Edit tour

Windows Analysis Report
epht1Y3TGZ.exe

Overview

General Information

Sample name:	epht1Y3TGZ.exe renamed because original name is a hash value
Original sample name:	25860926414bf43383246f7c773a8d6c.exe
Analysis ID:	1518342
MD5:	25860926414bf43383246f7c773a8d6c
SHA1:	760390a4a14df085f4c841067f52c79409cdc93e
SHA256:	a8e552944846a2f5e8fefea4a250046da29d74d1f58f7a868258e6ded9597958
Tags:	exeuser-abuse_ch
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops PE files to the user root directory

Found direct / indirect Syscall (likely to bypass EDR)

Found hidden mapped module (file has been removed from disk)

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Writes to foreign memory regions

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

Drops files with a non-matching file extension (content does not match file extension)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

PE file contains an invalid checksum

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

epht1Y3TGZ.exe (PID: 6640 cmdline: "C:\Users\user\Desktop\epht1Y3TGZ.exe" MD5: 25860926414BF43383246F7C773A8D6C)

DZIPR.exe (PID: 6864 cmdline: "C:\Users\user\DZIPR.exe" MD5: EC9CE1D67F98072281015C7726FBA245)

DZIPR.exe (PID: 7008 cmdline: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe MD5: EC9CE1D67F98072281015C7726FBA245)

cmd.exe (PID: 7064 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

explorer.exe (PID: 2336 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

DZIPR.exe (PID: 7056 cmdline: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe MD5: EC9CE1D67F98072281015C7726FBA245)

cmd.exe (PID: 5568 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

explorer.exe (PID: 4280 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

DZIPR.exe (PID: 764 cmdline: "C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe" MD5: EC9CE1D67F98072281015C7726FBA245)

cmd.exe (PID: 5296 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

explorer.exe (PID: 6752 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Version": "5.1.1 Pro", "Host:Port:Password": "fullimmersion777.com:8090:0", "Assigned name": "Back-September", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "hello.exe", "Startup value": "Disable", "Hide file": "Enable", "Mutex": "rimcsl-94LESJ", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\iikbjmsy	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
C:\Users\user\AppData\Local\Temp\iikbjmsy	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
C:\Users\user\AppData\Local\Temp\iikbjmsy	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
C:\Users\user\AppData\Local\Temp\iikbjmsy	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aab8:$a1: Remcos restarted by watchdog! 0x6b030:$a3: %02i:%02i:%02i:%03i
C:\Users\user\AppData\Local\Temp\iikbjmsy	REMCOS_RAT_variants	unknown	unknown	0x64b0c:$str_a1: C:\Windows\System32\cmd.exe 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b7c:$str_b2: Executing file: 0x65bfc:$str_b3: GetDirectListeningPort 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65728:$str_b7: \update.vbs 0x64ba4:$str_b9: Downloaded file: 0x64b90:$str_b10: Downloading file: 0x64c34:$str_b12: Failed to upload file: 0x65bc4:$str_b13: StartForward 0x65be4:$str_b14: StopForward 0x65680:$str_b15: fso.DeleteFile " 0x65614:$str_b16: On Error Resume Next 0x656b0:$str_b17: fso.DeleteFolder " 0x64c24:$str_b18: Uploaded file: 0x64be4:$str_b19: Unable to delete: 0x65648:$str_b20: while fso.FileExists(" 0x650c1:$str_c0: [Firefox StoredLogins not found]
C:\Users\user\AppData\Local\Temp\iikbjmsy	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6498c:$s1: CoGetObject 0x649a0:$s1: CoGetObject 0x649bc:$s1: CoGetObject 0x6e95e:$s1: CoGetObject 0x6494c:$s2: Elevation:Administrator!new:
C:\Users\user\AppData\Local\Temp\fsfj	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
C:\Users\user\AppData\Local\Temp\fsfj	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
C:\Users\user\AppData\Local\Temp\fsfj	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
C:\Users\user\AppData\Local\Temp\fsfj	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aab8:$a1: Remcos restarted by watchdog! 0x6b030:$a3: %02i:%02i:%02i:%03i
C:\Users\user\AppData\Local\Temp\fsfj	REMCOS_RAT_variants	unknown	unknown	0x64b0c:$str_a1: C:\Windows\System32\cmd.exe 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b7c:$str_b2: Executing file: 0x65bfc:$str_b3: GetDirectListeningPort 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65728:$str_b7: \update.vbs 0x64ba4:$str_b9: Downloaded file: 0x64b90:$str_b10: Downloading file: 0x64c34:$str_b12: Failed to upload file: 0x65bc4:$str_b13: StartForward 0x65be4:$str_b14: StopForward 0x65680:$str_b15: fso.DeleteFile " 0x65614:$str_b16: On Error Resume Next 0x656b0:$str_b17: fso.DeleteFolder " 0x64c24:$str_b18: Uploaded file: 0x64be4:$str_b19: Unable to delete: 0x65648:$str_b20: while fso.FileExists(" 0x650c1:$str_c0: [Firefox StoredLogins not found]
C:\Users\user\AppData\Local\Temp\fsfj	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6498c:$s1: CoGetObject 0x649a0:$s1: CoGetObject 0x649bc:$s1: CoGetObject 0x6e95e:$s1: CoGetObject 0x6494c:$s2: Elevation:Administrator!new:
C:\Users\user\AppData\Local\Temp\mtdwpx	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
C:\Users\user\AppData\Local\Temp\mtdwpx	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
C:\Users\user\AppData\Local\Temp\mtdwpx	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
C:\Users\user\AppData\Local\Temp\mtdwpx	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aab8:$a1: Remcos restarted by watchdog! 0x6b030:$a3: %02i:%02i:%02i:%03i
C:\Users\user\AppData\Local\Temp\mtdwpx	REMCOS_RAT_variants	unknown	unknown	0x64b0c:$str_a1: C:\Windows\System32\cmd.exe 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b7c:$str_b2: Executing file: 0x65bfc:$str_b3: GetDirectListeningPort 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65728:$str_b7: \update.vbs 0x64ba4:$str_b9: Downloaded file: 0x64b90:$str_b10: Downloading file: 0x64c34:$str_b12: Failed to upload file: 0x65bc4:$str_b13: StartForward 0x65be4:$str_b14: StopForward 0x65680:$str_b15: fso.DeleteFile " 0x65614:$str_b16: On Error Resume Next 0x656b0:$str_b17: fso.DeleteFolder " 0x64c24:$str_b18: Uploaded file: 0x64be4:$str_b19: Unable to delete: 0x65648:$str_b20: while fso.FileExists(" 0x650c1:$str_c0: [Firefox StoredLogins not found]
C:\Users\user\AppData\Local\Temp\mtdwpx	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6498c:$s1: CoGetObject 0x649a0:$s1: CoGetObject 0x649bc:$s1: CoGetObject 0x6e95e:$s1: CoGetObject 0x6494c:$s2: Elevation:Administrator!new:
C:\Users\user\DZIPR.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Click to see the 15 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000000.1739235026.0000000000401000.00000020.00000001.01000000.00000005.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000011.00000002.2391830637.0000000003099000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000011.00000002.2391830637.0000000003099000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000011.00000002.2391830637.0000000003099000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000011.00000002.2391830637.0000000003099000.00000002.00000001.01000000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x134b8:$a1: Remcos restarted by watchdog! 0x13a30:$a3: %02i:%02i:%02i:%03i
00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000003.00000002.2126221230.0000000005C30000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000003.00000002.2126221230.0000000005C30000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000003.00000002.2126221230.0000000005C30000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000003.00000002.2126221230.0000000005C30000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6ab80:$a1: Remcos restarted by watchdog! 0x6b0f8:$a3: %02i:%02i:%02i:%03i
0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000A.00000002.2218362255.0000000005700000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000A.00000002.2218362255.0000000005700000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000A.00000002.2218362255.0000000005700000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000A.00000002.2218362255.0000000005700000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6ab80:$a1: Remcos restarted by watchdog! 0x6b0f8:$a3: %02i:%02i:%02i:%03i
0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000F.00000002.2392314567.00000000056C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000F.00000002.2392314567.00000000056C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000F.00000002.2392314567.00000000056C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000F.00000002.2392314567.00000000056C0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6ab80:$a1: Remcos restarted by watchdog! 0x6b0f8:$a3: %02i:%02i:%02i:%03i
00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000D.00000002.2217537794.00000000026F9000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000D.00000002.2217537794.00000000026F9000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000D.00000002.2217537794.00000000026F9000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000D.00000002.2217537794.00000000026F9000.00000002.00000001.01000000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x134b8:$a1: Remcos restarted by watchdog! 0x13a30:$a3: %02i:%02i:%02i:%03i
0000000C.00000002.2125303235.0000000002799000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000C.00000002.2125303235.0000000002799000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000C.00000002.2125303235.0000000002799000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000C.00000002.2125303235.0000000002799000.00000002.00000001.01000000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x134b8:$a1: Remcos restarted by watchdog! 0x13a30:$a3: %02i:%02i:%02i:%03i
0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000003.1736102615.000000000277A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Process Memory Space: DZIPR.exe PID: 6864	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: cmd.exe PID: 7064	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: cmd.exe PID: 7064	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: cmd.exe PID: 7064	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: cmd.exe PID: 7064	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x933b0:$a1: Remcos restarted by watchdog! 0x9390a:$a3: %02i:%02i:%02i:%03i 0x93d39:$a3: %02i:%02i:%02i:%03i
Process Memory Space: cmd.exe PID: 5568	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: cmd.exe PID: 5568	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: cmd.exe PID: 5568	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: cmd.exe PID: 5568	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x11607:$a1: Remcos restarted by watchdog! 0x11b61:$a3: %02i:%02i:%02i:%03i 0x11f90:$a3: %02i:%02i:%02i:%03i
Process Memory Space: explorer.exe PID: 2336	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: explorer.exe PID: 2336	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: explorer.exe PID: 2336	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: explorer.exe PID: 2336	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xa4d43:$a1: Remcos restarted by watchdog! 0xa529d:$a3: %02i:%02i:%02i:%03i 0xa56cc:$a3: %02i:%02i:%02i:%03i
Process Memory Space: explorer.exe PID: 4280	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: explorer.exe PID: 4280	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: explorer.exe PID: 4280	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: explorer.exe PID: 4280	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xefb3e:$a1: Remcos restarted by watchdog! 0xf0098:$a3: %02i:%02i:%02i:%03i 0xf04c7:$a3: %02i:%02i:%02i:%03i
Process Memory Space: cmd.exe PID: 5296	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: cmd.exe PID: 5296	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: cmd.exe PID: 5296	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: cmd.exe PID: 5296	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x7a60a:$a1: Remcos restarted by watchdog! 0x7ab64:$a3: %02i:%02i:%02i:%03i 0x7af93:$a3: %02i:%02i:%02i:%03i
Process Memory Space: explorer.exe PID: 6752	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: explorer.exe PID: 6752	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: explorer.exe PID: 6752	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: explorer.exe PID: 6752	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6eaa:$a1: Remcos restarted by watchdog! 0x7404:$a3: %02i:%02i:%02i:%03i 0x7833:$a3: %02i:%02i:%02i:%03i
Click to see the 53 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
15.2.cmd.exe.5155b57.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
15.2.cmd.exe.5155b57.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcbe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd49:$s1: CoGetObject 0x1dca2:$s2: Elevation:Administrator!new:
1.2.DZIPR.exe.358b5ce.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
1.2.DZIPR.exe.358b5ce.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0be:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d149:$s1: CoGetObject 0x1d0a2:$s2: Elevation:Administrator!new:
1.2.DZIPR.exe.358a9ce.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
1.2.DZIPR.exe.358a9ce.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcbe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd49:$s1: CoGetObject 0x1dca2:$s2: Elevation:Administrator!new:
15.2.cmd.exe.5156757.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
15.2.cmd.exe.5156757.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0be:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d149:$s1: CoGetObject 0x1d0a2:$s2: Elevation:Administrator!new:
10.2.cmd.exe.51a1b57.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
10.2.cmd.exe.51a1b57.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcbe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd49:$s1: CoGetObject 0x1dca2:$s2: Elevation:Administrator!new:
12.2.explorer.exe.461e757.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
12.2.explorer.exe.461e757.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0be:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d149:$s1: CoGetObject 0x1d0a2:$s2: Elevation:Administrator!new:
13.2.explorer.exe.48a2757.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
13.2.explorer.exe.48a2757.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0be:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d149:$s1: CoGetObject 0x1d0a2:$s2: Elevation:Administrator!new:
12.2.explorer.exe.45d8a8a.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
12.2.explorer.exe.45d8a8a.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62d8b:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62e16:$s1: CoGetObject 0x62d6f:$s2: Elevation:Administrator!new:
1.2.DZIPR.exe.3545901.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
1.2.DZIPR.exe.3545901.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62d8b:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62e16:$s1: CoGetObject 0x62d6f:$s2: Elevation:Administrator!new:
3.2.cmd.exe.5c300c8.7.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
3.2.cmd.exe.5c300c8.7.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
3.2.cmd.exe.5c300c8.7.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
3.2.cmd.exe.5c300c8.7.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x690b8:$a1: Remcos restarted by watchdog! 0x69630:$a3: %02i:%02i:%02i:%03i
3.2.cmd.exe.5c300c8.7.unpack	REMCOS_RAT_variants	unknown	unknown	0x6310c:$str_a1: C:\Windows\System32\cmd.exe 0x63088:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63088:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63588:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63db8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6317c:$str_b2: Executing file: 0x641fc:$str_b3: GetDirectListeningPort 0x63ba8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63d28:$str_b7: \update.vbs 0x631a4:$str_b9: Downloaded file: 0x63190:$str_b10: Downloading file: 0x63234:$str_b12: Failed to upload file: 0x641c4:$str_b13: StartForward 0x641e4:$str_b14: StopForward 0x63c80:$str_b15: fso.DeleteFile " 0x63c14:$str_b16: On Error Resume Next 0x63cb0:$str_b17: fso.DeleteFolder " 0x63224:$str_b18: Uploaded file: 0x631e4:$str_b19: Unable to delete: 0x63c48:$str_b20: while fso.FileExists(" 0x636c1:$str_c0: [Firefox StoredLogins not found]
3.2.cmd.exe.5c300c8.7.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62ff8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62f8c:$s1: CoGetObject 0x62fa0:$s1: CoGetObject 0x62fbc:$s1: CoGetObject 0x6cf5e:$s1: CoGetObject 0x62f4c:$s2: Elevation:Administrator!new:
12.2.explorer.exe.461db57.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
12.2.explorer.exe.461db57.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcbe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd49:$s1: CoGetObject 0x1dca2:$s2: Elevation:Administrator!new:
10.2.cmd.exe.515ca8a.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
10.2.cmd.exe.515ca8a.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62d8b:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62e16:$s1: CoGetObject 0x62d6f:$s2: Elevation:Administrator!new:
10.2.cmd.exe.51a2757.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
10.2.cmd.exe.51a2757.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0be:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d149:$s1: CoGetObject 0x1d0a2:$s2: Elevation:Administrator!new:
15.2.cmd.exe.56c00c8.7.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
15.2.cmd.exe.56c00c8.7.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
15.2.cmd.exe.56c00c8.7.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
15.2.cmd.exe.56c00c8.7.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x690b8:$a1: Remcos restarted by watchdog! 0x69630:$a3: %02i:%02i:%02i:%03i
15.2.cmd.exe.56c00c8.7.unpack	REMCOS_RAT_variants	unknown	unknown	0x6310c:$str_a1: C:\Windows\System32\cmd.exe 0x63088:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63088:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63588:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63db8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6317c:$str_b2: Executing file: 0x641fc:$str_b3: GetDirectListeningPort 0x63ba8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63d28:$str_b7: \update.vbs 0x631a4:$str_b9: Downloaded file: 0x63190:$str_b10: Downloading file: 0x63234:$str_b12: Failed to upload file: 0x641c4:$str_b13: StartForward 0x641e4:$str_b14: StopForward 0x63c80:$str_b15: fso.DeleteFile " 0x63c14:$str_b16: On Error Resume Next 0x63cb0:$str_b17: fso.DeleteFolder " 0x63224:$str_b18: Uploaded file: 0x631e4:$str_b19: Unable to delete: 0x63c48:$str_b20: while fso.FileExists(" 0x636c1:$str_c0: [Firefox StoredLogins not found]
15.2.cmd.exe.56c00c8.7.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62ff8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62f8c:$s1: CoGetObject 0x62fa0:$s1: CoGetObject 0x62fbc:$s1: CoGetObject 0x6cf5e:$s1: CoGetObject 0x62f4c:$s2: Elevation:Administrator!new:
15.2.cmd.exe.56c00c8.7.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
15.2.cmd.exe.56c00c8.7.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
15.2.cmd.exe.56c00c8.7.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
15.2.cmd.exe.56c00c8.7.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aab8:$a1: Remcos restarted by watchdog! 0x6b030:$a3: %02i:%02i:%02i:%03i
15.2.cmd.exe.56c00c8.7.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64b0c:$str_a1: C:\Windows\System32\cmd.exe 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b7c:$str_b2: Executing file: 0x65bfc:$str_b3: GetDirectListeningPort 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65728:$str_b7: \update.vbs 0x64ba4:$str_b9: Downloaded file: 0x64b90:$str_b10: Downloading file: 0x64c34:$str_b12: Failed to upload file: 0x65bc4:$str_b13: StartForward 0x65be4:$str_b14: StopForward 0x65680:$str_b15: fso.DeleteFile " 0x65614:$str_b16: On Error Resume Next 0x656b0:$str_b17: fso.DeleteFolder " 0x64c24:$str_b18: Uploaded file: 0x64be4:$str_b19: Unable to delete: 0x65648:$str_b20: while fso.FileExists(" 0x650c1:$str_c0: [Firefox StoredLogins not found]
15.2.cmd.exe.56c00c8.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6498c:$s1: CoGetObject 0x649a0:$s1: CoGetObject 0x649bc:$s1: CoGetObject 0x6e95e:$s1: CoGetObject 0x6494c:$s2: Elevation:Administrator!new:
3.2.cmd.exe.5219b57.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
3.2.cmd.exe.5219b57.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcbe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd49:$s1: CoGetObject 0x1dca2:$s2: Elevation:Administrator!new:
13.2.explorer.exe.48a1b57.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
13.2.explorer.exe.48a1b57.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcbe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd49:$s1: CoGetObject 0x1dca2:$s2: Elevation:Administrator!new:
10.2.cmd.exe.57000c8.7.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
10.2.cmd.exe.57000c8.7.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
10.2.cmd.exe.57000c8.7.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
10.2.cmd.exe.57000c8.7.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aab8:$a1: Remcos restarted by watchdog! 0x6b030:$a3: %02i:%02i:%02i:%03i
10.2.cmd.exe.57000c8.7.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64b0c:$str_a1: C:\Windows\System32\cmd.exe 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b7c:$str_b2: Executing file: 0x65bfc:$str_b3: GetDirectListeningPort 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65728:$str_b7: \update.vbs 0x64ba4:$str_b9: Downloaded file: 0x64b90:$str_b10: Downloading file: 0x64c34:$str_b12: Failed to upload file: 0x65bc4:$str_b13: StartForward 0x65be4:$str_b14: StopForward 0x65680:$str_b15: fso.DeleteFile " 0x65614:$str_b16: On Error Resume Next 0x656b0:$str_b17: fso.DeleteFolder " 0x64c24:$str_b18: Uploaded file: 0x64be4:$str_b19: Unable to delete: 0x65648:$str_b20: while fso.FileExists(" 0x650c1:$str_c0: [Firefox StoredLogins not found]
10.2.cmd.exe.57000c8.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6498c:$s1: CoGetObject 0x649a0:$s1: CoGetObject 0x649bc:$s1: CoGetObject 0x6e95e:$s1: CoGetObject 0x6494c:$s2: Elevation:Administrator!new:
3.2.cmd.exe.5c300c8.7.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
3.2.cmd.exe.5c300c8.7.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
3.2.cmd.exe.5c300c8.7.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
3.2.cmd.exe.5c300c8.7.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aab8:$a1: Remcos restarted by watchdog! 0x6b030:$a3: %02i:%02i:%02i:%03i
3.2.cmd.exe.5c300c8.7.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64b0c:$str_a1: C:\Windows\System32\cmd.exe 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b7c:$str_b2: Executing file: 0x65bfc:$str_b3: GetDirectListeningPort 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65728:$str_b7: \update.vbs 0x64ba4:$str_b9: Downloaded file: 0x64b90:$str_b10: Downloading file: 0x64c34:$str_b12: Failed to upload file: 0x65bc4:$str_b13: StartForward 0x65be4:$str_b14: StopForward 0x65680:$str_b15: fso.DeleteFile " 0x65614:$str_b16: On Error Resume Next 0x656b0:$str_b17: fso.DeleteFolder " 0x64c24:$str_b18: Uploaded file: 0x64be4:$str_b19: Unable to delete: 0x65648:$str_b20: while fso.FileExists(" 0x650c1:$str_c0: [Firefox StoredLogins not found]
3.2.cmd.exe.5c300c8.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6498c:$s1: CoGetObject 0x649a0:$s1: CoGetObject 0x649bc:$s1: CoGetObject 0x6e95e:$s1: CoGetObject 0x6494c:$s2: Elevation:Administrator!new:
17.2.explorer.exe.4fd6a8a.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
17.2.explorer.exe.4fd6a8a.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62d8b:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62e16:$s1: CoGetObject 0x62d6f:$s2: Elevation:Administrator!new:
17.2.explorer.exe.501c757.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
17.2.explorer.exe.501c757.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0be:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d149:$s1: CoGetObject 0x1d0a2:$s2: Elevation:Administrator!new:
15.2.cmd.exe.5110a8a.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
15.2.cmd.exe.5110a8a.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62d8b:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62e16:$s1: CoGetObject 0x62d6f:$s2: Elevation:Administrator!new:
3.2.cmd.exe.521a757.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
3.2.cmd.exe.521a757.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0be:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d149:$s1: CoGetObject 0x1d0a2:$s2: Elevation:Administrator!new:
13.2.explorer.exe.485ca8a.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
13.2.explorer.exe.485ca8a.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62d8b:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62e16:$s1: CoGetObject 0x62d6f:$s2: Elevation:Administrator!new:
10.2.cmd.exe.57000c8.7.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
10.2.cmd.exe.57000c8.7.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
10.2.cmd.exe.57000c8.7.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
10.2.cmd.exe.57000c8.7.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x690b8:$a1: Remcos restarted by watchdog! 0x69630:$a3: %02i:%02i:%02i:%03i
10.2.cmd.exe.57000c8.7.unpack	REMCOS_RAT_variants	unknown	unknown	0x6310c:$str_a1: C:\Windows\System32\cmd.exe 0x63088:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63088:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63588:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63db8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6317c:$str_b2: Executing file: 0x641fc:$str_b3: GetDirectListeningPort 0x63ba8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63d28:$str_b7: \update.vbs 0x631a4:$str_b9: Downloaded file: 0x63190:$str_b10: Downloading file: 0x63234:$str_b12: Failed to upload file: 0x641c4:$str_b13: StartForward 0x641e4:$str_b14: StopForward 0x63c80:$str_b15: fso.DeleteFile " 0x63c14:$str_b16: On Error Resume Next 0x63cb0:$str_b17: fso.DeleteFolder " 0x63224:$str_b18: Uploaded file: 0x631e4:$str_b19: Unable to delete: 0x63c48:$str_b20: while fso.FileExists(" 0x636c1:$str_c0: [Firefox StoredLogins not found]
10.2.cmd.exe.57000c8.7.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62ff8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62f8c:$s1: CoGetObject 0x62fa0:$s1: CoGetObject 0x62fbc:$s1: CoGetObject 0x6cf5e:$s1: CoGetObject 0x62f4c:$s2: Elevation:Administrator!new:
17.2.explorer.exe.501bb57.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
17.2.explorer.exe.501bb57.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcbe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd49:$s1: CoGetObject 0x1dca2:$s2: Elevation:Administrator!new:
3.2.cmd.exe.51d4a8a.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
3.2.cmd.exe.51d4a8a.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62d8b:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62e16:$s1: CoGetObject 0x62d6f:$s2: Elevation:Administrator!new:
1.0.DZIPR.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Click to see the 74 entries

Sigma Signatures

System Summary

Sigma detected: Proxy Execution Via Explorer.exe

Source: Process started

Author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative: Data: Command: C:\Windows\SysWOW64\explorer.exe, CommandLine: C:\Windows\SysWOW64\explorer.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\explorer.exe, NewProcessName: C:\Windows\SysWOW64\explorer.exe, OriginalFileName: C:\Windows\SysWOW64\explorer.exe, ParentCommandLine: C:\Windows\SysWOW64\cmd.exe, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7064, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\SysWOW64\explorer.exe, ProcessId: 2336, ProcessName: explorer.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\iikbjmsy	Avira: detection malicious, Label: BDS/Backdoor.Gen
Source: C:\Users\user\AppData\Local\Temp\fsfj	Avira: detection malicious, Label: BDS/Backdoor.Gen
Source: C:\Users\user\AppData\Local\Temp\mtdwpx	Avira: detection malicious, Label: BDS/Backdoor.Gen

Found malware configuration

Source: 15.2.cmd.exe.56c00c8.7.raw.unpack

Malware Configuration Extractor: Remcos {"Version": "5.1.1 Pro", "Host:Port:Password": "fullimmersion777.com:8090:0", "Assigned name": "Back-September", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "hello.exe", "Startup value": "Disable", "Hide file": "Enable", "Mutex": "rimcsl-94LESJ", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Yara detected Remcos RAT

Source: Yara match	File source: 3.2.cmd.exe.5c300c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.cmd.exe.56c00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.cmd.exe.56c00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.cmd.exe.57000c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cmd.exe.5c300c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.cmd.exe.57000c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.2391830637.0000000003099000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2126221230.0000000005C30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2218362255.0000000005700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2392314567.00000000056C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2217537794.00000000026F9000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2125303235.0000000002799000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 5568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 4280, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 5296, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 6752, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\iikbjmsy, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\fsfj, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\mtdwpx, type: DROPPED

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\iikbjmsy	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\fsfj	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\mtdwpx	Joe Sandbox ML: detected

Source: cmd.exe, 00000003.00000002.2126221230.0000000005C30000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_b1ac216d-e

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 15.2.cmd.exe.5155b57.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DZIPR.exe.358b5ce.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DZIPR.exe.358a9ce.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.cmd.exe.5156757.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.cmd.exe.51a1b57.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.explorer.exe.461e757.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.explorer.exe.48a2757.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.explorer.exe.45d8a8a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.DZIPR.exe.3545901.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cmd.exe.5c300c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.explorer.exe.461db57.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.cmd.exe.515ca8a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.cmd.exe.51a2757.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.cmd.exe.56c00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.cmd.exe.56c00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cmd.exe.5219b57.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.explorer.exe.48a1b57.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.cmd.exe.57000c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cmd.exe.5c300c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.explorer.exe.4fd6a8a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.explorer.exe.501c757.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.cmd.exe.5110a8a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cmd.exe.521a757.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.explorer.exe.485ca8a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.cmd.exe.57000c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.explorer.exe.501bb57.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cmd.exe.51d4a8a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.2391830637.0000000003099000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2126221230.0000000005C30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2218362255.0000000005700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2392314567.00000000056C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2217537794.00000000026F9000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2125303235.0000000002799000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DZIPR.exe PID: 6864, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 5568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 4280, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 5296, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 6752, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\iikbjmsy, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\fsfj, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\mtdwpx, type: DROPPED

Source: epht1Y3TGZ.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: msacm32.pdbUGP source: cmd.exe, 00000003.00000002.2126221230.0000000005C30000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2218362255.0000000005700000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125375066.00000000027C2000.00000008.00000001.01000000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217610841.0000000002722000.00000008.00000001.01000000.00000000.sdmp, cmd.exe, 0000000F.00000002.2392314567.00000000056C0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2391902777.00000000030C2000.00000008.00000001.01000000.00000000.sdmp, iikbjmsy.15.dr, fsfj.3.dr, mtdwpx.10.dr
Source:	Binary string: msacm32.pdb source: cmd.exe, 00000003.00000002.2126221230.0000000005C30000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2218362255.0000000005700000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125375066.00000000027C2000.00000008.00000001.01000000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217610841.0000000002722000.00000008.00000001.01000000.00000000.sdmp, cmd.exe, 0000000F.00000002.2392314567.00000000056C0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2391902777.00000000030C2000.00000008.00000001.01000000.00000000.sdmp, iikbjmsy.15.dr, fsfj.3.dr, mtdwpx.10.dr
Source:	Binary string: wntdll.pdbUGP source: DZIPR.exe, 00000001.00000002.1766986120.0000000003637000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 00000001.00000002.1767892447.0000000003990000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125654234.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125276347.0000000004E25000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2218110243.0000000005240000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217828864.0000000004DA3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125976766.0000000004A70000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125744520.0000000004714000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217750173.0000000004477000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2218057626.0000000004940000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391745006.0000000004D6D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2392082164.00000000051F0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392370706.00000000050C0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392079481.0000000004C21000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: DZIPR.exe, 00000001.00000002.1766986120.0000000003637000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 00000001.00000002.1767892447.0000000003990000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125654234.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125276347.0000000004E25000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2218110243.0000000005240000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217828864.0000000004DA3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125976766.0000000004A70000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125744520.0000000004714000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217750173.0000000004477000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2218057626.0000000004940000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391745006.0000000004D6D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2392082164.00000000051F0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392370706.00000000050C0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392079481.0000000004C21000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\App\DZIPR\SDFRM\Release\SDFRM.pdb source: epht1Y3TGZ.exe, 00000000.00000003.1736102615.0000000002724000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmp, DZIPR.exe, 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmp, DZIPR.exe, 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmp

Source: C:\Users\user\Desktop\epht1Y3TGZ.exe	Code function: 0_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,	0_2_0040301A
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe	Code function: 0_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,	0_2_00402B79
Source: C:\Users\user\DZIPR.exe	Code function: 1_2_6CC8748E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	1_2_6CC8748E
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 2_2_6C89748E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	2_2_6C89748E
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 9_2_6F89748E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	9_2_6F89748E

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: fullimmersion777.com

Source: DZIPR.exe, 00000001.00000002.1765606333.00000000033ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://c0rl.m%L
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: epht1Y3TGZ.exe, 00000000.00000003.1736102615.0000000002F75000.00000004.00000020.00020000.00000000.sdmp, epht1Y3TGZ.exe, 00000000.00000003.1737006961.0000000002460000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 00000001.00000003.1756607781.0000000003D46000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: epht1Y3TGZ.exe, 00000000.00000003.1736102615.0000000002F75000.00000004.00000020.00020000.00000000.sdmp, epht1Y3TGZ.exe, 00000000.00000003.1737006961.0000000002460000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 00000001.00000003.1756607781.0000000003D46000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: epht1Y3TGZ.exe, 00000000.00000003.1736102615.0000000002F75000.00000004.00000020.00020000.00000000.sdmp, epht1Y3TGZ.exe, 00000000.00000003.1737006961.0000000002460000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 00000001.00000003.1756607781.0000000003D46000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: epht1Y3TGZ.exe, 00000000.00000003.1736102615.0000000002F75000.00000004.00000020.00020000.00000000.sdmp, epht1Y3TGZ.exe, 00000000.00000003.1737006961.0000000002460000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 00000001.00000003.1756607781.0000000003D46000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: epht1Y3TGZ.exe, 00000000.00000003.1736102615.0000000002F75000.00000004.00000020.00020000.00000000.sdmp, epht1Y3TGZ.exe, 00000000.00000003.1737006961.0000000002460000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 00000001.00000003.1756607781.0000000003D46000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: epht1Y3TGZ.exe, 00000000.00000003.1736102615.0000000002F75000.00000004.00000020.00020000.00000000.sdmp, epht1Y3TGZ.exe, 00000000.00000003.1737006961.0000000002460000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 00000001.00000003.1756607781.0000000003D46000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: epht1Y3TGZ.exe, 00000000.00000003.1736102615.0000000002F75000.00000004.00000020.00020000.00000000.sdmp, epht1Y3TGZ.exe, 00000000.00000003.1737006961.0000000002460000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 00000001.00000003.1756607781.0000000003D46000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: DZIPR.exe, 00000001.00000003.1756607781.0000000003D46000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: epht1Y3TGZ.exe, 00000000.00000003.1736102615.0000000002F75000.00000004.00000020.00020000.00000000.sdmp, epht1Y3TGZ.exe, 00000000.00000003.1737006961.0000000002460000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 00000001.00000003.1756607781.0000000003D46000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: epht1Y3TGZ.exe, 00000000.00000003.1736102615.0000000002F75000.00000004.00000020.00020000.00000000.sdmp, epht1Y3TGZ.exe, 00000000.00000003.1737006961.0000000002460000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 00000001.00000003.1756607781.0000000003D46000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: epht1Y3TGZ.exe, 00000000.00000003.1736102615.0000000002F75000.00000004.00000020.00020000.00000000.sdmp, epht1Y3TGZ.exe, 00000000.00000003.1737006961.0000000002460000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 00000001.00000003.1756607781.0000000003D46000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: epht1Y3TGZ.exe, 00000000.00000003.1736102615.0000000002F75000.00000004.00000020.00020000.00000000.sdmp, epht1Y3TGZ.exe, 00000000.00000003.1737006961.0000000002460000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 00000001.00000002.1765606333.00000000033ED000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 00000001.00000003.1756607781.0000000003D46000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0L
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: epht1Y3TGZ.exe, 00000000.00000003.1736102615.0000000002F75000.00000004.00000020.00020000.00000000.sdmp, epht1Y3TGZ.exe, 00000000.00000003.1737006961.0000000002460000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 00000001.00000003.1756607781.0000000003D46000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: DZIPR.exe, 00000001.00000003.1756607781.0000000003D46000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://support.datanumen.com
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: epht1Y3TGZ.exe, 00000000.00000003.1736102615.0000000002F75000.00000004.00000020.00020000.00000000.sdmp, epht1Y3TGZ.exe, 00000000.00000003.1737006961.0000000002460000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 00000001.00000003.1756607781.0000000003D46000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: DZIPR.exe, 00000001.00000002.1766393271.00000000034E8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.0000000005185000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.000000000510D000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.0000000004589000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.000000000480D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.00000000050C1000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004F87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/
Source: DZIPR.exe, 00000001.00000003.1756607781.0000000003D46000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.repairfile.com
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 00000001.00000002.1765606333.00000000033ED000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0/
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: epht1Y3TGZ.exe, 00000000.00000003.1736102615.0000000002F75000.00000004.00000020.00020000.00000000.sdmp, epht1Y3TGZ.exe, 00000000.00000003.1737006961.0000000002460000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 00000001.00000003.1756607781.0000000003D46000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.datanumen.com/zip-repair/
Source: DZIPR.exe, 00000001.00000002.1765606333.00000000033ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.c
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0

Source: C:\Users\user\DZIPR.exe	Code function: 1_2_6CC904EE GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageW,	1_2_6CC904EE
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 2_2_6C8A04EE GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageW,	2_2_6C8A04EE
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 9_2_6F8A04EE GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageW,	9_2_6F8A04EE

Source: Yara match	File source: 3.2.cmd.exe.5c300c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.cmd.exe.56c00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.cmd.exe.56c00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.cmd.exe.57000c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cmd.exe.5c300c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.cmd.exe.57000c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.2391830637.0000000003099000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2126221230.0000000005C30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2218362255.0000000005700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2392314567.00000000056C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2217537794.00000000026F9000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2125303235.0000000002799000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 5568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 4280, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 5296, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 6752, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\iikbjmsy, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\fsfj, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\mtdwpx, type: DROPPED

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 3.2.cmd.exe.5c300c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.cmd.exe.56c00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.cmd.exe.56c00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.cmd.exe.57000c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cmd.exe.5c300c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.cmd.exe.57000c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.2391830637.0000000003099000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2126221230.0000000005C30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2218362255.0000000005700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2392314567.00000000056C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2217537794.00000000026F9000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2125303235.0000000002799000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 5568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 4280, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 5296, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 6752, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\iikbjmsy, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\fsfj, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\mtdwpx, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: 15.2.cmd.exe.5155b57.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.2.DZIPR.exe.358b5ce.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.2.DZIPR.exe.358a9ce.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.cmd.exe.5156757.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.2.cmd.exe.51a1b57.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.2.explorer.exe.461e757.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 13.2.explorer.exe.48a2757.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.2.explorer.exe.45d8a8a.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.2.DZIPR.exe.3545901.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.cmd.exe.5c300c8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.cmd.exe.5c300c8.7.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.cmd.exe.5c300c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.2.explorer.exe.461db57.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.2.cmd.exe.515ca8a.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.2.cmd.exe.51a2757.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.cmd.exe.56c00c8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.2.cmd.exe.56c00c8.7.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.cmd.exe.56c00c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.cmd.exe.56c00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.2.cmd.exe.56c00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.cmd.exe.56c00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.cmd.exe.5219b57.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 13.2.explorer.exe.48a1b57.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.2.cmd.exe.57000c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 10.2.cmd.exe.57000c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 10.2.cmd.exe.57000c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.cmd.exe.5c300c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.cmd.exe.5c300c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.cmd.exe.5c300c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.2.explorer.exe.4fd6a8a.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.2.explorer.exe.501c757.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.cmd.exe.5110a8a.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.cmd.exe.521a757.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 13.2.explorer.exe.485ca8a.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.2.cmd.exe.57000c8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 10.2.cmd.exe.57000c8.7.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 10.2.cmd.exe.57000c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.2.explorer.exe.501bb57.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.cmd.exe.51d4a8a.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000011.00000002.2391830637.0000000003099000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000003.00000002.2126221230.0000000005C30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000A.00000002.2218362255.0000000005700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000F.00000002.2392314567.00000000056C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000D.00000002.2217537794.00000000026F9000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000C.00000002.2125303235.0000000002799000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: cmd.exe PID: 7064, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: cmd.exe PID: 5568, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: explorer.exe PID: 2336, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: explorer.exe PID: 4280, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: cmd.exe PID: 5296, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: explorer.exe PID: 6752, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\iikbjmsy, type: DROPPED	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\iikbjmsy, type: DROPPED	Matched rule: REMCOS_RAT_variants Author: unknown
Source: C:\Users\user\AppData\Local\Temp\iikbjmsy, type: DROPPED	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\fsfj, type: DROPPED	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\fsfj, type: DROPPED	Matched rule: REMCOS_RAT_variants Author: unknown
Source: C:\Users\user\AppData\Local\Temp\fsfj, type: DROPPED	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\mtdwpx, type: DROPPED	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\mtdwpx, type: DROPPED	Matched rule: REMCOS_RAT_variants Author: unknown
Source: C:\Users\user\AppData\Local\Temp\mtdwpx, type: DROPPED	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen

Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 9_2_6F8A0D95 NtdllDefWindowProc_W,	9_2_6F8A0D95
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 9_2_6F8A2932 _memset,NtdllDefWindowProc_W,	9_2_6F8A2932
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 9_2_6F89E5F6 NtdllDefWindowProc_W,CallWindowProcW,	9_2_6F89E5F6

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Windows\Tasks\lnfast_x64.job

Jump to behavior

Source: C:\Users\user\Desktop\epht1Y3TGZ.exe	Code function: 0_2_00404FAA	0_2_00404FAA
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe	Code function: 0_2_0041206B	0_2_0041206B
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe	Code function: 0_2_0041022D	0_2_0041022D
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe	Code function: 0_2_00411F91	0_2_00411F91
Source: C:\Users\user\DZIPR.exe	Code function: 1_2_6CC85E70	1_2_6CC85E70
Source: C:\Users\user\DZIPR.exe	Code function: 1_2_6CC863F0	1_2_6CC863F0
Source: C:\Users\user\DZIPR.exe	Code function: 1_2_6CC85CA0	1_2_6CC85CA0
Source: C:\Users\user\DZIPR.exe	Code function: 1_2_6CCA2CBB	1_2_6CCA2CBB
Source: C:\Users\user\DZIPR.exe	Code function: 1_2_6CC96C6C	1_2_6CC96C6C
Source: C:\Users\user\DZIPR.exe	Code function: 1_2_6CC91D85	1_2_6CC91D85
Source: C:\Users\user\DZIPR.exe	Code function: 1_2_6CC9AE45	1_2_6CC9AE45
Source: C:\Users\user\DZIPR.exe	Code function: 1_2_6CCA3E3B	1_2_6CCA3E3B
Source: C:\Users\user\DZIPR.exe	Code function: 1_2_6CC95FB7	1_2_6CC95FB7
Source: C:\Users\user\DZIPR.exe	Code function: 1_2_6CCA586C	1_2_6CCA586C
Source: C:\Users\user\DZIPR.exe	Code function: 1_2_6CC96860	1_2_6CC96860
Source: C:\Users\user\DZIPR.exe	Code function: 1_2_6CC9648C	1_2_6CC9648C
Source: C:\Users\user\DZIPR.exe	Code function: 1_2_6CC817D0	1_2_6CC817D0
Source: C:\Users\user\DZIPR.exe	Code function: 1_2_6CCA3743	1_2_6CCA3743
Source: C:\Users\user\DZIPR.exe	Code function: 1_2_6CC81739	1_2_6CC81739
Source: C:\Users\user\DZIPR.exe	Code function: 1_2_6CC81730	1_2_6CC81730
Source: C:\Users\user\DZIPR.exe	Code function: 1_2_6CC9708C	1_2_6CC9708C
Source: C:\Users\user\DZIPR.exe	Code function: 1_2_6CCA31FF	1_2_6CCA31FF
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 2_2_6C895E70	2_2_6C895E70
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 2_2_6C8963F0	2_2_6C8963F0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 2_2_6C895CA0	2_2_6C895CA0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 2_2_6C8B2CBB	2_2_6C8B2CBB
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 2_2_6C8A6C6C	2_2_6C8A6C6C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 2_2_6C8A1D85	2_2_6C8A1D85
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 2_2_6C8B3E3B	2_2_6C8B3E3B
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 2_2_6C8AAE45	2_2_6C8AAE45
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 2_2_6C8A5FB7	2_2_6C8A5FB7
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 2_2_6C8B586C	2_2_6C8B586C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 2_2_6C8A6860	2_2_6C8A6860
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 2_2_6C8A648C	2_2_6C8A648C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 2_2_6C8917D0	2_2_6C8917D0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 2_2_6C891731	2_2_6C891731
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 2_2_6C891730	2_2_6C891730
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 2_2_6C8B3743	2_2_6C8B3743
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 2_2_6C8A708C	2_2_6C8A708C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 2_2_6C8B31FF	2_2_6C8B31FF
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 9_2_6F895E70	9_2_6F895E70
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 9_2_6F8963F0	9_2_6F8963F0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 9_2_6F8A5FB7	9_2_6F8A5FB7
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 9_2_6F8B3E3B	9_2_6F8B3E3B
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 9_2_6F8AAE45	9_2_6F8AAE45
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 9_2_6F8A1D85	9_2_6F8A1D85
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 9_2_6F895CA0	9_2_6F895CA0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 9_2_6F8B2CBB	9_2_6F8B2CBB
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 9_2_6F8A6C6C	9_2_6F8A6C6C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 9_2_6F8B586C	9_2_6F8B586C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 9_2_6F8A6860	9_2_6F8A6860
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 9_2_6F8917D0	9_2_6F8917D0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 9_2_6F891731	9_2_6F891731
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 9_2_6F891730	9_2_6F891730
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 9_2_6F8B3743	9_2_6F8B3743
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 9_2_6F8A648C	9_2_6F8A648C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 9_2_6F8B31FF	9_2_6F8B31FF
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 9_2_6F8A708C	9_2_6F8A708C

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\fsfj 7AA4BC94F891709D5B0FF9C2F95060AEEFB5AC6EB75222F9F105E29C3965629F
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\iikbjmsy 7AA4BC94F891709D5B0FF9C2F95060AEEFB5AC6EB75222F9F105E29C3965629F
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\mtdwpx 7AA4BC94F891709D5B0FF9C2F95060AEEFB5AC6EB75222F9F105E29C3965629F

Source: C:\Users\user\DZIPR.exe	Code function: String function: 6CC953BC appears 48 times
Source: C:\Users\user\DZIPR.exe	Code function: String function: 6CC950C9 appears 66 times
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: String function: 6C8A53BC appears 48 times
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: String function: 6F8A50C9 appears 65 times
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: String function: 6F8A53BC appears 48 times
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: String function: 6C8A50C9 appears 65 times
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe	Code function: String function: 0040243B appears 37 times

Source: epht1Y3TGZ.exe, 00000000.00000003.1726094333.000000000252D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs epht1Y3TGZ.exe
Source: epht1Y3TGZ.exe, 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs epht1Y3TGZ.exe
Source: epht1Y3TGZ.exe, 00000000.00000003.1736102615.0000000002724000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDZIPR.DLL4 vs epht1Y3TGZ.exe
Source: epht1Y3TGZ.exe	Binary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs epht1Y3TGZ.exe

Source: epht1Y3TGZ.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 15.2.cmd.exe.5155b57.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.2.DZIPR.exe.358b5ce.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.2.DZIPR.exe.358a9ce.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.cmd.exe.5156757.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.2.cmd.exe.51a1b57.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.explorer.exe.461e757.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 13.2.explorer.exe.48a2757.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.explorer.exe.45d8a8a.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.2.DZIPR.exe.3545901.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.cmd.exe.5c300c8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.cmd.exe.5c300c8.7.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.cmd.exe.5c300c8.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.explorer.exe.461db57.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.2.cmd.exe.515ca8a.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.2.cmd.exe.51a2757.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.cmd.exe.56c00c8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 15.2.cmd.exe.56c00c8.7.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.cmd.exe.56c00c8.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.cmd.exe.56c00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 15.2.cmd.exe.56c00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.cmd.exe.56c00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.cmd.exe.5219b57.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 13.2.explorer.exe.48a1b57.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.2.cmd.exe.57000c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 10.2.cmd.exe.57000c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.2.cmd.exe.57000c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.cmd.exe.5c300c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.cmd.exe.5c300c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.cmd.exe.5c300c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.2.explorer.exe.4fd6a8a.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.2.explorer.exe.501c757.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.cmd.exe.5110a8a.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.cmd.exe.521a757.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 13.2.explorer.exe.485ca8a.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.2.cmd.exe.57000c8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 10.2.cmd.exe.57000c8.7.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.2.cmd.exe.57000c8.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.2.explorer.exe.501bb57.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.cmd.exe.51d4a8a.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000011.00000002.2391830637.0000000003099000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000003.00000002.2126221230.0000000005C30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000A.00000002.2218362255.0000000005700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000F.00000002.2392314567.00000000056C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000D.00000002.2217537794.00000000026F9000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000C.00000002.2125303235.0000000002799000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: cmd.exe PID: 7064, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: cmd.exe PID: 5568, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 2336, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 4280, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: cmd.exe PID: 5296, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 6752, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\iikbjmsy, type: DROPPED	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\iikbjmsy, type: DROPPED	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: C:\Users\user\AppData\Local\Temp\iikbjmsy, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: C:\Users\user\AppData\Local\Temp\fsfj, type: DROPPED	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\fsfj, type: DROPPED	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: C:\Users\user\AppData\Local\Temp\fsfj, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: C:\Users\user\AppData\Local\Temp\mtdwpx, type: DROPPED	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\mtdwpx, type: DROPPED	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: C:\Users\user\AppData\Local\Temp\mtdwpx, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Source: classification engine

Classification label: mal100.troj.expl.evad.winEXE@22/16@0/0

Source: C:\Users\user\Desktop\epht1Y3TGZ.exe

Code function: 0_2_00407776 wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree,

0_2_00407776

Source: C:\Users\user\Desktop\epht1Y3TGZ.exe

Code function: 0_2_0040118A GetDiskFreeSpaceExW,SendMessageW,

0_2_0040118A

Source: C:\Users\user\Desktop\epht1Y3TGZ.exe

Code function: 0_2_004034C1 _wtol,_wtol,SHGetSpecialFolderPathW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,CoCreateInstance,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,

0_2_004034C1

Source: C:\Users\user\Desktop\epht1Y3TGZ.exe

Code function: 0_2_00401BDF GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,wsprintfW,LoadLibraryA,GetProcAddress,

0_2_00401BDF

Source: C:\Users\user\Desktop\epht1Y3TGZ.exe

File created: C:\Users\user\ekqqtq

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:744:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7044:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5660:120:WilError_03

Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe

File created: C:\Users\user\AppData\Local\Temp\a1ba81aa

Jump to behavior

Source: Yara match	File source: 1.0.DZIPR.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.1739235026.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1736102615.000000000277A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\DZIPR.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe, type: DROPPED

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior

Source: epht1Y3TGZ.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\epht1Y3TGZ.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\epht1Y3TGZ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\epht1Y3TGZ.exe

File read: C:\Users\user\Desktop\epht1Y3TGZ.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\epht1Y3TGZ.exe "C:\Users\user\Desktop\epht1Y3TGZ.exe"
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe	Process created: C:\Users\user\DZIPR.exe "C:\Users\user\DZIPR.exe"
Source: C:\Users\user\DZIPR.exe	Process created: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe "C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe"
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe	Process created: C:\Users\user\DZIPR.exe "C:\Users\user\DZIPR.exe"	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Process created: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior

Source: C:\Users\user\Desktop\epht1Y3TGZ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: dzipr.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: dzipr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: dzipr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: dzipr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: shdocvw.dll	Jump to behavior

Source: oahisshhqlvln.3.dr

LNK file: ..\..\Roaming\Ruy_driverv2\DZIPR.exe

Source: epht1Y3TGZ.exe

Static file information: File size 4809996 > 1048576

Source:	Binary string: msacm32.pdbUGP source: cmd.exe, 00000003.00000002.2126221230.0000000005C30000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2218362255.0000000005700000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125375066.00000000027C2000.00000008.00000001.01000000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217610841.0000000002722000.00000008.00000001.01000000.00000000.sdmp, cmd.exe, 0000000F.00000002.2392314567.00000000056C0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2391902777.00000000030C2000.00000008.00000001.01000000.00000000.sdmp, iikbjmsy.15.dr, fsfj.3.dr, mtdwpx.10.dr
Source:	Binary string: msacm32.pdb source: cmd.exe, 00000003.00000002.2126221230.0000000005C30000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2218362255.0000000005700000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125375066.00000000027C2000.00000008.00000001.01000000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217610841.0000000002722000.00000008.00000001.01000000.00000000.sdmp, cmd.exe, 0000000F.00000002.2392314567.00000000056C0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2391902777.00000000030C2000.00000008.00000001.01000000.00000000.sdmp, iikbjmsy.15.dr, fsfj.3.dr, mtdwpx.10.dr
Source:	Binary string: wntdll.pdbUGP source: DZIPR.exe, 00000001.00000002.1766986120.0000000003637000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 00000001.00000002.1767892447.0000000003990000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125654234.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125276347.0000000004E25000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2218110243.0000000005240000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217828864.0000000004DA3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125976766.0000000004A70000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125744520.0000000004714000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217750173.0000000004477000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2218057626.0000000004940000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391745006.0000000004D6D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2392082164.00000000051F0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392370706.00000000050C0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392079481.0000000004C21000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: DZIPR.exe, 00000001.00000002.1766986120.0000000003637000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 00000001.00000002.1767892447.0000000003990000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125654234.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125276347.0000000004E25000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2218110243.0000000005240000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217828864.0000000004DA3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125976766.0000000004A70000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125744520.0000000004714000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217750173.0000000004477000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2218057626.0000000004940000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391745006.0000000004D6D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2392082164.00000000051F0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392370706.00000000050C0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392079481.0000000004C21000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\App\DZIPR\SDFRM\Release\SDFRM.pdb source: epht1Y3TGZ.exe, 00000000.00000003.1736102615.0000000002724000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmp, DZIPR.exe, 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmp, DZIPR.exe, 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmp

Source: C:\Users\user\Desktop\epht1Y3TGZ.exe

Code function: 0_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow,

0_2_00406D5D

Source: DZIPR.dll.0.dr	Static PE information: real checksum: 0x601f9 should be: 0x5ee7e
Source: DZIPR.dll.1.dr	Static PE information: real checksum: 0x601f9 should be: 0x5ee7e
Source: epht1Y3TGZ.exe	Static PE information: real checksum: 0x33302 should be: 0x4a3c93
Source: mtdwpx.10.dr	Static PE information: real checksum: 0x0 should be: 0x7d505
Source: fsfj.3.dr	Static PE information: real checksum: 0x0 should be: 0x7d505
Source: iikbjmsy.15.dr	Static PE information: real checksum: 0x0 should be: 0x7d505

Source: DZIPR.exe.0.dr	Static PE information: section name: .didata
Source: DZIPR.exe.1.dr	Static PE information: section name: .didata
Source: fsfj.3.dr	Static PE information: section name: cmxvoc
Source: mtdwpx.10.dr	Static PE information: section name: cmxvoc
Source: iikbjmsy.15.dr	Static PE information: section name: cmxvoc

Source: C:\Users\user\Desktop\epht1Y3TGZ.exe	Code function: 0_2_00411C20 push eax; ret	0_2_00411C4E
Source: C:\Users\user\DZIPR.exe	Code function: 1_2_6CC95401 push ecx; ret	1_2_6CC95414
Source: C:\Users\user\DZIPR.exe	Code function: 1_2_6CC951A1 push ecx; ret	1_2_6CC951B4
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 2_2_6C8A5401 push ecx; ret	2_2_6C8A5414
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 2_2_6C8A51A1 push ecx; ret	2_2_6C8A51B4
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 9_2_6F8A5401 push ecx; ret	9_2_6F8A5414
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 9_2_6F8A51A1 push ecx; ret	9_2_6F8A51B4

Source: C:\Users\user\Desktop\epht1Y3TGZ.exe	File created: C:\Users\user\DZIPR.exe	Jump to dropped file
Source: C:\Users\user\DZIPR.exe	File created: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Jump to dropped file
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe	File created: C:\Users\user\DZIPR.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\fsfj	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\mtdwpx	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\iikbjmsy	Jump to dropped file
Source: C:\Users\user\DZIPR.exe	File created: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.dll	Jump to dropped file

Source: C:\Users\user\Desktop\epht1Y3TGZ.exe	File created: C:\Users\user\DZIPR.exe			Jump to dropped file
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe	File created: C:\Users\user\DZIPR.dll			Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\fsfj	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\mtdwpx	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\iikbjmsy	Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Users\user\Desktop\epht1Y3TGZ.exe	File created: C:\Users\user\DZIPR.exe			Jump to dropped file
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe	File created: C:\Users\user\DZIPR.dll			Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Windows\Tasks\lnfast_x64.job

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\FSFJ
Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\MTDWPX
Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\IIKBJMSY

Source: C:\Users\user\DZIPR.exe	Code function: 1_2_6CC8DE29 IsIconic,GetWindowPlacement,GetWindowRect,	1_2_6CC8DE29
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 2_2_6C89DE29 IsIconic,GetWindowPlacement,GetWindowRect,	2_2_6C89DE29
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 9_2_6F89DE29 IsIconic,GetWindowPlacement,GetWindowRect,	9_2_6F89DE29

Source: C:\Users\user\Desktop\epht1Y3TGZ.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\DZIPR.exe	API/Special instruction interceptor: Address: 6C977C44
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	API/Special instruction interceptor: Address: 6C977C44
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	API/Special instruction interceptor: Address: 6C977945
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 6C973B54
Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: 2DA317

Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\fsfj	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mtdwpx	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\iikbjmsy	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess	graph_2-19010
Source: C:\Users\user\DZIPR.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep	graph_1-18627
Source: C:\Users\user\DZIPR.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess	graph_1-19023
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep	graph_2-18614

Source: C:\Users\user\DZIPR.exe	API coverage: 4.5 %
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	API coverage: 4.7 %
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	API coverage: 4.5 %

Source: C:\Users\user\Desktop\epht1Y3TGZ.exe	Code function: 0_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,	0_2_0040301A
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe	Code function: 0_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,	0_2_00402B79
Source: C:\Users\user\DZIPR.exe	Code function: 1_2_6CC8748E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	1_2_6CC8748E
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 2_2_6C89748E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	2_2_6C89748E
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 9_2_6F89748E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	9_2_6F89748E

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior

Source: explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noreply@vmware.com0
Source: explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0
Source: explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1!0
Source: DZIPR.exe, 00000001.00000002.1765606333.00000000033ED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6vmware
Source: explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0/
Source: explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1
Source: explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.0

Source: C:\Users\user\DZIPR.exe	API call chain: ExitProcess graph end node	graph_1-19025
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	API call chain: ExitProcess graph end node	graph_2-19012
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\DZIPR.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\DZIPR.exe

Code function: 1_2_6CC93F34 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

1_2_6CC93F34

Source: C:\Users\user\Desktop\epht1Y3TGZ.exe

Code function: 0_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow,

0_2_00406D5D

Source: C:\Users\user\DZIPR.exe	Code function: 1_2_6CC85CA0 mov eax, dword ptr fs:[00000030h]	1_2_6CC85CA0
Source: C:\Users\user\DZIPR.exe	Code function: 1_2_6CC85D78 mov eax, dword ptr fs:[00000030h]	1_2_6CC85D78
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 2_2_6C895CA0 mov eax, dword ptr fs:[00000030h]	2_2_6C895CA0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 2_2_6C895D78 mov eax, dword ptr fs:[00000030h]	2_2_6C895D78
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 9_2_6F895D78 mov eax, dword ptr fs:[00000030h]	9_2_6F895D78
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 9_2_6F895CA0 mov eax, dword ptr fs:[00000030h]	9_2_6F895CA0

Source: C:\Users\user\DZIPR.exe	Code function: 1_2_6CC9CE5C __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_6CC9CE5C
Source: C:\Users\user\DZIPR.exe	Code function: 1_2_6CC93F34 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_6CC93F34
Source: C:\Users\user\DZIPR.exe	Code function: 1_2_6CC98034 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_6CC98034
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 2_2_6C8ACE5C __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6C8ACE5C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 2_2_6C8A3F34 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_6C8A3F34
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 2_2_6C8A8034 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_6C8A8034
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 9_2_6F8A3F34 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_6F8A3F34
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 9_2_6F8ACE5C __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_6F8ACE5C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 9_2_6F8A8034 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_6F8A8034

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	NtProtectVirtualMemory: Direct from: 0x6F902C26	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	NtProtectVirtualMemory: Direct from: 0x6C8FCE9B	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	NtProtectVirtualMemory: Direct from: 0x6F902B04	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	NtQuerySystemInformation: Direct from: 0x6C8966A2	Jump to behavior
Source: C:\Users\user\DZIPR.exe	NtQuerySystemInformation: Direct from: 0x6CC866A2	Jump to behavior
Source: C:\Users\user\DZIPR.exe	NtProtectVirtualMemory: Direct from: 0x76EF7B2E	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	NtQuerySystemInformation: Direct from: 0x6F8966A2	Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 2336 base: 2D79C0 value: 55	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 2336 base: 2740000 value: 00	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 4280 base: 2D79C0 value: 55	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 4280 base: 26A0000 value: 00	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 6752 base: 2D79C0 value: 55	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 6752 base: 3040000 value: 00	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 2D79C0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 2740000	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 2D79C0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 26A0000	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 2D79C0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 3040000	Jump to behavior

Source: C:\Users\user\Desktop\epht1Y3TGZ.exe	Process created: C:\Users\user\DZIPR.exe "C:\Users\user\DZIPR.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior

Source: C:\Users\user\Desktop\epht1Y3TGZ.exe

Code function: 0_2_0040D72E cpuid

0_2_0040D72E

Source: C:\Users\user\Desktop\epht1Y3TGZ.exe	Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar,	0_2_00401F9D
Source: C:\Users\user\DZIPR.exe	Code function: GetLocaleInfoA,	1_2_6CCA4DBC
Source: C:\Users\user\DZIPR.exe	Code function: GetLocaleInfoW,__snwprintf_s,LoadLibraryW,	1_2_6CC889B5
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: GetLocaleInfoA,	2_2_6C8B4DBC
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: GetLocaleInfoW,__snwprintf_s,LoadLibraryW,	2_2_6C8989B5
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: GetLocaleInfoA,	9_2_6F8B4DBC
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: GetLocaleInfoW,__snwprintf_s,LoadLibraryW,	9_2_6F8989B5

Source: C:\Windows\SysWOW64\cmd.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\epht1Y3TGZ.exe

Code function: 0_2_00401626 ??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLocalTime,SystemTimeToFileTime,??2@YAPAXI@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,

0_2_00401626

Source: C:\Users\user\DZIPR.exe

Code function: 1_2_6CC9D72B __lock,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,__getenv_helper_nolock,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,

1_2_6CC9D72B

Source: C:\Users\user\Desktop\epht1Y3TGZ.exe

Code function: 0_2_00404FAA GetVersionExW,GetCommandLineW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??2@YAPAXI@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,memset,ShellExecuteExW,WaitForSingleObject,CloseHandle,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA,

0_2_00404FAA

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 3.2.cmd.exe.5c300c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.cmd.exe.56c00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.cmd.exe.56c00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.cmd.exe.57000c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cmd.exe.5c300c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.cmd.exe.57000c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.2391830637.0000000003099000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2126221230.0000000005C30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2218362255.0000000005700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2392314567.00000000056C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2217537794.00000000026F9000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2125303235.0000000002799000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 5568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 4280, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 5296, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 6752, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\iikbjmsy, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\fsfj, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\mtdwpx, type: DROPPED

Remote Access Functionality

Yara detected Remcos RAT

Source: Yara match	File source: 3.2.cmd.exe.5c300c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.cmd.exe.56c00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.cmd.exe.56c00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.cmd.exe.57000c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cmd.exe.5c300c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.cmd.exe.57000c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.2391830637.0000000003099000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2126221230.0000000005C30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2218362255.0000000005700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2392314567.00000000056C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2217537794.00000000026F9000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2125303235.0000000002799000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 5568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 4280, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 5296, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 6752, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\iikbjmsy, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\fsfj, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\mtdwpx, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	311 Process Injection	131 Masquerading	1 Input Capture	2 System Time Discovery	Remote Services	1 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Native API	11 DLL Side-Loading	1 Scheduled Task/Job	311 Process Injection	LSASS Memory	111 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	11 DLL Side-Loading	1 Abuse Elevation Control Mechanism	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	3 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 DLL Side-Loading	Cached Domain Credentials	134 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\iikbjmsy	100%	Avira	BDS/Backdoor.Gen
C:\Users\user\AppData\Local\Temp\fsfj	100%	Avira	BDS/Backdoor.Gen
C:\Users\user\AppData\Local\Temp\mtdwpx	100%	Avira	BDS/Backdoor.Gen
C:\Users\user\AppData\Local\Temp\iikbjmsy	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\fsfj	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\mtdwpx	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	0%	ReversingLabs
C:\Users\user\DZIPR.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
http://www.symauth.com/cps0(	0%	URL Reputation	safe
http://www.vmware.com/0	0%	Avira URL Cloud	safe
https://www.digicert.c	0%	Avira URL Cloud	safe
http://www.vmware.com/0/	0%	Avira URL Cloud	safe
fullimmersion777.com	0%	Avira URL Cloud	safe
http://support.datanumen.com	0%	Avira URL Cloud	safe
http://www.repairfile.com	0%	Avira URL Cloud	safe
https://www.datanumen.com/zip-repair/	0%	Avira URL Cloud	safe
http://www.symauth.com/rpa00	0%	Avira URL Cloud	safe
http://www.info-zip.org/	0%	Avira URL Cloud	safe
http://c0rl.m%L	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
fullimmersion777.com	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.vmware.com/0/	DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.digicert.c	DZIPR.exe, 00000001.00000002.1765606333.00000000033ED000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.vmware.com/0	DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.datanumen.com/zip-repair/	epht1Y3TGZ.exe, 00000000.00000003.1736102615.0000000002F75000.00000004.00000020.00020000.00000000.sdmp, epht1Y3TGZ.exe, 00000000.00000003.1737006961.0000000002460000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 00000001.00000003.1756607781.0000000003D46000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://c0rl.m%L	DZIPR.exe, 00000001.00000002.1765606333.00000000033ED000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.repairfile.com	DZIPR.exe, 00000001.00000003.1756607781.0000000003D46000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.symauth.com/cps0(	DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.symauth.com/rpa00	DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 00000001.00000002.1765606333.00000000033ED000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://support.datanumen.com	DZIPR.exe, 00000001.00000003.1756607781.0000000003D46000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.info-zip.org/	DZIPR.exe, 00000001.00000002.1766393271.00000000034E8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.0000000005185000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.000000000510D000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.0000000004589000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.000000000480D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.00000000050C1000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004F87000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1518342
Start date and time:	2024-09-25 16:05:18 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	epht1Y3TGZ.exe renamed because original name is a hash value
Original Sample Name:	25860926414bf43383246f7c773a8d6c.exe
Detection:	MAL
Classification:	mal100.troj.expl.evad.winEXE@22/16@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 70 Number of non-executed functions: 229
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: epht1Y3TGZ.exe

Simulations

Behavior and APIs

Time	Type	Description
10:06:52	API Interceptor	5x Sleep call for process: cmd.exe modified
15:06:35	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BIT9131.tmp
15:06:37	Task Scheduler	Run new task: lnfast_x64 path: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
15:06:48	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oracledemo_dbg.lnk

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\fsfj	55Ka50lb6Z.bat	Get hash	malicious	Remcos	Browse
C:\Users\user\AppData\Local\Temp\iikbjmsy	55Ka50lb6Z.bat	Get hash	malicious	Remcos	Browse
C:\Users\user\AppData\Local\Temp\mtdwpx	55Ka50lb6Z.bat	Get hash	malicious	Remcos	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\a1ba81aa

Download File

Process:	C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
File Type:	data
Category:	dropped
Size (bytes):	1234044
Entropy (8bit):	7.664473031882771
Encrypted:	false
SSDEEP:	24576:El943dyt0CxCz0E00hQ1JwJp/rFNe3hJc4ydIUTjciCvH4FpY:863dGMZ0cGwJpjFNe3hJc4yl9CgpY
MD5:	EF58D0A24D5A6DC00BD694737B1B1311
SHA1:	EE4BCF3C7E33A2E12F8AAB667BA3084708E7669D
SHA-256:	46711314276A371E344EF069513E126BF7985DE21305C224E72F71C60C8157B1
SHA-512:	AA336264DE202255C97BA439CFFB7DA582E8B1914F61B02580F075695D41D2AFD8CB7002C221996BBEBF238448EB44ABC90C51234FC610A605A58FEB48E77458
Malicious:	false
Reputation:	low
Preview:	>C&.<C&.<C&.=C&.<C&.yC&.)C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C'...v.y.r...k.^1I.R%R.jH.R4U.n7G.Ick.S6z.O,A.\.U.n7G.I6V.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.~,o.T7O.Q\.x;&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.~,e.X"R.t-U.\-E.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&...o.y.t.a.O.O,U.[7..x.z.O"K.J,T.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.Kq...v...t&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.

C:\Users\user\AppData\Local\Temp\ae0a7065

Download File

Process:	C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
File Type:	data
Category:	dropped
Size (bytes):	1234044
Entropy (8bit):	7.664472828261511
Encrypted:	false
SSDEEP:	24576:kl943dyt0CxCz0E00hQ1JwJp/rFNe3hJc4ydIUTjciCvH4FpY:c63dGMZ0cGwJpjFNe3hJc4yl9CgpY
MD5:	6860961845BE2D1B60765FE94F123046
SHA1:	2E558086BCDB79B2AAAEAB90300DDD6E7F5311C2
SHA-256:	7A96978DF43E62D0890CA095F4318E7FAF8B934B26592A6A1D08C26137DD2869
SHA-512:	8B01D57FEDF989B49EA86D3294F909F5E648D795E06AEE93D04F7C3DB8BA7B8ABDF6F92009A56C3EB236F372EA8636028F6DBA5F16466934C8468103A045C4C4
Malicious:	false
Preview:	>C&.<C&.<C&.=C&.<C&.yC&.)C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C'...v.y.r...k.^1I.R%R.jH.R4U.n7G.Ick.S6z.O,A.\.U.n7G.I6V.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.~,o.T7O.Q\.x;&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.~,e.X"R.t-U.\-E.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&...o.y.t.a.O.O,U.[7..x.z.O"K.J,T.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.Kq...v...t&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.

C:\Users\user\AppData\Local\Temp\b8f7a7f7

Download File

Process:	C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
File Type:	data
Category:	dropped
Size (bytes):	1234044
Entropy (8bit):	7.664472185998568
Encrypted:	false
SSDEEP:	24576:Jl943dyt0CxCz0E00hQ1JwJp/rFNe3hJc4ydIUTjciCvH4FpY:763dGMZ0cGwJpjFNe3hJc4yl9CgpY
MD5:	6DEFD53A2063A4A0C46249A25FC4FE15
SHA1:	E543AD180C96BCED734841B8E8BDDF1EECF9129A
SHA-256:	6C12E719FBBF7DA82D625130440DCC4C4AB4AA6B16D82ACC4E3618EEC6DB30E2
SHA-512:	8D7244661BE6CBBC1E03E388AF35AD6CB721D49CD4ECEDA6F11BDC7FC25708E6400B7B47043CC622102686B2DB1F28EB4D2002B189984D8341783BB7F165F6F8
Malicious:	false
Preview:	>C&.<C&.<C&.=C&.<C&.yC&.)C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C'...v.y.r...k.^1I.R%R.jH.R4U.n7G.Ick.S6z.O,A.\.U.n7G.I6V.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.~,o.T7O.Q\.x;&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.~,e.X"R.t-U.\-E.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&...o.y.t.a.O.O,U.[7..x.z.O"K.J,T.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.Kq...v...t&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.

C:\Users\user\AppData\Local\Temp\fsfj

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	500224
Entropy (8bit):	6.590620352205087
Encrypted:	false
SSDEEP:	6144:bTz+c6KHYBhDc1RGJdv//NkUn+N5Bkf/0TELRvIZPjbsAOZZ7AXpcrlT4h:bTlrYw1RUh3NFn+N5WfIQIjbs/Z79T4h
MD5:	6CA401F82443B673FCA7D7DDB0A05357
SHA1:	82E54CBDCF4E12A72A32E52E0FD03C095485B841
SHA-256:	7AA4BC94F891709D5B0FF9C2F95060AEEFB5AC6EB75222F9F105E29C3965629F
SHA-512:	A4FE6F7E935DC83D6F6C7CA5CF62AE97B2B2FFEC1E2E075CB436CEEECC2DBB27F515A8A0F6360176FE7AE4E273C413F1E922666A016C070B399DB253AA77614C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Local\Temp\fsfj, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Local\Temp\fsfj, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: C:\Users\user\AppData\Local\Temp\fsfj, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\fsfj, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\fsfj, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: C:\Users\user\AppData\Local\Temp\fsfj, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Joe Sandbox View:	Filename: 55Ka50lb6Z.bat, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{.-H..~H..~H..~..'~[..~..%~...~..$~V..~AbR~I..~..~J..~.D..R..~.D..r..~.D..j..~AbE~Q..~H..~v..~.D..,..~.D)~I..~.D..I..~RichH..~........................PE..L...s:.Z.................r...........J............@..........................@...........................................................H.......................;..P...8...............................@............................................text....q.......r.................. ..`.rdata...y.......z...v..............@..@.data...D]..........................@....tls.........p......................@....gfids..0...........................@..@.rsrc....H.......J..................@..@.reloc...;.......<...N..............@..Bcmxvoc... ... ......................@...........................................................................................................................................................

C:\Users\user\AppData\Local\Temp\iikbjmsy

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	500224
Entropy (8bit):	6.590620352205087
Encrypted:	false
SSDEEP:	6144:bTz+c6KHYBhDc1RGJdv//NkUn+N5Bkf/0TELRvIZPjbsAOZZ7AXpcrlT4h:bTlrYw1RUh3NFn+N5WfIQIjbs/Z79T4h
MD5:	6CA401F82443B673FCA7D7DDB0A05357
SHA1:	82E54CBDCF4E12A72A32E52E0FD03C095485B841
SHA-256:	7AA4BC94F891709D5B0FF9C2F95060AEEFB5AC6EB75222F9F105E29C3965629F
SHA-512:	A4FE6F7E935DC83D6F6C7CA5CF62AE97B2B2FFEC1E2E075CB436CEEECC2DBB27F515A8A0F6360176FE7AE4E273C413F1E922666A016C070B399DB253AA77614C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Local\Temp\iikbjmsy, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Local\Temp\iikbjmsy, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: C:\Users\user\AppData\Local\Temp\iikbjmsy, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\iikbjmsy, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\iikbjmsy, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: C:\Users\user\AppData\Local\Temp\iikbjmsy, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Joe Sandbox View:	Filename: 55Ka50lb6Z.bat, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{.-H..~H..~H..~..'~[..~..%~...~..$~V..~AbR~I..~..~J..~.D..R..~.D..r..~.D..j..~AbE~Q..~H..~v..~.D..,..~.D)~I..~.D..I..~RichH..~........................PE..L...s:.Z.................r...........J............@..........................@...........................................................H.......................;..P...8...............................@............................................text....q.......r.................. ..`.rdata...y.......z...v..............@..@.data...D]..........................@....tls.........p......................@....gfids..0...........................@..@.rsrc....H.......J..................@..@.reloc...;.......<...N..............@..Bcmxvoc... ... ......................@...........................................................................................................................................................

C:\Users\user\AppData\Local\Temp\mtdwpx

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	500224
Entropy (8bit):	6.590620352205087
Encrypted:	false
SSDEEP:	6144:bTz+c6KHYBhDc1RGJdv//NkUn+N5Bkf/0TELRvIZPjbsAOZZ7AXpcrlT4h:bTlrYw1RUh3NFn+N5WfIQIjbs/Z79T4h
MD5:	6CA401F82443B673FCA7D7DDB0A05357
SHA1:	82E54CBDCF4E12A72A32E52E0FD03C095485B841
SHA-256:	7AA4BC94F891709D5B0FF9C2F95060AEEFB5AC6EB75222F9F105E29C3965629F
SHA-512:	A4FE6F7E935DC83D6F6C7CA5CF62AE97B2B2FFEC1E2E075CB436CEEECC2DBB27F515A8A0F6360176FE7AE4E273C413F1E922666A016C070B399DB253AA77614C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Local\Temp\mtdwpx, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Local\Temp\mtdwpx, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: C:\Users\user\AppData\Local\Temp\mtdwpx, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\mtdwpx, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\mtdwpx, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: C:\Users\user\AppData\Local\Temp\mtdwpx, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Joe Sandbox View:	Filename: 55Ka50lb6Z.bat, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{.-H..~H..~H..~..'~[..~..%~...~..$~V..~AbR~I..~..~J..~.D..R..~.D..r..~.D..j..~AbE~Q..~H..~v..~.D..,..~.D)~I..~.D..I..~RichH..~........................PE..L...s:.Z.................r...........J............@..........................@...........................................................H.......................;..P...8...............................@............................................text....q.......r.................. ..`.rdata...y.......z...v..............@..@.data...D]..........................@....tls.........p......................@....gfids..0...........................@..@.rsrc....H.......J..................@..@.reloc...;.......<...N..............@..Bcmxvoc... ... ......................@...........................................................................................................................................................

C:\Users\user\AppData\Local\Temp\oahisshhqlvln

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 25 13:06:17 2024, mtime=Wed Sep 25 13:06:18 2024, atime=Wed Sep 25 10:50:28 2024, length=8767704, window=hide
Category:	dropped
Size (bytes):	887
Entropy (8bit):	5.083089062214689
Encrypted:	false
SSDEEP:	12:84tYtsa4q2P4WCQ8dY//sp6OSL6/saZE2xQR5ze2jAnmrHgdc8JsrjBmV:8MYt6qCj8+s6OsC22xqVAm+nurjBm
MD5:	B98004BE7156029147766B196D3DBE43
SHA1:	19C76031B66F62FA78EBE8E804C435732E9D44BC
SHA-256:	80B8EAB030788EC3C55735D154802EDD4C1BCEACC9FEAA836B6F08FC36078E2A
SHA-512:	71D864ED03308C7AF8D7F6B2E99E181630D851B8ACBE23049E9A24B14146506B72966DA8590800D6A67DB355C976DFDAA44EC423F212B12CF3E7965192464F53
Malicious:	false
Preview:	L..................F.... ...c...T.....K.T.......A............................:..DG..Yr?.D..U..k0.&...&......vk.v......s.T....A.T.......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^9Y.p...........................%..A.p.p.D.a.t.a...B.V.1.....9Y.p..Roaming.@......CW.^9Y.p..............................R.o.a.m.i.n.g.....b.1.....9Y.p..RUY_DR~1..J......9Y.p9Y.p....i.........................R.u.y._.d.r.i.v.e.r.v.2.....\.2....9YO^ .DZIPR.exe.D......9Y.p9Y.p..........................d...D.Z.I.P.R...e.x.e.......d...............-.......c............G1......C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe..$.....\.....\.R.o.a.m.i.n.g.\.R.u.y._.d.r.i.v.e.r.v.2.\.D.Z.I.P.R...e.x.e.`.......X.......971342...........hT..CrF.f4... ..T..b...,.......hT..CrF.f4... ..T..b...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.dll

Download File

Process:	C:\Users\user\DZIPR.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	354304
Entropy (8bit):	6.005348176071358
Encrypted:	false
SSDEEP:	6144:GBy1KULDZ+B55Lj5mCcBKyWm4IVFWyTBBa:x255L1mCcBKyWDsy
MD5:	AD28D4167571382569D2384FFD7BD2A9
SHA1:	EFC7534BCB1645D4056702E073519F571D8DB77B
SHA-256:	F919A8E63EC0F2F05AC01A6CAB4088C13FBF14A38B071CFA9F710C9E069462EB
SHA-512:	8F28867B46DD7A801CBF70D8D7FE5F2BFB8654A417C40BA264FAF81AF8BB1A28E1A1200FDC9828A4A4C6DF0A13817055290C16F9468D311B8D8049A2439348D9
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<..~x..-x..-x..-_4.-...-_4.-m..-x..-...-q.X-a..-q.N-...-q.I-...-f.I-{..-q.G-v..-q._-y..-f.Y-y..-q.\-y..-Richx..-........PE..L......e...........!.....f...........I....................................................@.............................O... ................................p...&.................................. ...@...............(.......@....................text....e.......f.................. ..`.rdata..............j..............@..@.data...t~.......$..................@....rsrc...............................@..@.reloc..Rq...p...r..................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe

Download File

Process:	C:\Users\user\DZIPR.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8767704
Entropy (8bit):	7.112848215947183
Encrypted:	false
SSDEEP:	196608:zoR6Nv4zX/hW/7vpqCv3wrwxd8Sr3a8i5ynKVrzzky9WD9rrBrIrrsSrCrbrCrr+:6SAzXQjkCv3wrwxd8Sr3a8i5ynKVrzzq
MD5:	EC9CE1D67F98072281015C7726FBA245
SHA1:	E89B16265ACF4A251B527DDF22830F2650987263
SHA-256:	9AB4145D5525AE741B80F4E66F505ABBA59ADCBE01868DFEF84FBE4450634CC1
SHA-512:	21DB8F3AE325021589DE9C2489AB2CE6814722A17A92476A56147478AA9767CE5C4769169F287060CC08AD76019178BA547FCEF32074EF1AFB1926845E7158E1
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.../..e..................J...;.......J...... J...@.............................................@............................L..F....R...3..............(....M.@.............................L.....................,.L.......L......................text.....I.......I................. ..`.itext..l+....I..,....I............. ..`.data........ J.......J.............@....bss..........K.......K..................idata...F....L..H....K.............@....didata.......L.......L.............@....tls....@.....L...... L..................rdata........L...... L.............@..@.reloc..@.....M......"L.............@..B.rsrc.....3...R...3...Q.............@..@....................................@..@........................................................

C:\Users\user\AppData\Roaming\Ruy_driverv2\ekqqtq

Download File

Process:	C:\Users\user\DZIPR.exe
File Type:	data
Category:	dropped
Size (bytes):	975374
Entropy (8bit):	7.888212877886324
Encrypted:	false
SSDEEP:	24576:uLAGNVG5bTGfhtqkZEgJUyAre0DnrDJLJ1IC:KTp/qkqIArtHJd1IC
MD5:	4649F3A4E58C6040B07F6D486C149A71
SHA1:	64F8FC631C5FB4E5F6BC20C207047D8E2B500587
SHA-256:	5D81CA77492946AA2CFE00349342DE8CCEB317D8649BEDBFD95992DCA885F184
SHA-512:	4E1B229D30403B594E992FE0893E568161C8D901FE20461093D11159AB03B5DD410D1834BC64AC4CCC39D4F6B072946703F06EEB982D79B1C9A1B773B57013B7
Malicious:	false
Preview:	...\.L..s..J....evCX.u..qPZdT.U.pkvFSh.kJ......gu.....u...P.^O....Eg]j.t^x.JEw..U.E`^.xh.B...r........Iw.....BK..h..Pa..c.apT.F...si...Ww.Z..u.ydFAq`.TJ.G....vY`u.b....i.Z.Z.Kx..q.UP.OR.m..e.....yF..b..R.r...]s...t......g.Q..j.ekUYeV._.^F.a..B_b..d..[.Tcy....q...Y.K.Hc..W....\cdo..[jrL.vfXR_SQ.g...[....efMX..cjVl.....x.fX.NR...^..ysky..t.iD.J..TE.........w.q....f..hA..m...._.Z.k.A....Z.QCF^.UL.X..j.....`PJ..m......dlUkvE.P...jNo.W.c..Mp.v.d.G..PTkSW....iMXN.k.].....JIm..._.[.Wpb.a....C...oY...hB..ut..U.c..Ig]G.`..n....XV.qe.D...RxKT....^.wF]On.m....t.....TlESv.^Af.......M.K\....R.O.xLq.wCX.....NxHK...f...w.t.i........s.....W.x.\....[.p....bY...n....BO...W..Kc..bbO..q...`.c..Zay.i.EnZ..p...MIDQAbIt..N.yy..C...st.a.eZL...L..VYLoo.ZdAy[....ji.IpcvtNd........^g..e.Ekk..t...w.h.KtPgKl...[.J._D._.nr.ZF..Nuj...OnQ..HgG..I..xFK...Q`.A.....M....tt...Ja.K..L.j...s......ir...FT....e.Q.W...v.I.Nb.c.oGnNVCV.ojf.x...UoW.X.y...g.o.HrdM.Cga..WyJ..u.xd.AEcf.I..._._t..t.n.np..`W.GC....i..JJ...[`SVUqh...

C:\Users\user\AppData\Roaming\Ruy_driverv2\ipqtwm

Download File

Process:	C:\Users\user\DZIPR.exe
File Type:	data
Category:	dropped
Size (bytes):	72329
Entropy (8bit):	4.4816230098296295
Encrypted:	false
SSDEEP:	1536:wwBU0cfQiZJyld+smk3i92UcmUTY4bBc/UVoVJnaDa:wAU0niZJMtXi9yx84Fc/UaJnaDa
MD5:	F125E72B3968CA233EF3C7E2F4DB34E7
SHA1:	4FB34044EF18CEDBD3EDE4272C44416D3F11735C
SHA-256:	CED30560C6C0FC15CBDBDBC0D480DCA6B41CE3183057E43B419DD6814A33DB92
SHA-512:	B645D1EB685A69B9CA9BBDB1F4638AF8AE151DDFB9527C423F7779971246ED60F981CE26CE8AF2FC7B63164E7C13E9C6E98A7F148831A1E59318E60E5A39F881
Malicious:	false
Preview:	]dQ.cK.HM.oxC.bO].mQB...L.hHK....W..baW...f`kn.F.Iq.InDbX.M.J.W.CQF.]..M.....G.......J.GN......r.xZE.w.LP...h.[gx.cGq..ej..iQ.I...Q..V.....A.N..kX...ru..w.ZsOSBK..O...F..D...\Mh.q......`MjE.v...W.i.edA....UZ.x.Pf...Y.S.X...DQSG..y..GF..SD...y.pHM...mIE...].rY.jmZ.wA...eNnuh...jk.N.TI.s..W..M...xrSwCYKVq..Uf[r..Mm.uR......U.]..M.VobY...V.A.H_r....b\a..x.r.aj.P..r.O..ik.....]Lf.Ei..S..D...d.........qR..Aw.Q.QH..b...p.Of..v.p..]..t...g.lg.HD.g...O..K.CKj._...vI..Wu.sPu..PDPZ.\vvw.b...sQ.M.^.B..X...r.f.....ja..j..k.p.\J.UVg...S_Zq.c....I..hN[f..A.F_..WY.]Qr...YL.co.Y......I.......O...jG.Q.x]pp_.u^Vr..iiI..L_..SyWf`nr.b.`..e.Hm...B....y...Y.....d....qFUg.Ma..uPB_\.\..f..i..jE.v.....uxRV..[aM.l.Y..NT...vbef...bBcsRs.jW...pH.`B.FVL^.......y.....Z.....W...._eu..W.P...FYX.d..CE..dxg.....F.b^...MfysH...q.k..^..l....M...wqX.M`...B[..WN.]..M.......A.U.ZX[.n]........xTup...^y.nUgpcx..iu.`.Rv].i\b..UIwA..M..TQ.T.F...jA..p..VI.m.R..Va...V.P.H..y..vhjr....l..oZ.....[y.b.O.FA.c.DEQ]..n.ZU.Dt[Z.O.T.]...

C:\Users\user\DZIPR.dll

Download File

Process:	C:\Users\user\Desktop\epht1Y3TGZ.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	354304
Entropy (8bit):	6.005348176071358
Encrypted:	false
SSDEEP:	6144:GBy1KULDZ+B55Lj5mCcBKyWm4IVFWyTBBa:x255L1mCcBKyWDsy
MD5:	AD28D4167571382569D2384FFD7BD2A9
SHA1:	EFC7534BCB1645D4056702E073519F571D8DB77B
SHA-256:	F919A8E63EC0F2F05AC01A6CAB4088C13FBF14A38B071CFA9F710C9E069462EB
SHA-512:	8F28867B46DD7A801CBF70D8D7FE5F2BFB8654A417C40BA264FAF81AF8BB1A28E1A1200FDC9828A4A4C6DF0A13817055290C16F9468D311B8D8049A2439348D9
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<..~x..-x..-x..-_4.-...-_4.-m..-x..-...-q.X-a..-q.N-...-q.I-...-f.I-{..-q.G-v..-q._-y..-f.Y-y..-q.\-y..-Richx..-........PE..L......e...........!.....f...........I....................................................@.............................O... ................................p...&.................................. ...@...............(.......@....................text....e.......f.................. ..`.rdata..............j..............@..@.data...t~.......$..................@....rsrc...............................@..@.reloc..Rq...p...r..................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\DZIPR.exe

Download File

Process:	C:\Users\user\Desktop\epht1Y3TGZ.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8767704
Entropy (8bit):	7.112848215947183
Encrypted:	false
SSDEEP:	196608:zoR6Nv4zX/hW/7vpqCv3wrwxd8Sr3a8i5ynKVrzzky9WD9rrBrIrrsSrCrbrCrr+:6SAzXQjkCv3wrwxd8Sr3a8i5ynKVrzzq
MD5:	EC9CE1D67F98072281015C7726FBA245
SHA1:	E89B16265ACF4A251B527DDF22830F2650987263
SHA-256:	9AB4145D5525AE741B80F4E66F505ABBA59ADCBE01868DFEF84FBE4450634CC1
SHA-512:	21DB8F3AE325021589DE9C2489AB2CE6814722A17A92476A56147478AA9767CE5C4769169F287060CC08AD76019178BA547FCEF32074EF1AFB1926845E7158E1
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\DZIPR.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.../..e..................J...;.......J...... J...@.............................................@............................L..F....R...3..............(....M.@.............................L.....................,.L.......L......................text.....I.......I................. ..`.itext..l+....I..,....I............. ..`.data........ J.......J.............@....bss..........K.......K..................idata...F....L..H....K.............@....didata.......L.......L.............@....tls....@.....L...... L..................rdata........L...... L.............@..@.reloc..@.....M......"L.............@..B.rsrc.....3...R...3...Q.............@..@....................................@..@........................................................

C:\Users\user\ekqqtq

Download File

Process:	C:\Users\user\Desktop\epht1Y3TGZ.exe
File Type:	data
Category:	dropped
Size (bytes):	975374
Entropy (8bit):	7.888212877886324
Encrypted:	false
SSDEEP:	24576:uLAGNVG5bTGfhtqkZEgJUyAre0DnrDJLJ1IC:KTp/qkqIArtHJd1IC
MD5:	4649F3A4E58C6040B07F6D486C149A71
SHA1:	64F8FC631C5FB4E5F6BC20C207047D8E2B500587
SHA-256:	5D81CA77492946AA2CFE00349342DE8CCEB317D8649BEDBFD95992DCA885F184
SHA-512:	4E1B229D30403B594E992FE0893E568161C8D901FE20461093D11159AB03B5DD410D1834BC64AC4CCC39D4F6B072946703F06EEB982D79B1C9A1B773B57013B7
Malicious:	false
Preview:	...\.L..s..J....evCX.u..qPZdT.U.pkvFSh.kJ......gu.....u...P.^O....Eg]j.t^x.JEw..U.E`^.xh.B...r........Iw.....BK..h..Pa..c.apT.F...si...Ww.Z..u.ydFAq`.TJ.G....vY`u.b....i.Z.Z.Kx..q.UP.OR.m..e.....yF..b..R.r...]s...t......g.Q..j.ekUYeV._.^F.a..B_b..d..[.Tcy....q...Y.K.Hc..W....\cdo..[jrL.vfXR_SQ.g...[....efMX..cjVl.....x.fX.NR...^..ysky..t.iD.J..TE.........w.q....f..hA..m...._.Z.k.A....Z.QCF^.UL.X..j.....`PJ..m......dlUkvE.P...jNo.W.c..Mp.v.d.G..PTkSW....iMXN.k.].....JIm..._.[.Wpb.a....C...oY...hB..ut..U.c..Ig]G.`..n....XV.qe.D...RxKT....^.wF]On.m....t.....TlESv.^Af.......M.K\....R.O.xLq.wCX.....NxHK...f...w.t.i........s.....W.x.\....[.p....bY...n....BO...W..Kc..bbO..q...`.c..Zay.i.EnZ..p...MIDQAbIt..N.yy..C...st.a.eZL...L..VYLoo.ZdAy[....ji.IpcvtNd........^g..e.Ekk..t...w.h.KtPgKl...[.J._D._.nr.ZF..Nuj...OnQ..HgG..I..xFK...Q`.A.....M....tt...Ja.K..L.j...s......ir...FT....e.Q.W...v.I.Nb.c.oGnNVCV.ojf.x...UoW.X.y...g.o.HrdM.Cga..WyJ..u.xd.AEcf.I..._._t..t.n.np..`W.GC....i..JJ...[`SVUqh...

C:\Users\user\ipqtwm

Download File

Process:	C:\Users\user\Desktop\epht1Y3TGZ.exe
File Type:	data
Category:	dropped
Size (bytes):	72329
Entropy (8bit):	4.4816230098296295
Encrypted:	false
SSDEEP:	1536:wwBU0cfQiZJyld+smk3i92UcmUTY4bBc/UVoVJnaDa:wAU0niZJMtXi9yx84Fc/UaJnaDa
MD5:	F125E72B3968CA233EF3C7E2F4DB34E7
SHA1:	4FB34044EF18CEDBD3EDE4272C44416D3F11735C
SHA-256:	CED30560C6C0FC15CBDBDBC0D480DCA6B41CE3183057E43B419DD6814A33DB92
SHA-512:	B645D1EB685A69B9CA9BBDB1F4638AF8AE151DDFB9527C423F7779971246ED60F981CE26CE8AF2FC7B63164E7C13E9C6E98A7F148831A1E59318E60E5A39F881
Malicious:	false
Preview:	]dQ.cK.HM.oxC.bO].mQB...L.hHK....W..baW...f`kn.F.Iq.InDbX.M.J.W.CQF.]..M.....G.......J.GN......r.xZE.w.LP...h.[gx.cGq..ej..iQ.I...Q..V.....A.N..kX...ru..w.ZsOSBK..O...F..D...\Mh.q......`MjE.v...W.i.edA....UZ.x.Pf...Y.S.X...DQSG..y..GF..SD...y.pHM...mIE...].rY.jmZ.wA...eNnuh...jk.N.TI.s..W..M...xrSwCYKVq..Uf[r..Mm.uR......U.]..M.VobY...V.A.H_r....b\a..x.r.aj.P..r.O..ik.....]Lf.Ei..S..D...d.........qR..Aw.Q.QH..b...p.Of..v.p..]..t...g.lg.HD.g...O..K.CKj._...vI..Wu.sPu..PDPZ.\vvw.b...sQ.M.^.B..X...r.f.....ja..j..k.p.\J.UVg...S_Zq.c....I..hN[f..A.F_..WY.]Qr...YL.co.Y......I.......O...jG.Q.x]pp_.u^Vr..iiI..L_..SyWf`nr.b.`..e.Hm...B....y...Y.....d....qFUg.Ma..uPB_\.\..f..i..jE.v.....uxRV..[aM.l.Y..NT...vbef...bBcsRs.jW...pH.`B.FVL^.......y.....Z.....W...._eu..W.P...FYX.d..CE..dxg.....F.b^...MfysH...q.k..^..l....M...wqX.M`...B[..WN.]..M.......A.U.ZX[.n]........xTup...^y.nUgpcx..iu.`.Rv].i\b..UIwA..M..TQ.T.F...jA..p..VI.m.R..Va...V.P.H..y..vhjr....l..oZ.....[y.b.O.FA.c.DEQ]..n.ZU.Dt[Z.O.T.]...

C:\Windows\Tasks\lnfast_x64.job

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	280
Entropy (8bit):	3.5772984365087783
Encrypted:	false
SSDEEP:	6:PRZi8fcRKUEZglJPZOjzkjTtPjgsW2YRZuy0lbo8lZP1:PRcmcRKMJs0jzvYRQVs0Zt
MD5:	D0F4475729B019BBFFDAA36502E5843E
SHA1:	D9771DD87515EA0B8A3C332E8FB7162C69940CD3
SHA-256:	09C1D502A1ABA5A0E4491661DD6B02C9C480BB847262F4164F7871DA58FC92A8
SHA-512:	3920E4A4257F684E5BF16F16E049CBFBB0EFDFA53AABEB1286DEB899FD1AE2559B91A50BCA91803F5CBA3D5B67BFC40BB9956D45FCB6B7739FB83DA5E926D138
Malicious:	false
Preview:	.......*...K.$....2RF.......<... ................ ....................6.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.R.u.y._.d.r.i.v.e.r.v.2.\.D.Z.I.P.R...e.x.e.........J.O.N.E.S.-.P.C.\.j.o.n.e.s...................0.........4.....................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.988259707956486
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	epht1Y3TGZ.exe
File size:	4'809'996 bytes
MD5:	25860926414bf43383246f7c773a8d6c
SHA1:	760390a4a14df085f4c841067f52c79409cdc93e
SHA256:	a8e552944846a2f5e8fefea4a250046da29d74d1f58f7a868258e6ded9597958
SHA512:	61825ef1b03f5516f2820faae3dad01911054debb714b2162fd28cdc7c26199eb6174eddb3e48a4b200c350a083a561a58bd2724496fcb71e87d4492e2ec5a07
SSDEEP:	98304:+pbYDHaUeRG/GnYDievJRVrQo4QGB0s53+sTH7/93veWGLRHHk:+pbu9e+qYDiQf1hfGWsBVb/rGLhE
TLSH:	382633423350A0F6CAB8CAB36F2ED7D182B1E7B557112F4B418A1E272D536D6471B2CB
File Content Preview:	MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L...~.&L.....................................0....@..........................0.......3.......................................P.............................

File Icon


Icon Hash:	d292fcd8f2f2fe1c

Static PE Info

General

Entrypoint:	0x411def
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x4C26F87E [Sun Jun 27 07:06:38 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b5a014d7eeb4c2042897567e1288a095

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00414C50h
push 00411F80h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [00413184h]
pop ecx
or dword ptr [00419924h], FFFFFFFFh
or dword ptr [00419928h], FFFFFFFFh
call dword ptr [00413188h]
mov ecx, dword ptr [0041791Ch]
mov dword ptr [eax], ecx
call dword ptr [0041318Ch]
mov ecx, dword ptr [00417918h]
mov dword ptr [eax], ecx
mov eax, dword ptr [00413190h]
mov eax, dword ptr [eax]
mov dword ptr [00419920h], eax
call 00007F994CC45702h
cmp dword ptr [00417710h], ebx
jne 00007F994CC455EEh
push 00411F78h
call dword ptr [00413194h]
pop ecx
call 00007F994CC456D4h
push 00417048h
push 00417044h
call 00007F994CC456BFh
mov eax, dword ptr [00417914h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [00417910h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [0041319Ch]
push 00417040h
push 00417000h
call 00007F994CC4568Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x150dc	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1a000	0x18d04	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x13000	0x310	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x11317	0x11400	797279c5ab1a163aed1f2a528f9fe3ce	False	0.6174988677536232	data	6.576987441854239	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x13000	0x30ea	0x3200	1359639b02bcb8f0a8743e6ead1c0030	False	0.43828125	data	5.549434098115495	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x17000	0x292c	0x800	9415c9c8dea3245d6d73c23393e27d8e	False	0.431640625	data	3.6583182363171756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1a000	0x18d04	0x18e00	9dee09854e79aa987e5336a4defda540	False	0.2433358197236181	data	5.382874846103129	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1a1f0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Russian	Russia	0.6781914893617021
RT_ICON	0x1a658	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Russian	Russia	0.47068480300187615
RT_ICON	0x1b700	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Russian	Russia	0.41161825726141077
RT_ICON	0x1dca8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	Russian	Russia	0.3213863958431743
RT_ICON	0x21ed0	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	Russian	Russia	0.1865609842659411
RT_GROUP_ICON	0x326f8	0x4c	data	Russian	Russia	0.7763157894736842
RT_VERSION	0x32744	0x350	data	English	United States	0.47523584905660377
RT_MANIFEST	0x32a94	0x270	ASCII text, with very long lines (624), with no line terminators	English	United States	0.5144230769230769

Imports

DLL	Import
COMCTL32.dll
KERNEL32.dll	GetFileAttributesW, CreateDirectoryW, WriteFile, GetStdHandle, VirtualFree, GetModuleHandleW, GetProcAddress, LoadLibraryA, LockResource, LoadResource, SizeofResource, FindResourceExA, MulDiv, GlobalFree, GlobalAlloc, lstrcmpiA, GetSystemDefaultLCID, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, MultiByteToWideChar, GetLocaleInfoW, lstrlenA, lstrcmpiW, GetEnvironmentVariableW, lstrcmpW, GlobalMemoryStatusEx, VirtualAlloc, WideCharToMultiByte, ExpandEnvironmentStringsW, RemoveDirectoryW, FindClose, FindNextFileW, DeleteFileW, FindFirstFileW, SetThreadLocale, GetLocalTime, GetSystemTimeAsFileTime, lstrlenW, GetTempPathW, SetEnvironmentVariableW, CloseHandle, CreateFileW, GetDriveTypeW, SetCurrentDirectoryW, GetModuleFileNameW, GetCommandLineW, GetVersionExW, CreateEventW, SetEvent, ResetEvent, InitializeCriticalSection, TerminateThread, ResumeThread, SuspendThread, IsBadReadPtr, LocalFree, lstrcpyW, FormatMessageW, GetSystemDirectoryW, DeleteCriticalSection, GetFileSize, SetFilePointer, ReadFile, SetFileTime, SetEndOfFile, EnterCriticalSection, LeaveCriticalSection, WaitForMultipleObjects, GetModuleHandleA, SystemTimeToFileTime, GetLastError, CreateThread, WaitForSingleObject, GetExitCodeThread, Sleep, SetLastError, SetFileAttributesW, GetDiskFreeSpaceExW, lstrcatW, ExitProcess, CompareFileTime, GetStartupInfoA
USER32.dll	CharUpperW, EndDialog, DestroyWindow, KillTimer, ReleaseDC, DispatchMessageW, GetMessageW, SetTimer, CreateWindowExW, ScreenToClient, GetWindowRect, wsprintfW, GetParent, GetSystemMenu, EnableMenuItem, EnableWindow, MessageBeep, LoadIconW, LoadImageW, wvsprintfW, IsWindow, DefWindowProcW, CallWindowProcW, DrawIconEx, DialogBoxIndirectParamW, GetWindow, ClientToScreen, GetDC, DrawTextW, ShowWindow, SystemParametersInfoW, SetFocus, SetWindowLongW, GetSystemMetrics, GetClientRect, GetDlgItem, GetKeyState, MessageBoxA, wsprintfA, SetWindowTextW, GetSysColor, GetWindowTextLengthW, GetWindowTextW, GetClassNameA, GetWindowLongW, GetMenu, SetWindowPos, CopyImage, SendMessageW, GetWindowDC
GDI32.dll	GetCurrentObject, StretchBlt, SetStretchBltMode, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, GetObjectW, GetDeviceCaps, DeleteObject, CreateFontIndirectW, DeleteDC
SHELL32.dll	SHGetFileInfoW, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetMalloc, ShellExecuteExW, SHGetSpecialFolderPathW, ShellExecuteW
ole32.dll	CoInitialize, CreateStreamOnHGlobal, CoCreateInstance
OLEAUT32.dll	VariantClear, OleLoadPicture, SysAllocString
MSVCRT.dll	__set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, ??1type_info@@UAE@XZ, _onexit, __dllonexit, _CxxThrowException, _beginthreadex, _EH_prolog, memset, _wcsnicmp, strncmp, malloc, memmove, _wtol, memcpy, free, memcmp, _purecall, ??2@YAPAXI@Z, ??3@YAXPAX@Z, _except_handler3, _controlfp

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia
English	United States

Target ID:	0
Start time:	10:06:14
Start date:	25/09/2024
Path:	C:\Users\user\Desktop\epht1Y3TGZ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\epht1Y3TGZ.exe"
Imagebase:	0x400000
File size:	4'809'996 bytes
MD5 hash:	25860926414BF43383246F7C773A8D6C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000003.1736102615.000000000277A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	10:06:15
Start date:	25/09/2024
Path:	C:\Users\user\DZIPR.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\DZIPR.exe"
Imagebase:	0x400000
File size:	8'767'704 bytes
MD5 hash:	EC9CE1D67F98072281015C7726FBA245
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000001.00000000.1739235026.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\DZIPR.exe, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:06:17
Start date:	25/09/2024
Path:	C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
Imagebase:	0x400000
File size:	8'767'704 bytes
MD5 hash:	EC9CE1D67F98072281015C7726FBA245
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:06:18
Start date:	25/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000003.00000002.2126221230.0000000005C30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.2126221230.0000000005C30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000002.2126221230.0000000005C30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000003.00000002.2126221230.0000000005C30000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:06:18
Start date:	25/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	10:06:37
Start date:	25/09/2024
Path:	C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
Imagebase:	0x400000
File size:	8'767'704 bytes
MD5 hash:	EC9CE1D67F98072281015C7726FBA245
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	10:06:39
Start date:	25/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000A.00000002.2218362255.0000000005700000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.2218362255.0000000005700000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000A.00000002.2218362255.0000000005700000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000A.00000002.2218362255.0000000005700000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	10:06:39
Start date:	25/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	10:06:45
Start date:	25/09/2024
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0x1f0000
File size:	4'514'184 bytes
MD5 hash:	DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000C.00000002.2125303235.0000000002799000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.2125303235.0000000002799000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000C.00000002.2125303235.0000000002799000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000C.00000002.2125303235.0000000002799000.00000002.00000001.01000000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	10:06:56
Start date:	25/09/2024
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0x1f0000
File size:	4'514'184 bytes
MD5 hash:	DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000D.00000002.2217537794.00000000026F9000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000002.2217537794.00000000026F9000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000D.00000002.2217537794.00000000026F9000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000D.00000002.2217537794.00000000026F9000.00000002.00000001.01000000.00000000.sdmp, Author: unknown Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	10:06:57
Start date:	25/09/2024
Path:	C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe"
Imagebase:	0x400000
File size:	8'767'704 bytes
MD5 hash:	EC9CE1D67F98072281015C7726FBA245
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	10:06:57
Start date:	25/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000F.00000002.2392314567.00000000056C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.2392314567.00000000056C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000F.00000002.2392314567.00000000056C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000F.00000002.2392314567.00000000056C0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	10:06:57
Start date:	25/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	10:07:13
Start date:	25/09/2024
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0x1f0000
File size:	4'514'184 bytes
MD5 hash:	DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000011.00000002.2391830637.0000000003099000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000002.2391830637.0000000003099000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000011.00000002.2391830637.0000000003099000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000011.00000002.2391830637.0000000003099000.00000002.00000001.01000000.00000000.sdmp, Author: unknown Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	17.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	25.9%
Total number of Nodes:	1473
Total number of Limit Nodes:	20

Executed Functions

Function 00404FAA Relevance: 250.2, APIs: 103, Strings: 39, Instructions: 1671keyboardsynchronizationwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00401B37: GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B43
Part of subcall function 00401B37: CreateWindowExW.USER32(00000000,Static,0041335C,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401B60
Part of subcall function 00401B37: SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401B72
Part of subcall function 00401B37: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401B7F
Part of subcall function 00401B37: DispatchMessageW.USER32(?), ref: 00401B89
Part of subcall function 00401B37: KillTimer.USER32(00000000,00000001,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B92
Part of subcall function 00401B37: KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B99

GetVersionExW.KERNEL32(?,?,?,00000000), ref: 00404FCE
GetCommandLineW.KERNEL32(?,00000020,?,?,00000000), ref: 0040505C

Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402ADC
Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?), ref: 00402AF7
Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C), ref: 00402AFF
Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402B6F

Part of subcall function 00403D71: lstrlenW.KERNEL32(?,00000000,00000020,?,0040508F,?,?,00000000,?,00000000), ref: 00403DA5
Part of subcall function 00403D71: lstrlenW.KERNEL32(?,?,00000000), ref: 00403DAD

_wtol.MSVCRT ref: 0040509F
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004050F1
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405102
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 0040510A
GetModuleFileNameW.KERNEL32(00000000,00000208,00000000,?,00000000), ref: 00405138
_wtol.MSVCRT ref: 00405217
??2@YAPAXI@Z.MSVCRT(00000010,004177C4,004177C4,?,00000000), ref: 0040538F

Part of subcall function 00404E3F: ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000024,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404E85
Part of subcall function 00404E3F: ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000024,004177C4,004177C4,00000000,00000024,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404EAB
Part of subcall function 00404E3F: wsprintfA.USER32 ref: 00404EBC

Part of subcall function 00402844: lstrlenA.KERNEL32(?,?,00000000), ref: 00402876
Part of subcall function 00402844: lstrlenA.KERNEL32(?,?,00000000), ref: 0040287E
Part of subcall function 00402844: memcmp.MSVCRT(?,?,?), ref: 004028E4
Part of subcall function 00402844: memcmp.MSVCRT(?,?,?,?,00000000), ref: 00402921
Part of subcall function 00402844: memmove.MSVCRT(?,?,00000000,?,00000000), ref: 00402953

??3@YAXPAX@Z.MSVCRT(?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405453
??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 0040545B
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405463
??3@YAXPAX@Z.MSVCRT(?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054DD
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054E5
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054ED
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405509
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405511
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405519

Part of subcall function 00403093: ??3@YAXPAX@Z.MSVCRT(0040414C,?), ref: 00403347

??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405559
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405561
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405569

Part of subcall function 00403B94: lstrlenW.KERNEL32(?,00000020,?,?,00405650,?,00414668,?,00000000,?), ref: 00403BA1
Part of subcall function 00403B94: lstrlenW.KERNEL32(?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 00403BAA
Part of subcall function 00403B94: _wcsnicmp.MSVCRT ref: 00403BB6

wsprintfW.USER32 ref: 00405595
_wtol.MSVCRT ref: 004057DE
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 0040587B
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 00405883
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 0040588B
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,0000003D,00000000,00000000,?,?,00000000,?), ref: 00405913
??3@YAXPAX@Z.MSVCRT(?,0000003D,00000000,00000000,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4), ref: 00405938
??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059AA
??3@YAXPAX@Z.MSVCRT(?,?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059B2
??3@YAXPAX@Z.MSVCRT(?,?,?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059BA
CoInitialize.OLE32(00000000), ref: 004059E9
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405A30
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?), ref: 00405A38
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405A40
GetKeyState.USER32(00000010), ref: 00405AA1
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405BCD
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BDB
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BE3
??3@YAXPAX@Z.MSVCRT(?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C16
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C1E
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C26
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C2E
memset.MSVCRT ref: 004060AE
ShellExecuteExW.SHELL32(?), ref: 0040617E
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?), ref: 0040619A
CloseHandle.KERNEL32(?,?,?,?), ref: 004061A6
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?), ref: 004061D4
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?), ref: 004061DC
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?), ref: 004061E4
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 004061EA
??3@YAXPAX@Z.MSVCRT(?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 004061FD
??3@YAXPAX@Z.MSVCRT(?,?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000), ref: 00406205
??3@YAXPAX@Z.MSVCRT(?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406222
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 0040622A
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406232
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 0040623A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406242
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall), ref: 0040624A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall), ref: 00406252
??3@YAXPAX@Z.MSVCRT(?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 0040626E
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00406276
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BEB

Part of subcall function 00407776: wvsprintfW.USER32(?,00000000,?), ref: 0040779A
Part of subcall function 00407776: GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
Part of subcall function 00407776: lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
Part of subcall function 00407776: lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
Part of subcall function 00407776: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
Part of subcall function 00407776: lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
Part of subcall function 00407776: lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
Part of subcall function 00407776: ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
Part of subcall function 00407776: LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851

??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405C4A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?), ref: 00405C52
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C5A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C62
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C94
??3@YAXPAX@Z.MSVCRT(?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405CD4
??3@YAXPAX@Z.MSVCRT(?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D41
??3@YAXPAX@Z.MSVCRT(?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D49
??3@YAXPAX@Z.MSVCRT(?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D51
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D59
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E20
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E28
GetFileAttributesW.KERNEL32(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E32
??3@YAXPAX@Z.MSVCRT(?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405EEC
??3@YAXPAX@Z.MSVCRT(?,?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000), ref: 00405EF4
_wtol.MSVCRT ref: 00405F65
??3@YAXPAX@Z.MSVCRT(?,00000001,00000010,?,?,?,?), ref: 00406294
??3@YAXPAX@Z.MSVCRT(?,?,00000001,00000010,?,?,?,?), ref: 0040629C
??3@YAXPAX@Z.MSVCRT(?,?,?,00000001,00000010,?,?,?,?), ref: 004062A4
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062AA
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062B2
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062BA
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062C2
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062CA
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062D2
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?), ref: 004062F1
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?), ref: 004062F9
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?), ref: 00406301
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 00406307
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406343
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 0040636D
??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,?,?,?,?,?,?,00000000,?,?,?), ref: 004063E6
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 0040643D
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,?,?,?), ref: 00406445
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,?,?,?), ref: 0040644D
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406455
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 0040646A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 0040647B
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406483
MessageBoxA.USER32(00000000,Sorry, this program requires Microsoft Windows 2000 or later.,7-Zip SFX,00000010), ref: 0040649C

Strings

Sorry, this program requires Microsoft Windows 2000 or later., xrefs: 00406495
FinishMessage, xrefs: 00406399
SetEnvironment, xrefs: 0040586E, 0040591F
XpA, xrefs: 00405581
SelfDelete, xrefs: 0040577C, 0040640B
7zSfxString%d, xrefs: 0040558F
x64, xrefs: 00405FF7
GUIMode, xrefs: 004056FF
;!@InstallEnd@!, xrefs: 00405431
nowait, xrefs: 00405F03
OverwriteMode, xrefs: 004056BB
InstallPath, xrefs: 004059F3
del, xrefs: 00405F9A
IA, xrefs: 004055D2, 004058FB
shc, xrefs: 00405F7A
AutoInstall, xrefs: 00405AC1, 00405B1C, 00405ECC
i386, xrefs: 00405FD1
x86, xrefs: 00405FBE
BeginPrompt, xrefs: 00405A71
7ZipSfx.%03x, xrefs: 00405C77
sfxconfig, xrefs: 0040527C, 00405488
Delete, xrefs: 00406352
7-Zip SFX, xrefs: 00406490
hidcon, xrefs: 00405E5E
GUIFlags, xrefs: 0040571F
4DA, xrefs: 00406034
ExecuteParameters, xrefs: 0040605D
sfxversion, xrefs: 004050D6
4AA, xrefs: 0040504C
Shortcut, xrefs: 0040632A
HelpText, xrefs: 0040595E
;!@Install@!UTF-8!, xrefs: 00405436
RunProgram, xrefs: 00405A66, 00405B6B, 00405B79
setup.exe, xrefs: 00405DE5, 00405DEA, 00405E45
@DA, xrefs: 00405699
amd64, xrefs: 00405FE4
ExecuteFile, xrefs: 00405A61, 00405B47, 00405B55
MiscFlags, xrefs: 0040573F
forcenowait, xrefs: 00405F25

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: ??3@$lstrlen$Message$_wtol$??2@FileFormatHandleModuleTimerlstrcpymemcmpwsprintf$AttributesCallbackCloseCommandCreateCurrentDirectoryDispatchDispatcherErrorExecuteFreeInitializeKillLastLineLocalNameObjectShellSingleStateUserVersionWaitWindow_wcsnicmpmemmovememsetwvsprintf
String ID: 4AA$4DA$7-Zip SFX$7ZipSfx.%03x$7zSfxString%d$;!@Install@!UTF-8!$;!@InstallEnd@!$@DA$AutoInstall$BeginPrompt$Delete$ExecuteFile$ExecuteParameters$FinishMessage$GUIFlags$GUIMode$HelpText$InstallPath$MiscFlags$OverwriteMode$RunProgram$SelfDelete$SetEnvironment$Shortcut$Sorry, this program requires Microsoft Windows 2000 or later.$XpA$amd64$del$forcenowait$hidcon$i386$nowait$setup.exe$sfxconfig$sfxversion$shc$x64$x86$IA
API String ID: 154539431-3058303289
Opcode ID: 926e16e0d72d3398af4091c0d2fb4f0e89ce66b1218389f87f1cbe10f28a7287
Instruction ID: bd55e9a5e2f2b8c77b34d16bce6880ff8bafa7c96c93ceffa7f521d25999041e
Opcode Fuzzy Hash: 926e16e0d72d3398af4091c0d2fb4f0e89ce66b1218389f87f1cbe10f28a7287
Instruction Fuzzy Hash: 65C2E231904619AADF21AF61DC45AEF3769EF00708F54403BF906B61E2EB7C9981CB5D

Function 00401626 Relevance: 22.8, APIs: 15, Instructions: 304
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc4e185761910bab2b3e9b4b194fe0f2484e14367d7febfa53cbc10b96610557
Instruction ID: 8ae67fe93764504dd4472983a8ee98937692ca3eac7777145cc28303e79798ac
Opcode Fuzzy Hash: bc4e185761910bab2b3e9b4b194fe0f2484e14367d7febfa53cbc10b96610557
Instruction Fuzzy Hash: 8DB17C71900205EFCB14EFA5D8849AEB7B5FF44304B24842BF512BB2F1EB39A945CB58

Function 0040301A Relevance: 7.5, APIs: 5, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(?,-00000001), ref: 00403028
SetLastError.KERNEL32(00000010), ref: 0040303D

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID:
API String ID: 1799206407-0
Opcode ID: 611e1059d124648bfa8909f45edfa8144be0e8992cd1f43fa13480e02f084d79
Instruction ID: 32a2c072cbeca167af0ba40feded167abd8377b8b15159977275e4e23b0806bf
Opcode Fuzzy Hash: 611e1059d124648bfa8909f45edfa8144be0e8992cd1f43fa13480e02f084d79
Instruction Fuzzy Hash: 42018B30102004AADF206F749C4CAAB3BACAB0136BF108632F621F11D8D738DB46965E

Function 0040118A Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

GetDiskFreeSpaceExW.KERNELBASE(?,00000000,00000000), ref: 004011A6
SendMessageW.USER32(00008001,00000000,?), ref: 004011FF

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: DiskFreeMessageSendSpace
String ID:
API String ID: 696007252-0
Opcode ID: 3a86173e64e6b0f12d7b84feb59694df1deaa45c142369f31f6b7a0286f107e3
Instruction ID: 9edb1a80411cac00ba33afe52a6c86c35bfa08927eae57e7515b94cd88b359ae
Opcode Fuzzy Hash: 3a86173e64e6b0f12d7b84feb59694df1deaa45c142369f31f6b7a0286f107e3
Instruction Fuzzy Hash: 1C014B30654209ABEB18EB90DD85F9A3BE9EB05704F108436F611F91F0CB79BA408B1D

Function 00411DEF Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00411E1C
__p__fmode.MSVCRT ref: 00411E31
__p__commode.MSVCRT ref: 00411E3F
__setusermatherr.MSVCRT ref: 00411E6B
_initterm.MSVCRT ref: 00411E81
__getmainargs.MSVCRT ref: 00411EA4
_initterm.MSVCRT ref: 00411EB4
GetStartupInfoA.KERNEL32(?), ref: 00411EF3
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00411F17
exit.KERNELBASE ref: 00411F27
_XcptFilter.MSVCRT ref: 00411F39

Strings

HpA, xrefs: 00411E9C, 00411E9F

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID: HpA
API String ID: 801014965-2938899866
Opcode ID: 9fb10d9e3a65800a4f5e1ed226729125e22e54dc21e3b7cab0738d928573cc55
Instruction ID: 158ffaedae0d42993a529c42e252781da09b2560f8e529a8c548a3e081932a5e
Opcode Fuzzy Hash: 9fb10d9e3a65800a4f5e1ed226729125e22e54dc21e3b7cab0738d928573cc55
Instruction Fuzzy Hash: 254192B0944344AFDB20DFA4DC45AEA7BB8FB09711F20452FFA51973A1D7784981CB58

Function 00401B37 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 47
timewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B43
CreateWindowExW.USER32(00000000,Static,0041335C,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401B60
SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401B72
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401B7F
DispatchMessageW.USER32(?), ref: 00401B89
KillTimer.USER32(00000000,00000001,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B92
KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B99

Strings

Static, xrefs: 00401B5A

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: MessageTimer$CallbackCreateDispatchDispatcherHandleKillModuleUserWindow
String ID: Static
API String ID: 2479445380-2272013587
Opcode ID: 3628b680e9888d51f3ede5b7fd431ea4f93bb964a28f818be4a598c22db00f11
Instruction ID: f02a6d563a0a994406544e3b77250aae51f77c8b940714b819f60fd1d37dc764
Opcode Fuzzy Hash: 3628b680e9888d51f3ede5b7fd431ea4f93bb964a28f818be4a598c22db00f11
Instruction Fuzzy Hash: 10F03C3250212476CA203FA69C4DEEF7E6CDB86BA2F008160B615A10D1DAB88241C6B9

Function 0040B163 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 160
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT(00000000,?,0000001F,00010000), ref: 0040B1C5
memmove.MSVCRT(00000000,-000000C1,00000020,?,00010000), ref: 0040B289
??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040B298

Strings

, xrefs: 0040B22D

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: ??3@memcpymemmove
String ID:
API String ID: 3549172513-3916222277
Opcode ID: 5bad17cc77e2d39d7f6897ae69eb46f7fe1422127806d73b42e5b41d987a673b
Instruction ID: 201babb0cc669d9fea5df8a163075e687156198648327345136f7fe875bf0058
Opcode Fuzzy Hash: 5bad17cc77e2d39d7f6897ae69eb46f7fe1422127806d73b42e5b41d987a673b
Instruction Fuzzy Hash: 495181B1A00205ABDF14DB95C889AAE7BB4EF49354F1441BAE905B7381D338DD81CB9D

Function 00403354 Relevance: 10.6, APIs: 7, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(00404AC6,?,?,00000000,?,?,?,?,00404AC6,?), ref: 00403361
GetSystemTimeAsFileTime.KERNEL32(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 004033D7
GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004033DE
??3@YAXPAX@Z.MSVCRT(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 0040349D

Part of subcall function 0040112B: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
Part of subcall function 0040112B: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171

memcpy.MSVCRT(-00000001,00404AC6,?,?,?,?,?,00404AC6,?), ref: 0040342F
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 0040346C
??3@YAXPAX@Z.MSVCRT(?,00000001,0000000C,00404AC6,00404AC6,?,?,?,?,00404AC6,?), ref: 004034B2

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: ??3@$FileTime$??2@AttributesSystemlstrlenmemcpy
String ID:
API String ID: 846840743-0
Opcode ID: 59d4a2ad1293f13bca9fbc2cc36a10c810479fd21a5ed498f46fbcb1fa619914
Instruction ID: c1b9adc2f16cc45d244a7c0b75b8b4a4f89234fa72cd4c12ee41ca3d86f3c48f
Opcode Fuzzy Hash: 59d4a2ad1293f13bca9fbc2cc36a10c810479fd21a5ed498f46fbcb1fa619914
Instruction Fuzzy Hash: 8F41C836904611AADB216F998881ABF7F6CEF40716F80403BED01B61D5DB3C9B4282DD

Function 00404405 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00401F47: GetUserDefaultUILanguage.KERNEL32(00404416,00000000,00000020,?), ref: 00401F51

Part of subcall function 00401F9D: GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
Part of subcall function 00401F9D: wsprintfW.USER32 ref: 00401FFD
Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 00402017
Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 0040204C
Part of subcall function 00401F9D: lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
Part of subcall function 00401F9D: SetLastError.KERNEL32(00000000), ref: 00402098
Part of subcall function 00401F9D: lstrlenA.KERNEL32(00413FD0), ref: 004020CC
Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
Part of subcall function 00401F9D: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119

Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000020), ref: 0040208F
Part of subcall function 00401F9D: _wtol.MSVCRT ref: 0040212A
Part of subcall function 00401F9D: MultiByteToWideChar.KERNEL32(00000000,00413FD0,00000001,00000000,00000002), ref: 0040214A

SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,?,?,?,00000000,00000020,?), ref: 0040448C
wsprintfW.USER32 ref: 004044A7

Part of subcall function 00402F6C: ??2@YAPAXI@Z.MSVCRT(00000018,00000000,004044E9,?,?,?,?,?,?,?,?,?,?,00000000,00000020,?), ref: 00402F71

#17.COMCTL32(?,?,?,?,00000000,00000020,?), ref: 00404533

Strings

IA, xrefs: 0040447B
7zSfxFolder%02d, xrefs: 004044A1

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: ErrorLast$??2@$??3@EnvironmentVariablewsprintf$ByteCharDefaultFolderInfoLanguageLocaleMultiPathSpecialUserWide_wtollstrcmpilstrlen
String ID: 7zSfxFolder%02d$IA
API String ID: 3387708999-1317665167
Opcode ID: 205a0074c49e5804c32477661e2015f4351efd6e14d5df67bf5bfd9f1882f569
Instruction ID: c443879f351b6d6d2b07c84fde6f3777072453d7374e8d7fc75fcfd2f507d9dd
Opcode Fuzzy Hash: 205a0074c49e5804c32477661e2015f4351efd6e14d5df67bf5bfd9f1882f569
Instruction Fuzzy Hash: E03140B19042199BDB10FFA2DC86AEE7B78EB44308F40407FF619B21E1EB785644DB58

Function 00408EA4 Relevance: 8.0, APIs: 3, Strings: 2, Instructions: 464
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT(00000018,?,?,00000000,?), ref: 00408F0F
??2@YAPAXI@Z.MSVCRT(00000028,00000000,?,?,00000000,?), ref: 00408F59

Strings

IA, xrefs: 00409391
IA, xrefs: 00409225

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: ??2@
String ID: IA$IA
API String ID: 1033339047-1400641299
Opcode ID: ade758c57321b25e9a53a0c33f99253ab3068af0158966582580042e8f9f7447
Instruction ID: ddcf9de22f7a46eeefc4975c1fab543939f34ce9f972055b0c78c556d294e1f5
Opcode Fuzzy Hash: ade758c57321b25e9a53a0c33f99253ab3068af0158966582580042e8f9f7447
Instruction Fuzzy Hash: EF123671A00209DFCB14EFA5C98489ABBB5FF48304B10456EF95AA7392DB39ED85CF44

Function 00410CD0 Relevance: 7.5, APIs: 1, Strings: 4, Instructions: 23
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.MSVCRT ref: 00410D0D

Strings

$KA, xrefs: 00410CF7
\KA, xrefs: 00410CE2
4KA, xrefs: 00410CF0
HKA, xrefs: 00410CE9

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: free
String ID: $KA$4KA$HKA$\KA
API String ID: 1294909896-3316857779
Opcode ID: 376fb7dfafd84c32bde4dd83858b4f8e2c6f0d8f0efa40633e7013e4dd95691d
Instruction ID: 889df95fe732b3a4b2d84b4ab476e7a54c7f97cead7299b76f73e2708a1c6c0a
Opcode Fuzzy Hash: 376fb7dfafd84c32bde4dd83858b4f8e2c6f0d8f0efa40633e7013e4dd95691d
Instruction Fuzzy Hash: C5F09271409B109FC7319F55E405AC6B7F4AE447183058A2EA89A5BA11D3B8F989CB9C

Function 004096C7 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 388
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_EH_prolog.MSVCRT ref: 004096D0
??2@YAPAXI@Z.MSVCRT(00000038,00000001), ref: 0040986E
??2@YAPAXI@Z.MSVCRT(00000038,?,00000000,00000000,00000001), ref: 00409941

Part of subcall function 00409C13: ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,?,00409952,?,00000000,00000000,00000001), ref: 00409C3B

Strings

HIA, xrefs: 0040978B

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: ??2@$H_prolog
String ID: HIA
API String ID: 3431946709-2712174624
Opcode ID: 5664c2804fe39f9fee2805cb412b18014b96d9821453edab9864f4d5d9c1b48b
Instruction ID: da3614a8b55b1d80bdf53177d95d0cff5abf3d9c279f99a440b99522f39c568d
Opcode Fuzzy Hash: 5664c2804fe39f9fee2805cb412b18014b96d9821453edab9864f4d5d9c1b48b
Instruction Fuzzy Hash: 53F13971610249DFCB24DF69C884AAA77F4BF48314F24416AF829AB392DB39ED41CF54

Function 00402844 Relevance: 6.4, APIs: 5, Instructions: 118
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(?,?,00000000), ref: 00402876
lstrlenA.KERNEL32(?,?,00000000), ref: 0040287E
memcmp.MSVCRT(?,?,?), ref: 004028E4
memcmp.MSVCRT(?,?,?,?,00000000), ref: 00402921
memmove.MSVCRT(?,?,00000000,?,00000000), ref: 00402953

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: lstrlenmemcmp$memmove
String ID:
API String ID: 3251180759-0
Opcode ID: 67daa449d30d113f3b3b6daec82bd49862eba03341b4cd8aae73257779b8cae6
Instruction ID: d4955105e7b234ce255a009ef61331e6eb412850de833d0a73495bfba1f32545
Opcode Fuzzy Hash: 67daa449d30d113f3b3b6daec82bd49862eba03341b4cd8aae73257779b8cae6
Instruction Fuzzy Hash: 4A417F72E00209AFCF01DFA4C9889EEBBB5EF08344F04447AE945B3291D3B49E55CB55

Function 0040150B Relevance: 6.1, APIs: 4, Instructions: 100
synchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,0040129C,00000000,00000000,?), ref: 0040154F
WaitForSingleObject.KERNEL32(000000FF,?,00404AFB,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00401570

Part of subcall function 00407776: wvsprintfW.USER32(?,00000000,?), ref: 0040779A
Part of subcall function 00407776: GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
Part of subcall function 00407776: lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
Part of subcall function 00407776: lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
Part of subcall function 00407776: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
Part of subcall function 00407776: lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
Part of subcall function 00407776: lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
Part of subcall function 00407776: ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
Part of subcall function 00407776: LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: FormatMessagelstrcpylstrlen$??2@??3@CreateErrorFreeLastLocalObjectSingleThreadWaitwvsprintf
String ID:
API String ID: 359084233-0
Opcode ID: bfd7be960afb110040db1d822841385e4bb8395790a59903d21b295a7462948d
Instruction ID: 87277f5b9ffc23463226fd0df2644328d4cfb3d5af9d6e9341eee715f5e270ad
Opcode Fuzzy Hash: bfd7be960afb110040db1d822841385e4bb8395790a59903d21b295a7462948d
Instruction Fuzzy Hash: 8231F171644200BBDA305B15DC86EBB37B9EBC5350F24843BF522F92F0CA79A941DA5E

Function 00401986 Relevance: 6.0, APIs: 4, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(004033CE,00000000,-00000001,004033CE,?,00404AC6,?,?,?,?,00404AC6,?), ref: 0040198D
GetLastError.KERNEL32(?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00401997
SetLastError.KERNEL32(000000B7,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004019A7
GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004019B5

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: ErrorLast$AttributesCreateDirectoryFile
String ID:
API String ID: 635176117-0
Opcode ID: 393c5bca226d6deeec728b25f224b431065b6bfcdefbc0a9fd36f7f362ffe78b
Instruction ID: 5ae0be16486f509c6b40768ba71a6c1c2cea9be4331c5fc90c1b41dbeb0419e3
Opcode Fuzzy Hash: 393c5bca226d6deeec728b25f224b431065b6bfcdefbc0a9fd36f7f362ffe78b
Instruction Fuzzy Hash: D5E09AB0518250AFDE142BB4BD187DB3AA5AF46362F508932F495E02F0C33888428A89

Function 00404A44 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT(000001E8,00000000,?,ExecuteFile,0000000D,?,00405D20,?,00417788,00417788), ref: 00404A5A
??2@YAPAXI@Z.MSVCRT(00000040,?,?,?,?,?,?,?,?,00000000,?), ref: 00404ADC

Strings

ExecuteFile, xrefs: 00404A48

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: ??2@
String ID: ExecuteFile
API String ID: 1033339047-323923146
Opcode ID: fa0511c003ccdb3ab72568a6a3a656966613ea7ca94b66f833361549b4052979
Instruction ID: 446d0bd8c70a379003bbf02419fa435b46014474c8a02eb0da5acec479ce97d7
Opcode Fuzzy Hash: fa0511c003ccdb3ab72568a6a3a656966613ea7ca94b66f833361549b4052979
Instruction Fuzzy Hash: EA1184B5340104BFD710AB659C85D6B73A8EF80355724443FF602B72D1DA789D418A6D

Function 0040ADC3 Relevance: 4.5, APIs: 3, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: ??2@??3@memmove
String ID:
API String ID: 3828600508-0
Opcode ID: 681e1b0d226f40fe4ab8b8450f07d9ff2e75d0d2427af455dbd11f2bdce48d51
Instruction ID: a8ce0a3cb4653ecb547b1a3698f229d81d6147035ad3680bc60947505803a3f4
Opcode Fuzzy Hash: 681e1b0d226f40fe4ab8b8450f07d9ff2e75d0d2427af455dbd11f2bdce48d51
Instruction Fuzzy Hash: 74F089763047016FC3205B1ADC80857BBABDFC4715311883FE55E93A50D634F891965A

Function 0040245A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 0040247E

Strings

@, xrefs: 00402471

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID: @
API String ID: 1890195054-2766056989
Opcode ID: e165e649a9da5613d175048000a137ea24de4513e4899c41680211bbe6bcf060
Instruction ID: 9ce3ff159218229c34eda893c3d8d64f83397f3f2cddac743d7c565554413103
Opcode Fuzzy Hash: e165e649a9da5613d175048000a137ea24de4513e4899c41680211bbe6bcf060
Instruction Fuzzy Hash: AAF0AF30A042048ADF15AB719E8DA5A37A4BB00348F10853AF516F52D4D7BCE9048B5D

Function 0040C9FC Relevance: 3.2, APIs: 2, Instructions: 184COMMON

Download Yara Rule

APIs

Part of subcall function 0040AAAB: _CxxThrowException.MSVCRT(?,00414EF8), ref: 0040AAC5

Part of subcall function 0040ADC3: ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
Part of subcall function 0040ADC3: memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
Part of subcall function 0040ADC3: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00

??3@YAXPAX@Z.MSVCRT(?,?,?,?,004149F0,?,004149B0), ref: 0040CAF2
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,004149F0,?,004149B0), ref: 0040CC4A

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: ??3@$??2@ExceptionThrowmemmove
String ID:
API String ID: 4269121280-0
Opcode ID: 55a34ad2a1bb823cdc9ec8962d94a78352b48210c79ef81d7d99dd1713e8f51f
Instruction ID: 88480e7f7e551c391a26326ce122d220a9eefc885560dc6ed21150e7f5ba8ef6
Opcode Fuzzy Hash: 55a34ad2a1bb823cdc9ec8962d94a78352b48210c79ef81d7d99dd1713e8f51f
Instruction Fuzzy Hash: 00712571A00209EFCB24DFA5C8D1AAEBBB1FF08314F10463AE545A3291D739A945CF99

Function 0040A62F Relevance: 3.1, APIs: 2, Instructions: 135COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040A634
??3@YAXPAX@Z.MSVCRT(?), ref: 0040A729

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: ??3@H_prolog
String ID:
API String ID: 1329742358-0
Opcode ID: 6656e43d2981dee3a96cb881ff7527404ad10ce0abe68b4cdaafc38c009261e5
Instruction ID: 956102545b91a7c0cba0a64d671320761176ea25dc816e9057e3d4af94f09eda
Opcode Fuzzy Hash: 6656e43d2981dee3a96cb881ff7527404ad10ce0abe68b4cdaafc38c009261e5
Instruction Fuzzy Hash: 0D411F32800204AFCB09DB65CD45EBE7B35EF50304B18883BF402B72E2D63E9E21965B

Function 0040112B Relevance: 3.0, APIs: 2, Instructions: 42COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: ??2@??3@
String ID:
API String ID: 1936579350-0
Opcode ID: 453a3e3f1ff100c9dcfb77a92201942aa697f3f866fb972755d4e05e551f17b9
Instruction ID: 063e94d8e06ff9613a5b681c15dc067c338ae4066a9753272274ce5f9f11bd0f
Opcode Fuzzy Hash: 453a3e3f1ff100c9dcfb77a92201942aa697f3f866fb972755d4e05e551f17b9
Instruction Fuzzy Hash: 71F0A476210612ABC334DF2DC581867B3E4EF88711710893FE6C7C72B1DA31A881C754

Function 004022B0 Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(?,00000000,?,00000024,004025DB,00000001,00000020,00402AB6,00000000,00000000,00000000,00000020), ref: 004022C0
??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000024,004025DB,00000001,00000020,00402AB6,00000000,00000000,00000000,00000020), ref: 004022E4

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: ??2@??3@
String ID:
API String ID: 1936579350-0
Opcode ID: 161b1d3c566106e9ad65e75d5d4507556b29aa609190ea75727e2c569a68f83b
Instruction ID: 09ebe67ff45b08f81c36141d9c2dc2e417a159b47c448e0a3757dda97e47d19e
Opcode Fuzzy Hash: 161b1d3c566106e9ad65e75d5d4507556b29aa609190ea75727e2c569a68f83b
Instruction Fuzzy Hash: 8CF030351046529FC330DF69C584853F7E4EB59715721887FE1D6D36A2C674A880CB64

Function 0040D9F0 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,?), ref: 0040DA0B
GetLastError.KERNEL32(?,?,?,?), ref: 0040DA19

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: d304dccc413f9fbc2375b0c992bb18d0fa27bc648f40137314f68655dcdcf89d
Instruction ID: d86f9e507f4e039952bd1031b0dc001be1b0661bb6f0ed5f18f0f7cd7a7605a3
Opcode Fuzzy Hash: d304dccc413f9fbc2375b0c992bb18d0fa27bc648f40137314f68655dcdcf89d
Instruction Fuzzy Hash: FCF0B2B8A04208FFCB04CFA8D8448AE7BB9EB49314B2085A9F815A7390D735DA04DF64

Function 0040ECED Relevance: 3.0, APIs: 2, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 0040ED05
_CxxThrowException.MSVCRT(?,00415010), ref: 0040ED28

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: AllocExceptionStringThrow
String ID:
API String ID: 3773818493-0
Opcode ID: 34848b6f66320e7823decd545e24a334e79eeaa2350f65fc9219e56b57dd4bad
Instruction ID: 896a1b371a95ab63a3f889c911e7bff8eb1facf706b7c8fcc1dab20228dace7a
Opcode Fuzzy Hash: 34848b6f66320e7823decd545e24a334e79eeaa2350f65fc9219e56b57dd4bad
Instruction Fuzzy Hash: CDE06D71600309ABDB10AF66D8419D67BE8EF00380B00C83FF948CA250E779E590C7D9

Function 0040E73A Relevance: 2.5, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 0040E745
LeaveCriticalSection.KERNEL32(?,?,?,?,?), ref: 0040E764

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 91dbafe27853da7d419d240d9f0ee1b362973845cd939a0bd3a75ec29d074311
Instruction ID: 086d926b78662e0ab04275255430a857868cdabe8091615e808f779c17768b54
Opcode Fuzzy Hash: 91dbafe27853da7d419d240d9f0ee1b362973845cd939a0bd3a75ec29d074311
Instruction Fuzzy Hash: 76F05436200214FBCB119F95DC08E9BBBB9FF49761F14842AF945E7260C771E821DBA4

Function 0040A7DE Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040A7E3

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e5321c9a15e7e390b560e3b31c2ad4413e862a9b2ae91dd544a8c0e33ade4a6e
Instruction ID: 39d544f4fee3d18347c8ea8d59cce7c7d4ef222c74644271f89bd24cd9d44c54
Opcode Fuzzy Hash: e5321c9a15e7e390b560e3b31c2ad4413e862a9b2ae91dd544a8c0e33ade4a6e
Instruction Fuzzy Hash: 4B2180316003099BCB14EFA5C945AAE73B5EF40344F14843EF806BB291DB38DD16CB1A

Function 0040120B Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 0040124F

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 5adc5d60a7dd4af011d60b8927d5fbfdd00464e259639d1fcd3b0c23b8927a9d
Instruction ID: 5817d5120c2da98d16edaa91ace5ca285f5b3ff1e58b2ffd557e42fef7bfdc6e
Opcode Fuzzy Hash: 5adc5d60a7dd4af011d60b8927d5fbfdd00464e259639d1fcd3b0c23b8927a9d
Instruction Fuzzy Hash: 66F05E72100201DBC720AF98C840BA777F5BB84314F04483EE583F2AA0D778B885CB59

Function 0040DA56 Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040D985: CloseHandle.KERNELBASE(00000001,000000FF,0040DA61,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50,00000000,00000001,00000001,00000080), ref: 0040D990

CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50), ref: 0040DA78

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID:
API String ID: 3498533004-0
Opcode ID: 08bceb1980caaee1328d4f84b7def86f7a2986f91a3075995b51455990be9560
Instruction ID: 040011ad7fb3de3f437c6c7e3ebc1dcda5640d8293b7e84d035d3e38099293ab
Opcode Fuzzy Hash: 08bceb1980caaee1328d4f84b7def86f7a2986f91a3075995b51455990be9560
Instruction Fuzzy Hash: A1E04F32140219ABCF215FA49C01BCA7B96AF09760F144526BE11A61E0C672D465AF94

Function 0040DB97 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,00000001,00000000,00000000,?,?,0040DD78,00000001,00000000,00000000,00413330,?,00404D94,?,?), ref: 0040DBBA

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3077b537328fed6cd21bdd98b87c61334e39a2b5a14a0e6e22fef2783c677b0b
Instruction ID: ec3d056ad33d5175d1bee219b94afd5900c8108b90431a53c6143dcb1d381838
Opcode Fuzzy Hash: 3077b537328fed6cd21bdd98b87c61334e39a2b5a14a0e6e22fef2783c677b0b
Instruction Fuzzy Hash: D7E0C275600208FBCB00CF95C801B9E7BBABB49755F10C069F918AA2A0D739AA10DF54

Function 0040653F Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_beginthreadex.MSVCRT ref: 00406552

Part of subcall function 00406501: GetLastError.KERNEL32(00406563,00000000), ref: 004064F5

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: ErrorLast_beginthreadex
String ID:
API String ID: 4034172046-0
Opcode ID: e5ca857e6cae9760b500a95e192be9ea992c298de85bf840c792a1269a380ec9
Instruction ID: fe95790bd269afcad05a26a3721163fc0b830ac61c9b3c5b6bbddf8a66cf2d64
Opcode Fuzzy Hash: e5ca857e6cae9760b500a95e192be9ea992c298de85bf840c792a1269a380ec9
Instruction Fuzzy Hash: 12D05EF6400208BFDF01DFE0DC05CAB3BADEB08204B004464FD05C2150E632DA108B60

Function 0040CC59 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040CC5E

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e8864bf39b3a1c941500cd6d38dedcba990c3b7db4eb5411aa9ab2a8414fad35
Instruction ID: 312fbe8762c42e8d4a239ae194adb86e93363bc1e5443e54fb58aca6058f63a2
Opcode Fuzzy Hash: e8864bf39b3a1c941500cd6d38dedcba990c3b7db4eb5411aa9ab2a8414fad35
Instruction Fuzzy Hash: 70D05EB2A04108FBE7109F85D946BEEFB78EB80399F10823FB506B1150D7BC5A0196AD

Function 0040DADC Relevance: 1.5, APIs: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,00000000,00000000), ref: 0040DAF2

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 05e1a1911e5ec75f7d6758f34865a5827037a9c860dec67033daab0b9cfe5943
Instruction ID: c05821c64f4412cbb188b0f884d423eaa3d686fb1c941f6ac6705c8b1bb703da
Opcode Fuzzy Hash: 05e1a1911e5ec75f7d6758f34865a5827037a9c860dec67033daab0b9cfe5943
Instruction Fuzzy Hash: 58E0EC75211208FFDB01CF90CD01FDE7BBDFB49755F208058E90596160C7759A10EB54

Function 0040DB6A Relevance: 1.5, APIs: 1, Instructions: 9timeCOMMON

Download Yara Rule

APIs

SetFileTime.KERNELBASE(?,?,?,?,0040DB94,00000000,00000000,?,0040123C,?), ref: 0040DB78

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: FileTime
String ID:
API String ID: 1425588814-0
Opcode ID: d3a1cd3220883f1d47adb6259c26a1719b9664e7d8bae69288c7dd66fbb4bdaa
Instruction ID: c6000770aa4fb4c72b4925fc402daec6625791e8065b7518697746b49206ca3e
Opcode Fuzzy Hash: d3a1cd3220883f1d47adb6259c26a1719b9664e7d8bae69288c7dd66fbb4bdaa
Instruction Fuzzy Hash: 40C04C3A199105FF8F020F70CD04C1ABBA2AB95722F10C918B199C4070CB328424EB02

Function 0040D89F Relevance: 1.3, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000060,?,?,00000000,?,0040D96E,00000000,?,00000000,00000000,000000FF,?,00000001,?,?,?), ref: 0040D91A

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: 8955cc1b29c93d01701bbb2481471dd0eaf8a49c35f18cc8a7d41221c9f85a6f
Instruction ID: 1ceb60bf2594cd826c4dcd58ac8a3e75a9726935558582f6c117c88f0dd7e0c4
Opcode Fuzzy Hash: 8955cc1b29c93d01701bbb2481471dd0eaf8a49c35f18cc8a7d41221c9f85a6f
Instruction Fuzzy Hash: 4A219372A042858FCF30FF91D98096B77A5AF50358320853FE093732C1DA38AD49D75A

Function 0040F42D Relevance: 1.3, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0040F446

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: ad693850b0beb581ae9f70f91648a78de6b85f526a16152dd36665cc48ec9015
Instruction ID: 8ccd5c106adaedd21fdabd868c2a091acccb285e2c6396e7c66228af9079aab7
Opcode Fuzzy Hash: ad693850b0beb581ae9f70f91648a78de6b85f526a16152dd36665cc48ec9015
Instruction Fuzzy Hash: 68E0ED311087008BEB74DA38A941F97B3DAAB14314F15893FE89AE7690EB74FC448A59

Function 00402F6C Relevance: 1.3, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000018,00000000,004044E9,?,?,?,?,?,?,?,?,?,?,00000000,00000020,?), ref: 00402F71

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: a7abc97568459436273e1f083447e626332fd1c69ee6784c82a7404474e7416c
Instruction ID: 194059228ff5733793a196764ebf5a0b63d959e09992ce12dff2d54d27d13516
Opcode Fuzzy Hash: a7abc97568459436273e1f083447e626332fd1c69ee6784c82a7404474e7416c
Instruction Fuzzy Hash: 67D0A9313083121ADA5432320A09AAF84848B503A0F10083FB800A32D1DCBE8C81A299

Function 0040D985 Relevance: 1.3, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000001,000000FF,0040DA61,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50,00000000,00000001,00000001,00000080), ref: 0040D990

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 5a1e794e604a6db35733be3680912b24c50de2529967425d082228c541f5af6f
Instruction ID: 71cfb53d0268b44c797f7400575dcc0518408263689e7c465582b3111ebcfb94
Opcode Fuzzy Hash: 5a1e794e604a6db35733be3680912b24c50de2529967425d082228c541f5af6f
Instruction Fuzzy Hash: 95D0127251422156CF646E7CB8849C277D85A06334335176AF0B4E32E4D3749DCB5698

Function 004024C4 Relevance: 1.3, APIs: 1, Instructions: 12memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,0040E4D6,00020000,00000000,?,00000000,?,0040D92B,?,?,00000000,?,0040D96E), ref: 004024E0

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 076169c5b403ddfe74b0b9752022086d8412a0b80d08fe31e2627fee67d73aef
Instruction ID: 23ad038ad5ccaf642d49e1102795c1c714580f299e31bec6e074b0e2bc220d86
Opcode Fuzzy Hash: 076169c5b403ddfe74b0b9752022086d8412a0b80d08fe31e2627fee67d73aef
Instruction Fuzzy Hash: D3C080301443007DED115F505E06B463A916B44717F508065F344540D0C7F484009509

Function 00401B1F Relevance: 1.3, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(00000000,00000000,00008000,0040E561,?,00000004,0040E5B0,?,?,004117E5,?), ref: 00401B2A

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 727c456c664ec040fae2a494910ef8e866b16c48e489126d85a402f0e100615f
Instruction ID: 5381ed20748db0b7fd93371e38984c83fa4171db9cf80dc6a42123bab5888d64
Opcode Fuzzy Hash: 727c456c664ec040fae2a494910ef8e866b16c48e489126d85a402f0e100615f
Instruction Fuzzy Hash: 45A002305446007ADE515B10DD05F457F516744B11F20C5547155540E586755654DA09

Function 0040F3FC Relevance: 1.3, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0040F400

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: d9246d09a93a321ccd45a7f77b4b3a05b9734a8e70a1dc2b954ba7e43b8076d7
Instruction ID: 7baee4be7330d58fba6a4d3e6254b3dabd4481adb37f3967e502ba2394f26960
Opcode Fuzzy Hash: d9246d09a93a321ccd45a7f77b4b3a05b9734a8e70a1dc2b954ba7e43b8076d7
Instruction Fuzzy Hash:

Non-executed Functions

Function 004034C1 Relevance: 37.0, APIs: 20, Strings: 1, Instructions: 290comCOMMON

Download Yara Rule

APIs

_wtol.MSVCRT ref: 004034E5
SHGetSpecialFolderPathW.SHELL32(00000000,?,CC5BE863,00000000,004177A0,00000000,00417794), ref: 00403588
??3@YAXPAX@Z.MSVCRT(?,?), ref: 004035F9
??3@YAXPAX@Z.MSVCRT(?,?,?), ref: 00403601
??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 00403609
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?), ref: 00403611
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?), ref: 00403619
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00403621
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403629
_wtol.MSVCRT ref: 0040367F
CoCreateInstance.OLE32(00414BF4,00000000,00000001,00414BE4,00404F9B,.lnk,?,0000005C), ref: 00403720
??3@YAXPAX@Z.MSVCRT(?,0000005C), ref: 004037B8
??3@YAXPAX@Z.MSVCRT(?,?,0000005C), ref: 004037C0
??3@YAXPAX@Z.MSVCRT(?,?,?,0000005C), ref: 004037C8
??3@YAXPAX@Z.MSVCRT(?,?,?,?,0000005C), ref: 004037D0
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,0000005C), ref: 004037D8
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,0000005C), ref: 004037E0
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,0000005C), ref: 004037E8
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,0000005C), ref: 004037EE
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,0000005C), ref: 004037F6

Strings

.lnk, xrefs: 004036FF

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: ??3@$_wtol$CreateFolderInstancePathSpecial
String ID: .lnk
API String ID: 408529070-24824748
Opcode ID: cb1a116a375c0276f3cc47ebae34f017b071fc5c88c5a353f484599fe5934efa
Instruction ID: c4a1d47ac56633071a1bd2db01059e5edb54ffe0bccc65637149caefe5d2277b
Opcode Fuzzy Hash: cb1a116a375c0276f3cc47ebae34f017b071fc5c88c5a353f484599fe5934efa
Instruction Fuzzy Hash: 8EA18A71910219ABDF04EFA1CC46DEEBB79EF44705F50442AF502B71A1EB79AA81CB18

Function 00401F9D Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 150stringCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
wsprintfW.USER32 ref: 00401FFD
GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
GetLastError.KERNEL32 ref: 00402017
??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
GetLastError.KERNEL32 ref: 0040204C
lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
??3@YAXPAX@Z.MSVCRT(00000020), ref: 0040208F
SetLastError.KERNEL32(00000000), ref: 00402098
lstrlenA.KERNEL32(00413FD0), ref: 004020CC
??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119
_wtol.MSVCRT ref: 0040212A
MultiByteToWideChar.KERNEL32(00000000,00413FD0,00000001,00000000,00000002), ref: 0040214A

Strings

7zSfxString%d, xrefs: 00401FF7
XpA, xrefs: 00401FB4
\3A, xrefs: 00401FDB

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: ErrorLast$??2@??3@EnvironmentVariable$ByteCharInfoLocaleMultiWide_wtollstrcmpilstrlenwsprintf
String ID: 7zSfxString%d$XpA$\3A
API String ID: 2117570002-3108448011
Opcode ID: 548ade176c921e3c89d1731ce67e310a71d7e7a73203bdbbb6ff14cd1b9bb65a
Instruction ID: 5c0681f152172bce6659d4e02be164ba9bb36eab7c70e8d4f1a0ed4420d73572
Opcode Fuzzy Hash: 548ade176c921e3c89d1731ce67e310a71d7e7a73203bdbbb6ff14cd1b9bb65a
Instruction Fuzzy Hash: 11518471604305AFDB209F74DD899DBBBB9EB08345B11407AF646E62E0E774AA44CB18

Function 00401BDF Relevance: 26.3, APIs: 11, Strings: 4, Instructions: 85libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00401BEA
FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401C07
FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401C1B
SizeofResource.KERNEL32(00000000,00000000), ref: 00401C2C
LoadResource.KERNEL32(00000000,00000000), ref: 00401C36
LockResource.KERNEL32(00000000), ref: 00401C41
LoadLibraryA.KERNEL32(kernel32,SetProcessPreferredUILanguages), ref: 00401C6D
GetProcAddress.KERNEL32(00000000), ref: 00401C76
wsprintfW.USER32 ref: 00401C95
LoadLibraryA.KERNEL32(kernel32,SetThreadPreferredUILanguages), ref: 00401CAA
GetProcAddress.KERNEL32(00000000), ref: 00401CAD

Strings

%04X%c%04X%c, xrefs: 00401C8F
kernel32, xrefs: 00401C5D, 00401C62, 00401CA9
SetProcessPreferredUILanguages, xrefs: 00401C58
SetThreadPreferredUILanguages, xrefs: 00401CA4

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: Resource$Load$AddressFindLibraryProc$HandleLockModuleSizeofwsprintf
String ID: %04X%c%04X%c$SetProcessPreferredUILanguages$SetThreadPreferredUILanguages$kernel32
API String ID: 2639302590-365843014
Opcode ID: a5d0d847a20e007311d4afefc35bdd0d1043cb70ace8406c3a5a944bd10805b9
Instruction ID: 1b367ad183524107b1556f539f271e2bfa11f4d2ebd4ebc35158efee647c5c94
Opcode Fuzzy Hash: a5d0d847a20e007311d4afefc35bdd0d1043cb70ace8406c3a5a944bd10805b9
Instruction Fuzzy Hash: 002153B1944318BBDB109FA59D48F9B7FBCEB48751F118036FA05B72D1D678DA008BA8

Function 00407776 Relevance: 16.6, APIs: 11, Instructions: 96stringwindowCOMMON

Download Yara Rule

APIs

wvsprintfW.USER32(?,00000000,?), ref: 0040779A
GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: FormatMessagelstrcpylstrlen$??2@??3@ErrorFreeLastLocalwvsprintf
String ID:
API String ID: 829399097-0
Opcode ID: a8862aa27d5a6cc2b1ba12d709e13e5df444902fd3bed4afc67f02113c073308
Instruction ID: 98041b7e574f1f1c61a73cce3db0a13ad597614178cae5aaf21d0c5f67190c53
Opcode Fuzzy Hash: a8862aa27d5a6cc2b1ba12d709e13e5df444902fd3bed4afc67f02113c073308
Instruction Fuzzy Hash: 85218172804209BEDF14AFA0DC85CEB7BACEB04355B10847BF506A7150EB34EE848BA4

Function 00402B79 Relevance: 16.6, APIs: 11, Instructions: 90filestringCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,00413454,?,?,?,00000000), ref: 00402BA8
lstrcmpW.KERNEL32(?,00413450,?,0000005C,?,?,?,00000000), ref: 00402BFB
lstrcmpW.KERNEL32(?,00413448,?,?,00000000), ref: 00402C11
SetFileAttributesW.KERNEL32(?,00000000,?,0000005C,?,?,?,00000000), ref: 00402C27
DeleteFileW.KERNEL32(?,?,?,00000000), ref: 00402C2E
FindNextFileW.KERNEL32(00000000,00000010,?,?,00000000), ref: 00402C40
FindClose.KERNEL32(00000000,?,?,00000000), ref: 00402C4F
SetFileAttributesW.KERNEL32(?,00000000,?,?,00000000), ref: 00402C5A
RemoveDirectoryW.KERNEL32(?,?,?,00000000), ref: 00402C63
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402C6E
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402C79

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: File$Find$??3@Attributeslstrcmp$CloseDeleteDirectoryFirstNextRemove
String ID:
API String ID: 1862581289-0
Opcode ID: 3adc14f40e23b1cdad4e4199877390cf68653eec517b691feb080405b1435fa2
Instruction ID: 7ffcf375551190f92b7aba4ef5ef3cd4ed0286f9dec59b0789af02bc25bdcc12
Opcode Fuzzy Hash: 3adc14f40e23b1cdad4e4199877390cf68653eec517b691feb080405b1435fa2
Instruction Fuzzy Hash: A321A230500209BAEB10AF61DE4CFBF7B7C9B0470AF14417AB505B11E0EB78DB459A6C

Function 00406D5D Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(uxtheme,?,00407F57,000004B1,00000000,?,?,?,?,?,0040803E), ref: 00406D65
GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 00406D76
GetWindow.USER32(?,00000005), ref: 00406D8F
GetWindow.USER32(00000000,00000002), ref: 00406DA5

Strings

SetWindowTheme, xrefs: 00406D70
uxtheme, xrefs: 00406D5E
\EA, xrefs: 00406D98

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: Window$AddressLibraryLoadProc
String ID: SetWindowTheme$\EA$uxtheme
API String ID: 324724604-1613512829
Opcode ID: 249f97bdfab0f17876e9996a58034084f131abf1d363e9cca7f48feb82d9f298
Instruction ID: f2e0bdee1e376373ef12be0a37c87caa708c4cf78f5ebad58458586032015049
Opcode Fuzzy Hash: 249f97bdfab0f17876e9996a58034084f131abf1d363e9cca7f48feb82d9f298
Instruction Fuzzy Hash: 47F0A73274172537C6312A6A6C4CF9B6B9C9FC6B51B070176B905F7280DA6CCD0045BC

Function 0041022D Relevance: .5, Instructions: 501COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff1f75169f88eb9072603f867e1b9c380318d13f71256e892471df4b1a5f26b0
Instruction ID: 2cf66fefa79674a345482580870fbecf2b771b639b37e27eb1fc897e4fc9b441
Opcode Fuzzy Hash: ff1f75169f88eb9072603f867e1b9c380318d13f71256e892471df4b1a5f26b0
Instruction Fuzzy Hash: 44126E31E00129DFDF08CF68C6945ECBBB2EF85345F2585AAD856AB280D6749EC1DF84

Function 0041206B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e2407533f79ef22d8e6d794d98aef535f9904e2ced6ea7e6753812806be966d
Instruction ID: 8743f1180a29be23716da9caa70fae7f7856ace610ba4dfa2102d12747f13ae8
Opcode Fuzzy Hash: 6e2407533f79ef22d8e6d794d98aef535f9904e2ced6ea7e6753812806be966d
Instruction Fuzzy Hash: D12129725104255BC711DF1DE8887B7B3E1FFC4319F678A36DA81CB281C629D894C6A0

Function 00411F91 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
Instruction ID: 7cc7f0f00d3fdf34bc0739e2af2c3edfb6ca911da6c9eaecf720caf4c907201e
Opcode Fuzzy Hash: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
Instruction Fuzzy Hash: 0621F53290062587CB12CE6EE4845A7F392FBC436AF134727EE84A3291C62CA855C6A0

Function 0040D72E Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde32e57196543c58229ec3a92fed9e80e5316f67d8377c6540d091cf30b3fc0
Instruction ID: 0032c0c3dd355d3b1328166acc4be040b7821e5e83bc1fe28c274bced218c28f
Opcode Fuzzy Hash: dde32e57196543c58229ec3a92fed9e80e5316f67d8377c6540d091cf30b3fc0
Instruction Fuzzy Hash: 4EF074B5A05209EFCB09CFA9C49199EFBF5FF48304B1084A9E819E7350E731AA11CF50

Function 00404AFF Relevance: 36.9, APIs: 14, Strings: 7, Instructions: 144fileCOMMON

Download Yara Rule

APIs

GetDriveTypeW.KERNEL32(?,?,?), ref: 00404B46
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404B77
WriteFile.KERNEL32(004177C4,?,?,00406437,00000000,del ",:Repeat,00000000), ref: 00404C2C
??3@YAXPAX@Z.MSVCRT(?), ref: 00404C37
CloseHandle.KERNEL32(004177C4), ref: 00404C40
SetFileAttributesW.KERNEL32(00406437,00000000), ref: 00404C57
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00404C69
??3@YAXPAX@Z.MSVCRT(?), ref: 00404C72
??3@YAXPAX@Z.MSVCRT(?), ref: 00404C7E
??3@YAXPAX@Z.MSVCRT(00406437,?), ref: 00404C84
??3@YAXPAX@Z.MSVCRT(00406437,?,?,?,?,?,?,?,?,?,?,?,?,?,00406437,004177C4), ref: 00404CB2

Strings

open, xrefs: 00404C63
:Repeat, xrefs: 00404B92
7ZSfx%03x.cmd, xrefs: 00404B58
if exist ", xrefs: 00404BC7
del ", xrefs: 00404B9F, 00404BA4, 00404BED
", xrefs: 00404BB9, 00404BBE, 00404C02
" goto Repeat, xrefs: 00404BE0

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: ??3@$File$AttributesCloseCreateDriveExecuteHandleShellTypeWrite
String ID: "$" goto Repeat$7ZSfx%03x.cmd$:Repeat$del "$if exist "$open
API String ID: 3007203151-3467708659
Opcode ID: 867eebb51e1b750364ee620a5f1ec15cba4384e9a655442323ea2c3f34152715
Instruction ID: 7a4c4b622d76ac6c1822c64a370ea4e05d699ec4102568342bfcf68b8c9639ad
Opcode Fuzzy Hash: 867eebb51e1b750364ee620a5f1ec15cba4384e9a655442323ea2c3f34152715
Instruction Fuzzy Hash: DE416171D01119BADB00EBA5ED85DEEBB78EF44358F50803AF511720E1EB78AE85CB58

Function 00404603 Relevance: 35.2, APIs: 3, Strings: 17, Instructions: 207stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(00000000,0041442C,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004046DF

Part of subcall function 00401F9D: GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
Part of subcall function 00401F9D: wsprintfW.USER32 ref: 00401FFD
Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 00402017
Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 0040204C
Part of subcall function 00401F9D: lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
Part of subcall function 00401F9D: SetLastError.KERNEL32(00000000), ref: 00402098
Part of subcall function 00401F9D: lstrlenA.KERNEL32(00413FD0), ref: 004020CC
Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
Part of subcall function 00401F9D: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119

_wtol.MSVCRT ref: 004047DC
_wtol.MSVCRT ref: 004047F8

Strings

CancelPrompt, xrefs: 00404831
GUIFlags, xrefs: 0040473E, 00404743, 0040475F
ExtractPathTitle, xrefs: 00404801
GUIMode, xrefs: 004046F4
ExtractPathWidth, xrefs: 004047E5
ErrorTitle, xrefs: 0040467F
ExtractPathText, xrefs: 00404819
WarningTitle, xrefs: 00404697
Title, xrefs: 00404611
|wA, xrefs: 0040464B
OverwriteMode, xrefs: 00404721
ExtractTitle, xrefs: 004046AF
Progress, xrefs: 004046C7
ExtractCancelText, xrefs: 004047A1
ExtractDialogWidth, xrefs: 004047BE
ExtractDialogText, xrefs: 004047AD
MiscFlags, xrefs: 00404771, 00404776, 00404792

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: ErrorLast$??2@EnvironmentVariable_wtollstrcmpi$??3@InfoLocalelstrlenwsprintf
String ID: CancelPrompt$ErrorTitle$ExtractCancelText$ExtractDialogText$ExtractDialogWidth$ExtractPathText$ExtractPathTitle$ExtractPathWidth$ExtractTitle$GUIFlags$GUIMode$MiscFlags$OverwriteMode$Progress$Title$WarningTitle$|wA
API String ID: 2725485552-3187639848
Opcode ID: 7a70c90a09e6339ceb99db9b5511794fba0efbdd365b8bdd8dc3dc4b6a1705ac
Instruction ID: a5d789275b7dd46d140941e9fd319bf554fc7ea6ad5da08365fcb0f0a182a74d
Opcode Fuzzy Hash: 7a70c90a09e6339ceb99db9b5511794fba0efbdd365b8bdd8dc3dc4b6a1705ac
Instruction Fuzzy Hash: 4251B5F1A402047EDB10BB619D86EFF36ACDA85308B64443BF904F32C1E6BC5E854A6D

Function 00402DC0 Relevance: 35.1, APIs: 16, Strings: 4, Instructions: 123windowlibrarystringCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000040), ref: 00402DD3
lstrcmpiA.KERNEL32(?,STATIC), ref: 00402DE6
GetWindowLongW.USER32(?,000000F0), ref: 00402DF3

Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB

Part of subcall function 00401A85: CharUpperW.USER32(?,74DEE0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
Part of subcall function 00401A85: CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF

??3@YAXPAX@Z.MSVCRT(?), ref: 00402E20
GetParent.USER32(?), ref: 00402E2E
LoadLibraryA.KERNEL32(riched20), ref: 00402E42
GetMenu.USER32(?), ref: 00402E55
SetThreadLocale.KERNEL32(00000419), ref: 00402E62
CreateWindowExW.USER32(00000000,RichEdit20W,0041335C,50000804,?,?,?,?,?,00000000,00000000,00000000), ref: 00402E92
DestroyWindow.USER32(?), ref: 00402EA3
SendMessageW.USER32(00000000,00000459,00000022,00000000), ref: 00402EB8
GetSysColor.USER32(0000000F), ref: 00402EBC
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00402ECA
SendMessageW.USER32(00000000,00000461,?,?), ref: 00402EF5
??3@YAXPAX@Z.MSVCRT(?), ref: 00402EFA
??3@YAXPAX@Z.MSVCRT(?,?), ref: 00402F02

Strings

{\rtf, xrefs: 00402E09
STATIC, xrefs: 00402DDD
RichEdit20W, xrefs: 00402E8C
riched20, xrefs: 00402E3D

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: Window$??3@MessageSend$CharTextUpper$ClassColorCreateDestroyLengthLibraryLoadLocaleLongMenuNameParentThreadlstrcmpi
String ID: RichEdit20W$STATIC$riched20${\rtf
API String ID: 1731037045-2281146334
Opcode ID: 2b38b22499d69b5ca28c01525db5cb238b78fd2564d1ef548c56061806c72a13
Instruction ID: c7c9ca1f65d7473fe19c29f8272bdbb18bb8b251efb89c9ee4785ec66c96c850
Opcode Fuzzy Hash: 2b38b22499d69b5ca28c01525db5cb238b78fd2564d1ef548c56061806c72a13
Instruction Fuzzy Hash: FE316072A40119BFDB01AFA5DD49DEF7BBCEF08745F104036F601B21D1DA789A008B68

Function 00401CC8 Relevance: 31.6, APIs: 21, Instructions: 121windowCOMMON

Download Yara Rule

APIs

GetWindowDC.USER32(00000000), ref: 00401CD4
GetDeviceCaps.GDI32(00000000,00000058), ref: 00401CE0
MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401CF9
GetObjectW.GDI32(?,00000018,?), ref: 00401D28
MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D33
MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D3D
CreateCompatibleDC.GDI32(?), ref: 00401D4B
CreateCompatibleDC.GDI32(?), ref: 00401D52
SelectObject.GDI32(00000000,?), ref: 00401D60
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401D6E
SelectObject.GDI32(00000000,00000000), ref: 00401D76
SetStretchBltMode.GDI32(00000000,00000004), ref: 00401D7E
StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401D9D
GetCurrentObject.GDI32(00000000,00000007), ref: 00401DA6
SelectObject.GDI32(00000000,?), ref: 00401DB3
SelectObject.GDI32(00000000,?), ref: 00401DB9
DeleteDC.GDI32(00000000), ref: 00401DC2
DeleteDC.GDI32(00000000), ref: 00401DC5
ReleaseDC.USER32(00000000,?), ref: 00401DCC
ReleaseDC.USER32(00000000,?), ref: 00401DDB
CopyImage.USER32(?,00000000,00000000,00000000,00000000), ref: 00401DE8

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: Object$Select$CompatibleCreate$DeleteReleaseStretch$BitmapCapsCopyCurrentDeviceImageModeWindow
String ID:
API String ID: 3462224810-0
Opcode ID: edcdae41b00ef410d3e7ba3ed19d3c131e86ad83f2f2f2d47359cb6bb3a71bdf
Instruction ID: 24730f8ff9b6a3f8d7f0600a39c6f646a54ca28d21b12e05547a6914d757f366
Opcode Fuzzy Hash: edcdae41b00ef410d3e7ba3ed19d3c131e86ad83f2f2f2d47359cb6bb3a71bdf
Instruction Fuzzy Hash: 00313976D00208BBDF215FA19C48EEFBFBDEB48752F108066F604B21A0C6758A50EB64

Function 00401DF3 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 120windowcommemoryCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000040), ref: 00401E05
lstrcmpiA.KERNEL32(?,STATIC), ref: 00401E1C
GetWindowLongW.USER32(?,000000F0), ref: 00401E2F
GetMenu.USER32(?), ref: 00401E44

Part of subcall function 00401BDF: GetModuleHandleW.KERNEL32(00000000), ref: 00401BEA
Part of subcall function 00401BDF: FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401C07
Part of subcall function 00401BDF: FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401C1B
Part of subcall function 00401BDF: SizeofResource.KERNEL32(00000000,00000000), ref: 00401C2C
Part of subcall function 00401BDF: LoadResource.KERNEL32(00000000,00000000), ref: 00401C36
Part of subcall function 00401BDF: LockResource.KERNEL32(00000000), ref: 00401C41

GlobalAlloc.KERNEL32(00000040,00000010), ref: 00401E76
memcpy.MSVCRT(00000000,00000000,00000010), ref: 00401E83
CoInitialize.OLE32(00000000), ref: 00401E8C
CreateStreamOnHGlobal.OLE32(00000000,00000000,?), ref: 00401E98
OleLoadPicture.OLEAUT32(?,00000000,00000000,00414C14,?), ref: 00401EBD
GlobalFree.KERNEL32(00000000), ref: 00401ECD

Part of subcall function 00401CC8: GetWindowDC.USER32(00000000), ref: 00401CD4
Part of subcall function 00401CC8: GetDeviceCaps.GDI32(00000000,00000058), ref: 00401CE0
Part of subcall function 00401CC8: MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401CF9
Part of subcall function 00401CC8: GetObjectW.GDI32(?,00000018,?), ref: 00401D28
Part of subcall function 00401CC8: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D33
Part of subcall function 00401CC8: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D3D
Part of subcall function 00401CC8: CreateCompatibleDC.GDI32(?), ref: 00401D4B
Part of subcall function 00401CC8: CreateCompatibleDC.GDI32(?), ref: 00401D52
Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401D60
Part of subcall function 00401CC8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401D6E
Part of subcall function 00401CC8: SelectObject.GDI32(00000000,00000000), ref: 00401D76
Part of subcall function 00401CC8: SetStretchBltMode.GDI32(00000000,00000004), ref: 00401D7E
Part of subcall function 00401CC8: StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401D9D
Part of subcall function 00401CC8: GetCurrentObject.GDI32(00000000,00000007), ref: 00401DA6
Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401DB3
Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401DB9
Part of subcall function 00401CC8: DeleteDC.GDI32(00000000), ref: 00401DC2
Part of subcall function 00401CC8: DeleteDC.GDI32(00000000), ref: 00401DC5
Part of subcall function 00401CC8: ReleaseDC.USER32(00000000,?), ref: 00401DCC

GetObjectW.GDI32(00000000,00000018,?), ref: 00401EFF
SetWindowPos.USER32(00000010,00000000,00000000,00000000,?,?,00000006), ref: 00401F13
SendMessageW.USER32(00000010,00000172,00000000,?), ref: 00401F25
GlobalFree.KERNEL32(00000000), ref: 00401F3A

Strings

IMAGES, xrefs: 00401E4E
STATIC, xrefs: 00401E13

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: Object$Resource$CreateGlobalSelect$CompatibleWindow$DeleteFindFreeLoadStretch$AllocBitmapCapsClassCurrentDeviceHandleInitializeLockLongMenuMessageModeModuleNamePictureReleaseSendSizeofStreamlstrcmpimemcpy
String ID: IMAGES$STATIC
API String ID: 4202116410-1168396491
Opcode ID: 352b3c5e08a174ec4a3ffb4ca519ce1611b0b6cc4168eadb64d38ca8f457be46
Instruction ID: 08c73d75f8249df6a552952f3d33af28cabbedea74541c6d0cfd8ce2793c0c4e
Opcode Fuzzy Hash: 352b3c5e08a174ec4a3ffb4ca519ce1611b0b6cc4168eadb64d38ca8f457be46
Instruction Fuzzy Hash: C7417C71A00218BFCB11DFA1DC49DEEBF7DEF08742B008076FA05A61A0DB758A41DB68

Function 0040813D Relevance: 27.1, APIs: 18, Instructions: 147windowcomtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950

GetDlgItem.USER32(?,000004B8), ref: 0040816A
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00408179
GetDlgItem.USER32(?,000004B5), ref: 004081C0
GetWindowLongW.USER32(00000000,000000F0), ref: 004081C5
GetDlgItem.USER32(?,000004B5), ref: 004081D5
SetWindowLongW.USER32(00000000), ref: 004081D8
GetSystemMenu.USER32(?,00000000,000004B4,00000000), ref: 004081FE
EnableMenuItem.USER32(00000000,0000F060,00000001), ref: 00408210
GetDlgItem.USER32(?,000004B4), ref: 0040821A
SetFocus.USER32(00000000), ref: 0040821D
SetTimer.USER32(?,00000001,00000000,00000000), ref: 0040824C
CoCreateInstance.OLE32(00414C34,00000000,00000001,00414808,00000000), ref: 00408277
GetDlgItem.USER32(?,00000002), ref: 00408294
IsWindow.USER32(00000000), ref: 00408297
GetDlgItem.USER32(?,00000002), ref: 004082A7
EnableWindow.USER32(00000000), ref: 004082AA
GetDlgItem.USER32(?,000004B5), ref: 004082BE
ShowWindow.USER32(00000000), ref: 004082C1

Part of subcall function 00407134: GetDlgItem.USER32(?,000004B6), ref: 00407142

Part of subcall function 00407B33: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00407B6D
Part of subcall function 00407B33: GetDlgItem.USER32(?,000004B8), ref: 00407B8B
Part of subcall function 00407B33: SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00407B9D
Part of subcall function 00407B33: wsprintfW.USER32 ref: 00407BBB
Part of subcall function 00407B33: ??3@YAXPAX@Z.MSVCRT(?), ref: 00407C53

Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
Part of subcall function 00407D06: LoadIconW.USER32(00000000), ref: 00407D33
Part of subcall function 00407D06: GetSystemMetrics.USER32(00000032), ref: 00407D43
Part of subcall function 00407D06: GetSystemMetrics.USER32(00000031), ref: 00407D48
Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
Part of subcall function 00407D06: LoadImageW.USER32(00000000), ref: 00407D54
Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E76
Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E92

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: Item$Window$MessageSend$System$EnableHandleLoadLongMenuMetricsModuleShow$??3@CreateFocusIconImageInstanceTimerUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
String ID:
API String ID: 855516470-0
Opcode ID: f96aa9b93e1fd9714dbcbc8c2c582c1e46f74a713c41b2300bd45d2dcf84ac32
Instruction ID: 3ce0214ef3d03b0ee840dd4ab9c121ae631e901bc0d6870238ad5b6e85178a64
Opcode Fuzzy Hash: f96aa9b93e1fd9714dbcbc8c2c582c1e46f74a713c41b2300bd45d2dcf84ac32
Instruction Fuzzy Hash: 014174B0644748ABDA206F65DD49F5B7BADEB40B05F00847DF552A62E1CB79B800CA1C

Function 00403093 Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 244stringCOMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,hAA,00000000), ref: 004030F6
??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,hAA,00000000), ref: 004030FE
strncmp.MSVCRT ref: 004031F1
??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 00403255
lstrcmpW.KERNEL32(?,SetEnvironment,00000000), ref: 00403273
??3@YAXPAX@Z.MSVCRT(0040414C,?), ref: 00403347

Strings

{\rtf, xrefs: 004031D6, 004031EB
SetEnvironment, xrefs: 0040326B
GUIFlags, xrefs: 004032B2
hAA, xrefs: 0040309E
MiscFlags, xrefs: 004032C0

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: ??3@$lstrcmpstrncmp
String ID: GUIFlags$MiscFlags$SetEnvironment$hAA${\rtf
API String ID: 2881732429-172299233
Opcode ID: 436b0b5fdcd0fc7850317bda0c1040a654aafe726af0558e82b6743448b11ef5
Instruction ID: da55d09168dcf28f6e950782b6654b171f18f9ca5632fa18d2c46afc5d57570a
Opcode Fuzzy Hash: 436b0b5fdcd0fc7850317bda0c1040a654aafe726af0558e82b6743448b11ef5
Instruction Fuzzy Hash: 23819D31900218ABDF11DFA1CD55BEE7B78AF14305F1040ABE8017B2E6DB78AB05DB59

Function 00406A47 Relevance: 24.3, APIs: 16, Instructions: 270COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000004B3), ref: 00406A69
GetWindowLongW.USER32(00000000,000000F0), ref: 00406A6E
GetDlgItem.USER32(?,000004B4), ref: 00406AA5
GetWindowLongW.USER32(00000000,000000F0), ref: 00406AAA
GetSystemMetrics.USER32(00000010), ref: 00406B0B
GetSystemMetrics.USER32(00000011), ref: 00406B11
GetSystemMetrics.USER32(00000008), ref: 00406B18
GetSystemMetrics.USER32(00000007), ref: 00406B1F
GetParent.USER32(?), ref: 00406B43
GetClientRect.USER32(00000000,?), ref: 00406B55
ClientToScreen.USER32(?,?), ref: 00406B68
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00406BCE
GetClientRect.USER32(?,?), ref: 00406C55
ClientToScreen.USER32(?,?), ref: 00406B71

Part of subcall function 0040690F: GetDlgItem.USER32(?,?), ref: 0040691B

GetSystemMetrics.USER32(00000008), ref: 00406CD6
GetSystemMetrics.USER32(00000007), ref: 00406CDD

Part of subcall function 00406A18: GetDlgItem.USER32(?,?), ref: 00406A36
Part of subcall function 00406A18: SetWindowPos.USER32(00000000), ref: 00406A3D

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: MetricsSystem$ClientItemWindow$LongRectScreen$Parent
String ID:
API String ID: 747815384-0
Opcode ID: bdc5cc6ef77edd437f37f749138dc65a224d6988716d71e8386f1ae5cf91717f
Instruction ID: 701d8c843d4ec3579feae24e97f284edc15b0bac0439a5efdbaa5111af673c9b
Opcode Fuzzy Hash: bdc5cc6ef77edd437f37f749138dc65a224d6988716d71e8386f1ae5cf91717f
Instruction Fuzzy Hash: 7B912D71A00209AFDB14DFB9CD85AEEB7F9EF48704F148529E642F6290D778E9008B64

Function 00407D06 Relevance: 22.7, APIs: 15, Instructions: 231windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
LoadIconW.USER32(00000000), ref: 00407D33
GetSystemMetrics.USER32(00000032), ref: 00407D43
GetSystemMetrics.USER32(00000031), ref: 00407D48
GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
LoadImageW.USER32(00000000), ref: 00407D54
SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
GetWindow.USER32(?,00000005), ref: 00407E76
GetWindow.USER32(?,00000005), ref: 00407E92
GetWindow.USER32(?,00000005), ref: 00407EAA
GetModuleHandleW.KERNEL32(00000000,00000065,000004B4,00000000,000004B3,00000000,000004B2,?,000004B7,?,?,?,?,?,0040803E), ref: 00407F0A
LoadIconW.USER32(00000000), ref: 00407F0D
GetDlgItem.USER32(?,000004B1), ref: 00407F28
SendMessageW.USER32(00000000), ref: 00407F2F

Part of subcall function 0040725A: GetDlgItem.USER32(?,?), ref: 00407264
Part of subcall function 0040725A: GetWindowTextLengthW.USER32(00000000), ref: 0040726B

Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: Window$HandleItemLoadMessageModuleSend$IconMetricsSystem$ImageLengthShowText
String ID:
API String ID: 1889686859-0
Opcode ID: 54e99e0b53345dbf389ae49fdb6e6d7c6227533794aadf34278c182137d853b4
Instruction ID: b6a50195b8a608de49edc5b96f3e83ee8a9b90890169e94b1220211b89b9884f
Opcode Fuzzy Hash: 54e99e0b53345dbf389ae49fdb6e6d7c6227533794aadf34278c182137d853b4
Instruction Fuzzy Hash: E861D47064C7096AE9257B61DC4AF3B3699AB40B05F10447FF642B92D2DBBCBC0056AF

Function 00406F37 Relevance: 16.6, APIs: 11, Instructions: 87windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00406F45
GetWindowLongW.USER32(00000000), ref: 00406F4C
DefWindowProcW.USER32(?,?,?,?), ref: 00406F62
CallWindowProcW.USER32(?,?,?,?,?), ref: 00406F7F
GetSystemMetrics.USER32(00000031), ref: 00406F91
GetSystemMetrics.USER32(00000032), ref: 00406F98
GetWindowDC.USER32(?), ref: 00406FAA
GetWindowRect.USER32(?,?), ref: 00406FB7
DrawIconEx.USER32(00000000,?,?,?,?,?,00000000,00000000,00000003), ref: 00406FEB
ReleaseDC.USER32(?,00000000), ref: 00406FF3

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: Window$MetricsProcSystem$CallDrawIconLongParentRectRelease
String ID:
API String ID: 2586545124-0
Opcode ID: 25d202db14ae47cc7765131eef640a3ba3c2163a3dcc7105130798770ded3a1b
Instruction ID: b1ff7c23223d170b9333fa97acec74f2c9230ee3eabfe87d0be763292bfdf634
Opcode Fuzzy Hash: 25d202db14ae47cc7765131eef640a3ba3c2163a3dcc7105130798770ded3a1b
Instruction Fuzzy Hash: 8E210C7650021ABFCF01AFA8DD48DDF7F69FB08351F008565FA15E21A0C775EA209B64

Function 0040677A Relevance: 13.5, APIs: 9, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000004B3), ref: 0040678E
SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004067A1
GetDlgItem.USER32(?,000004B4), ref: 004067AB
SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004067B3
SendMessageW.USER32(?,00000401,?,00000000), ref: 004067C3
GetDlgItem.USER32(?,?), ref: 004067CC
SendMessageW.USER32(00000000,000000F4,00000001,00000001), ref: 004067D4
GetDlgItem.USER32(?,?), ref: 004067DD
SetFocus.USER32(00000000,?,000004B4,74DF0E50,00407E06,000004B4,000004B3,00000000,000004B4,00000000,000004B2,?,000004B7), ref: 004067E0

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: ItemMessageSend$Focus
String ID:
API String ID: 3946207451-0
Opcode ID: ad16f172208785dca513fa64c118104ef693669a3ac6e088fd96c23032a45483
Instruction ID: e7a8c5b21de344c7c4c5496bf688f1d5cc3ba414acf11b32f4788b893cc62525
Opcode Fuzzy Hash: ad16f172208785dca513fa64c118104ef693669a3ac6e088fd96c23032a45483
Instruction Fuzzy Hash: 6FF04F712403087BEA212B61DD86F5BBA6EEF81B45F018425F340650F0CBF7EC109A28

Function 0040C3D8 Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 480COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,?,?,00000000), ref: 0040C603

Strings

IA, xrefs: 0040C4C6
IA, xrefs: 0040C4AF
IA, xrefs: 0040C66E
IA, xrefs: 0040C4D9
IA, xrefs: 0040C74D
IA, xrefs: 0040C65E

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: ??3@
String ID: IA$IA$IA$IA$IA$IA
API String ID: 613200358-3743982587
Opcode ID: 6e54149e8c3d77333b16b378dc95c38791a09178c73359331ff936fd258cd747
Instruction ID: 4cebfcab61734def35128a955d6a3e34031d8899c11ca8f9bd2aeb72941b6852
Opcode Fuzzy Hash: 6e54149e8c3d77333b16b378dc95c38791a09178c73359331ff936fd258cd747
Instruction Fuzzy Hash: D2221671900248DFCB24EF65C8D09EEBBB5FF48304F50852EE91AA7291DB38A945CF58

Function 004083B6 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 196COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,00417788,00000000,SetEnvironment), ref: 00408479

Strings

HelpText, xrefs: 00408598
FinishMessage, xrefs: 00408417, 00408433
SetEnvironment, xrefs: 004083BC
ErrorTitle, xrefs: 00408511
BeginPrompt, xrefs: 004084A4, 004084A9
WarningTitle, xrefs: 0040853A

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: ??3@
String ID: BeginPrompt$ErrorTitle$FinishMessage$HelpText$SetEnvironment$WarningTitle
API String ID: 613200358-994561823
Opcode ID: 971dcdd12a827a4034ed94f9ba1d623efd1f14b2bcca4d73e06b44b648e667ed
Instruction ID: 5566f9f9667118f06bc812855c9affabb63102f3a10b3971892d5eca1131561f
Opcode Fuzzy Hash: 971dcdd12a827a4034ed94f9ba1d623efd1f14b2bcca4d73e06b44b648e667ed
Instruction Fuzzy Hash: CA51D47080420AAACF24AB559E85AFB7774EB20348F54443FF881722E1EF7D5D82D64E

Function 00406DB2 Relevance: 12.1, APIs: 8, Instructions: 69COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,00417410,00000160), ref: 00406DD1
SystemParametersInfoW.USER32(00000029,00000000,?,00000000), ref: 00406DF0
GetDC.USER32(00000000), ref: 00406DFB
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00406E07
MulDiv.KERNEL32(?,00000048,00000000), ref: 00406E16
ReleaseDC.USER32(00000000,?), ref: 00406E24
GetModuleHandleW.KERNEL32(00000000), ref: 00406E4C
DialogBoxIndirectParamW.USER32(00000000,?,?,Function_0000667A), ref: 00406E81

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: CapsDeviceDialogHandleIndirectInfoModuleParamParametersReleaseSystemmemcpy
String ID:
API String ID: 2693764856-0
Opcode ID: e70a94c77e8458ae7b0f85d98e5dff18e09bef3a98047e8bed90a0db42bf0d7e
Instruction ID: b2c1943609947f3a034a1f42a4fd453b3666a2b5c4d4ccfd9a1c2059c5c1cb6f
Opcode Fuzzy Hash: e70a94c77e8458ae7b0f85d98e5dff18e09bef3a98047e8bed90a0db42bf0d7e
Instruction Fuzzy Hash: C32184B5500218BFDB215F61DC45EEB7B7CFB08746F0040B6F609A1190D7748E948B65

Function 0040695E Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 0040696E
GetSystemMetrics.USER32(0000000B), ref: 0040698A
GetSystemMetrics.USER32(0000003D), ref: 00406993
GetSystemMetrics.USER32(0000003E), ref: 0040699B
SelectObject.GDI32(?,?), ref: 004069B8
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 004069D3
SelectObject.GDI32(?,?), ref: 004069F9
ReleaseDC.USER32(?,?), ref: 00406A08

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: MetricsSystem$ObjectSelect$DrawReleaseText
String ID:
API String ID: 2466489532-0
Opcode ID: 3371c90df87af61a96ab0a4f5adfc31794890a389d4733c3cd0e84d47817aa4d
Instruction ID: 7c755332e1b278278a0584394201b19561512224090c74d51841a9ad660c27ee
Opcode Fuzzy Hash: 3371c90df87af61a96ab0a4f5adfc31794890a389d4733c3cd0e84d47817aa4d
Instruction Fuzzy Hash: 6B216871900209EFCB119F65DD84A8EBFF4EF08321F10C46AE559A72A0C7359A50DF40

Function 00407B33 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102windowCOMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00407B6D
GetDlgItem.USER32(?,000004B8), ref: 00407B8B
SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00407B9D
wsprintfW.USER32 ref: 00407BBB
??3@YAXPAX@Z.MSVCRT(?), ref: 00407C53

Strings

%d%%, xrefs: 00407BB5

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: ??3@ItemMessageSendUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
String ID: %d%%
API String ID: 3753976982-1518462796
Opcode ID: 0b792d7adb6174ba2d50e5ca9cf87896ffea0db59519718aa7dbff65f529ef39
Instruction ID: b955b8041d8a67620c3180d4911c799512bd6939d195f5b55c3092177650065a
Opcode Fuzzy Hash: 0b792d7adb6174ba2d50e5ca9cf87896ffea0db59519718aa7dbff65f529ef39
Instruction Fuzzy Hash: 1D31D371904208BBDB11AFA0CC45EDA7BB9EF48708F10847AFA42B61E1D779B904CB59

Function 0040408B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 96stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(hAA,00000020,?,?,00405838,?,?,?,00000000,?), ref: 004040A4

Part of subcall function 00401A85: CharUpperW.USER32(?,74DEE0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
Part of subcall function 00401A85: CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF

??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00404156
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 0040415E
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 0040416D
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 00404175

Strings

hAA, xrefs: 00404091, 0040409B, 004040A2, 004040B0

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: ??3@$CharUpper$lstrlen
String ID: hAA
API String ID: 2587799592-1362906312
Opcode ID: f1afb06a12cfea52e195ddd9e8ddb158cdff932f9735d488ba252034b153affa
Instruction ID: 7f7e13310b21401de90169bcc26cd057e2afddf23eedd5de54135d69024cf91c
Opcode Fuzzy Hash: f1afb06a12cfea52e195ddd9e8ddb158cdff932f9735d488ba252034b153affa
Instruction Fuzzy Hash: D7212772D40215AACF20ABA4CC46AEB77B9DF90354F10407BEB41BB2E1E7789D848658

Function 00404CBC Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 92COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00000000,00000001,00000000,00000000,00000001,?,00000000), ref: 00404D3E
??3@YAXPAX@Z.MSVCRT(?,?,?,004054CC,?,;!@InstallEnd@!,004054CC,;!@Install@!UTF-8!,00417400,00000000,00000001,?,00000000), ref: 00404DA0
??3@YAXPAX@Z.MSVCRT(?,?,?,004054CC,?,;!@InstallEnd@!,004054CC,;!@Install@!UTF-8!,00417400,00000000,00000001,?,00000000), ref: 00404DB8

Part of subcall function 00403354: lstrlenW.KERNEL32(00404AC6,?,?,00000000,?,?,?,?,00404AC6,?), ref: 00403361
Part of subcall function 00403354: GetSystemTimeAsFileTime.KERNEL32(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 004033D7
Part of subcall function 00403354: GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004033DE
Part of subcall function 00403354: ??3@YAXPAX@Z.MSVCRT(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 0040349D

Strings

;!@Install@!UTF-8!, xrefs: 00404D59
;!@InstallEnd@!, xrefs: 00404D73
03A, xrefs: 00404CCF

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: ??3@$FileTime$AttributesSystemlstrlen
String ID: 03A$;!@Install@!UTF-8!$;!@InstallEnd@!
API String ID: 4038993085-2279431206
Opcode ID: 1e5f1ef11ab3d9e84330ff60a8d60345b5fdf25d940142a54a900a3d947b53ea
Instruction ID: 637b7b13a9bcd1d52ea1019587bfa2fb4435f6835f564ae220b3123002230846
Opcode Fuzzy Hash: 1e5f1ef11ab3d9e84330ff60a8d60345b5fdf25d940142a54a900a3d947b53ea
Instruction Fuzzy Hash: CE312D71D0021EEACF05EF92CD429EEBBB4BF44318F10042BE911762E1DB785649DB98

Function 0040755F Relevance: 10.6, APIs: 7, Instructions: 63timethreadinjectionCOMMON

Download Yara Rule

APIs

EndDialog.USER32(?,00000000), ref: 00407579
KillTimer.USER32(?,00000001), ref: 0040758A
SetTimer.USER32(?,00000001,00000000,00000000), ref: 004075B4
SuspendThread.KERNEL32(00000298), ref: 004075CD
ResumeThread.KERNEL32(00000298), ref: 004075EA
EndDialog.USER32(?,00000000), ref: 0040760C

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: DialogThreadTimer$KillResumeSuspend
String ID:
API String ID: 4151135813-0
Opcode ID: fa37b7d0569be928e5d0aecc9653dabfd5de706af621d680b5378aa8e85f3b57
Instruction ID: ebb94c5c4675b2e6542c2b2cb7d5652cccd5624f9a00d71f737e39ca63bd9789
Opcode Fuzzy Hash: fa37b7d0569be928e5d0aecc9653dabfd5de706af621d680b5378aa8e85f3b57
Instruction Fuzzy Hash: 9811BF70A08618BBD7212F15EE849E77BBDFB00756B00843AF523A05A0CB39BD00DA1D

Function 00404E3F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 60COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000024,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404E85

Part of subcall function 00404343: ??3@YAXPAX@Z.MSVCRT(?,?,?,004177C4,004177C4,?,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 004043B6

??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000024,004177C4,004177C4,00000000,00000024,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404EAB
wsprintfA.USER32 ref: 00404EBC

Strings

;!@Install@!UTF-8!, xrefs: 00404E4A
;!@InstallEnd@!, xrefs: 00404E59
:Language:%u!, xrefs: 00404EB6

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: ??3@$wsprintf
String ID: :Language:%u!$;!@Install@!UTF-8!$;!@InstallEnd@!
API String ID: 2704270482-1550708412
Opcode ID: b3a647dc230e6375ba5304378dede3f86871d19815b7720c308d82744c7d9f3d
Instruction ID: afe26c372a183c0ca4a1b7edc16cb7be903c3e4040aad79e05e22cec791dc9d0
Opcode Fuzzy Hash: b3a647dc230e6375ba5304378dede3f86871d19815b7720c308d82744c7d9f3d
Instruction Fuzzy Hash: D8115E71B00018BBCF00FB95CC42EFE77ADAB84705B10402EBA15E3182DB78AB028799

Function 00403880 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405,?,00000000,00000000,00000000), ref: 004038C6
??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405,?,00000000,00000000), ref: 00403904
??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405), ref: 0040392A
??3@YAXPAX@Z.MSVCRT(00000000,00417788,00417788,00000000,00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788), ref: 00403932

Strings

%%T\, xrefs: 004038A6
%%T/, xrefs: 004038E4

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: ??3@
String ID: %%T/$%%T\
API String ID: 613200358-2679640699
Opcode ID: 9eec194740abc4bee078c15c8dc217b66edb47652cee4dab90ed516c3b80c8f9
Instruction ID: 53c9ca64f2466311d4136dbbff57d229d1af9e29f5fa76e56e45344ae10c91f3
Opcode Fuzzy Hash: 9eec194740abc4bee078c15c8dc217b66edb47652cee4dab90ed516c3b80c8f9
Instruction Fuzzy Hash: 5011DD3190410EBACF05FFA1D857CEDBB79AE00708F50806AB511760E1EF79A785DB98

Function 0040393B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405,?,00000000,00000000,00000000), ref: 00403981
??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405,?,00000000,00000000), ref: 004039BF
??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405), ref: 004039E5
??3@YAXPAX@Z.MSVCRT(00000000,00414784,00414784,00000000,00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784), ref: 004039ED

Strings

%%S\, xrefs: 00403961
%%S/, xrefs: 0040399F

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: ??3@
String ID: %%S/$%%S\
API String ID: 613200358-358529586
Opcode ID: c94d4b60668bfb9eedf3143ce332dc4c41685f87d495a97f985edcc2faf71bca
Instruction ID: c240205f9e12946546b7747d8fd44f392230bc1153c6614d6b8016afa5fd7689
Opcode Fuzzy Hash: c94d4b60668bfb9eedf3143ce332dc4c41685f87d495a97f985edcc2faf71bca
Instruction Fuzzy Hash: 1D11AD3190410EBACF05FFA1D856CEDBB79AE00708F51806AB511760E1EF78A789DB98

Function 004039F6 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405,?,00000000,00000000,00000000), ref: 00403A3C
??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405,?,00000000,00000000), ref: 00403A7A
??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405), ref: 00403AA0
??3@YAXPAX@Z.MSVCRT(00000000,00414784,00414784,00000000,00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784), ref: 00403AA8

Strings

%%M/, xrefs: 00403A5A
%%M\, xrefs: 00403A1C

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: ??3@
String ID: %%M/$%%M\
API String ID: 613200358-4143866494
Opcode ID: 3eb134fca1680c0093703720a533bafa1d2fd801437f3d80c27f205d784cf8f2
Instruction ID: 5f6947e2f47a7d655e02fb84317d9747a35bc7200d49f7273ebe403b31479b31
Opcode Fuzzy Hash: 3eb134fca1680c0093703720a533bafa1d2fd801437f3d80c27f205d784cf8f2
Instruction Fuzzy Hash: C911AD3190410EBACF05FFA1D956CEDBB79AE00708F51806AB511760E1EF78A789DB58

Function 0040E456 Relevance: 10.5, APIs: 1, Strings: 6, Instructions: 42COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT(00000000,00414CFC), ref: 0040E4EE

Strings

TJA, xrefs: 0040E4A1
$JA, xrefs: 0040E4B6
hJA, xrefs: 0040E49A
4JA, xrefs: 0040E4AF
DJA, xrefs: 0040E4A8
xJA, xrefs: 0040E493

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: ExceptionThrow
String ID: $JA$4JA$DJA$TJA$hJA$xJA
API String ID: 432778473-803145960
Opcode ID: 8cab838d89dd1577677f775eaf8cb930bb6d64206a7fe5cceb0cff601651d84b
Instruction ID: 5492ea6659e041f1bcf420c4685f7038b08242b420f8f2c51a6428b2159ddc92
Opcode Fuzzy Hash: 8cab838d89dd1577677f775eaf8cb930bb6d64206a7fe5cceb0cff601651d84b
Instruction Fuzzy Hash: 7211A5F0541B419BC7308F16E544587FBF8AF907587218A1FD0AA9BA51D3F8A1888B9C

Function 0040C0DC Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 243COMMON

Download Yara Rule

APIs

Part of subcall function 0040BA46: ??2@YAPAXI@Z.MSVCRT(0000000C,?,0040C20C,004149B0,00000001,?,?,00000000), ref: 0040BA4B

??3@YAXPAX@Z.MSVCRT(00000000,004149B0,00000001,?,?,00000000), ref: 0040C20D

Part of subcall function 0040ADC3: ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
Part of subcall function 0040ADC3: memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
Part of subcall function 0040ADC3: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00

??2@YAPAXI@Z.MSVCRT(00000014,00000000,004149B0,00000001,?,?,00000000), ref: 0040C245

Strings

IA, xrefs: 0040C0EC
IA, xrefs: 0040C11B
IA, xrefs: 0040C12D

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: ??2@$??3@$memmove
String ID: IA$IA$IA
API String ID: 4294387087-924693538
Opcode ID: 85fc5e494f6b2b84d8098d484c2c91b8b6bfa0a3dc3e29a15476b27879269a5e
Instruction ID: 38d37476858cbe2739f158cf8086d9562841ccd83740beefedbf55b6536d6dac
Opcode Fuzzy Hash: 85fc5e494f6b2b84d8098d484c2c91b8b6bfa0a3dc3e29a15476b27879269a5e
Instruction Fuzzy Hash: 20B1C1B1900209DFCB54EFAAC8819DEBBB5BF48304F50852EF919A7291DB38A945CF54

Function 0040E811 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT(00100EC3,00414CFC), ref: 0040E83C
??2@YAPAXI@Z.MSVCRT(?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?,?,?), ref: 0040E864
memcpy.MSVCRT(00000000,?,?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?), ref: 0040E88D
??3@YAXPAX@Z.MSVCRT(?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?,?,?), ref: 0040E898

Strings

IA, xrefs: 0040E818, 0040E841

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: ??2@??3@ExceptionThrowmemcpy
String ID: IA
API String ID: 3462485524-3293647318
Opcode ID: 87c970ed3d1d6bacfe04aab15aff8add49b6e5554cbd4f9de67434676486f6a2
Instruction ID: e9362666a157510f6fc1816af10740f0f0ab3f4ff6eb75305f8b2a096945a613
Opcode Fuzzy Hash: 87c970ed3d1d6bacfe04aab15aff8add49b6e5554cbd4f9de67434676486f6a2
Instruction Fuzzy Hash: 6811E5736003009BCB28AF57D880D6BFBE9AB84354714C83FEA59A7290D779E8954794

Function 00401000 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00401029
wsprintfW.USER32 ref: 00401049
lstrcatW.KERNEL32(?,?), ref: 0040105C
ExitProcess.KERNEL32 ref: 00401084

Strings

0x%p, xrefs: 00401043

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: wsprintf$ExitProcesslstrcat
String ID: 0x%p
API String ID: 2530384128-1745605757
Opcode ID: beb3389330693802dd4b40a551927b7f0c9c9e0999a7fc1e7fc7f64098bb755c
Instruction ID: 6c9eba3c29ae2a0cc7ccd16f79f39b6d6218d418ab2b897ff95ca6c62132cda7
Opcode Fuzzy Hash: beb3389330693802dd4b40a551927b7f0c9c9e0999a7fc1e7fc7f64098bb755c
Instruction Fuzzy Hash: CF019E7580020CAFDB20AFA0DC45FDA777CBF44305F04486AF945A2081D738F6948FAA

Function 00407A3A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 004071B8: GetSystemMetrics.USER32(0000000B), ref: 004071E0
Part of subcall function 004071B8: GetSystemMetrics.USER32(0000000C), ref: 004071E9

GetSystemMetrics.USER32(00000007), ref: 00407A51
GetSystemMetrics.USER32(00000007), ref: 00407A62
??3@YAXPAX@Z.MSVCRT(?,000004B8,?,?), ref: 00407B29

Strings

100%% , xrefs: 00407A81, 00407A88, 00407AE1

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: MetricsSystem$??3@
String ID: 100%%
API String ID: 2562992111-568723177
Opcode ID: 8625fd62ee8a1587f51b59dec5492359d41c9a7e7955315cbfbb4a3169dab2fe
Instruction ID: d2e8aa6d75c6757367bbc63d1236441fd7733528c0e5853e38aed7656a5d7d9b
Opcode Fuzzy Hash: 8625fd62ee8a1587f51b59dec5492359d41c9a7e7955315cbfbb4a3169dab2fe
Instruction Fuzzy Hash: 0D31D771A047059FCB24DFA9C9419AEB7F4EF40308B00012EE542A26E1DB78FE44CF99

Function 00407998 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00407A12

Part of subcall function 0040725A: GetDlgItem.USER32(?,?), ref: 00407264
Part of subcall function 0040725A: GetWindowTextLengthW.USER32(00000000), ref: 0040726B

GetDlgItem.USER32(?,000004B3), ref: 004079C6

Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB

??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 004079E4

Strings

(%u%s), xrefs: 00407A0C

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: TextWindow$ItemLength$??3@wsprintf
String ID: (%u%s)
API String ID: 3595513934-2496177969
Opcode ID: 81108d5736a162b6d9564d3eb7a2e93f5e39dd0108d0485d36b03b99dec63073
Instruction ID: 1b031bef2a273fddd3247fbc9e57f9590cc69a100d620b238320e5a3a24b3f72
Opcode Fuzzy Hash: 81108d5736a162b6d9564d3eb7a2e93f5e39dd0108d0485d36b03b99dec63073
Instruction Fuzzy Hash: 1401C8B15042147FDB107B65DC46EAF777CAF44708F10807FF516A21E2DB7CA9448A68

Function 004021ED Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32,GetNativeSystemInfo,0000003C,?,?,?,?,?,?,00406130,?,00000000,?,?,?), ref: 0040220A
GetProcAddress.KERNEL32(00000000), ref: 00402211

Strings

kernel32, xrefs: 00402205
GetNativeSystemInfo, xrefs: 00402200

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32
API String ID: 2574300362-3846845290
Opcode ID: dcc7844bde5d914e3d472255d944d602bbefc6ee0fc65a521985863f2fff9548
Instruction ID: b757a3d5c4c17e34abb063926c294d8abaed4bc4edbc3347b9308a3de004b423
Opcode Fuzzy Hash: dcc7844bde5d914e3d472255d944d602bbefc6ee0fc65a521985863f2fff9548
Instruction Fuzzy Hash: 88F0B432E1521495CF20BBF48B0D6EF66E89A19349B1004BBD852F31D0E5FCCE8141EE

Function 00402185 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32,Wow64RevertWow64FsRedirection,004061B1,?,?,?), ref: 00402198
GetProcAddress.KERNEL32(00000000), ref: 0040219F

Strings

Wow64RevertWow64FsRedirection, xrefs: 0040218E
kernel32, xrefs: 00402193

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32
API String ID: 2574300362-3900151262
Opcode ID: e5c6d40c89fc1f3fb34c79c32c3445fbc861d0d884c7149ba98d4f5b826d618a
Instruction ID: b94e249185ae4a70534d65e1a66e6cdcdba3a47a1e4784fabdbc91f5644b18b3
Opcode Fuzzy Hash: e5c6d40c89fc1f3fb34c79c32c3445fbc861d0d884c7149ba98d4f5b826d618a
Instruction Fuzzy Hash: AFD0C934294201DBDB125FA0EE0E7EA3AB9FB04B0BF458035A920A00F0CBBC9644CA5C

Function 004021B9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32,Wow64DisableWow64FsRedirection,0040223A), ref: 004021CA
GetProcAddress.KERNEL32(00000000), ref: 004021D1

Strings

Wow64DisableWow64FsRedirection, xrefs: 004021C0
kernel32, xrefs: 004021C5

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32
API String ID: 2574300362-736604160
Opcode ID: 5a0f418ac3e49e57b967c4010738a21a45af66be6bd625357fa5c872d0fae828
Instruction ID: 817513c890d082da38b6284c2862a66e2f32a8da2897575df7e5c1eb8648f331
Opcode Fuzzy Hash: 5a0f418ac3e49e57b967c4010738a21a45af66be6bd625357fa5c872d0fae828
Instruction Fuzzy Hash: 0DD012342443009BDB515FA09E0D7DA3EB4B705B07F508076A520E11D1CBFCA244C7AC

Function 00402A69 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402B6F

Part of subcall function 0040272E: MultiByteToWideChar.KERNEL32(00000020,00000000,00000024,?,00000000,?,?,00000020,00000024,00000000,00402ACD,?,?,00000000,00000000,00000000), ref: 00402760

??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402ADC
??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?), ref: 00402AF7
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C), ref: 00402AFF

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: ??3@$ByteCharMultiWide
String ID:
API String ID: 1731127917-0
Opcode ID: ae4930b9035af11edc18eb83865398ea889af843cb2bb96c85f7d9ecca2ecb95
Instruction ID: 3903ebf3ba6088976d83fc344d3b185d6a20d7f45533e28e7dbc13297377a7b4
Opcode Fuzzy Hash: ae4930b9035af11edc18eb83865398ea889af843cb2bb96c85f7d9ecca2ecb95
Instruction Fuzzy Hash: 2831B3729041156ACB14FFA6DD81DEFB3BCEF00714B51403FF952B31E1EA38AA458658

Function 00403F85 Relevance: 6.1, APIs: 4, Instructions: 66COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000001,00000000,00000002,00000000,00406437,00000000,?,?,00404B63,?,7ZSfx%03x.cmd), ref: 00403FA8
GetTempPathW.KERNEL32(00000001,00000000,00000001,?,?,00404B63,?,7ZSfx%03x.cmd), ref: 00403FC5
wsprintfW.USER32 ref: 00403FFB
GetFileAttributesW.KERNEL32(?), ref: 00404016

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: PathTemp$AttributesFilewsprintf
String ID:
API String ID: 1746483863-0
Opcode ID: 013dbc26b67ec8e4cb6dbc59edbfaa415160c5e99e9f4e95bea1135156e91aed
Instruction ID: 4b01c17e8612d334da970e7aef70975a1f373095b445c13461924cc76c43a46f
Opcode Fuzzy Hash: 013dbc26b67ec8e4cb6dbc59edbfaa415160c5e99e9f4e95bea1135156e91aed
Instruction Fuzzy Hash: 1B113672100204BFCB01AF59CC85AADB7F8FF88755F50802EF905972E1DB78AA008B88

Function 00401A85 Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

CharUpperW.USER32(?,74DEE0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF
CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401B03
CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401B13

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: CharUpper
String ID:
API String ID: 9403516-0
Opcode ID: 18230d7c19ca01b706053a4839b324d461c93759ef2237e6a4782e95e1545131
Instruction ID: 0ba0c8867aa888139ba8faa8f8ff432121b60ad667f2455bf366b55ac651d143
Opcode Fuzzy Hash: 18230d7c19ca01b706053a4839b324d461c93759ef2237e6a4782e95e1545131
Instruction Fuzzy Hash: 02112E34A11269ABCF108F99C8446BAB7E8FF44356B504467F881E3290D77CDE51EB64

Function 00407FA5 Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 0040690F: GetDlgItem.USER32(?,?), ref: 0040691B

Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00407FED
SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000103), ref: 0040800D
GetDlgItem.USER32(?,000004B7), ref: 00408020
SetWindowLongW.USER32(00000000,000000FC,Function_00006F37), ref: 0040802E

Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
Part of subcall function 00407D06: LoadIconW.USER32(00000000), ref: 00407D33
Part of subcall function 00407D06: GetSystemMetrics.USER32(00000032), ref: 00407D43
Part of subcall function 00407D06: GetSystemMetrics.USER32(00000031), ref: 00407D48
Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
Part of subcall function 00407D06: LoadImageW.USER32(00000000), ref: 00407D54
Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E76
Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E92

Part of subcall function 004072DD: GetDlgItem.USER32(?,000004B6), ref: 004072EA
Part of subcall function 004072DD: SetFocus.USER32(00000000,?,?,004073B2,000004B6,?), ref: 004072F1

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: ItemWindow$System$HandleLoadMessageMetricsModuleSend$DirectoryFileFocusIconImageInfoLongShow
String ID:
API String ID: 2538916108-0
Opcode ID: a74d79fd4605bc1a7757bdbc28ebf3a23631424810f8539fda01f9cd24d05c25
Instruction ID: 9218ed989044434557cb474aaa53437228351995edfdd36a91d94446a14b3a18
Opcode Fuzzy Hash: a74d79fd4605bc1a7757bdbc28ebf3a23631424810f8539fda01f9cd24d05c25
Instruction Fuzzy Hash: 7D1186B1A402146BCB10BBB99D09F9EB7FDEB84B04F00446EB652E31C0D6B8DA008B54

Function 004067ED Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000029,000001F4,?,00000000), ref: 00406814
GetSystemMetrics.USER32(00000031), ref: 0040683A
CreateFontIndirectW.GDI32(?), ref: 00406849
DeleteObject.GDI32(00000000), ref: 00406878

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: System$CreateDeleteFontIndirectInfoMetricsObjectParameters
String ID:
API String ID: 1900162674-0
Opcode ID: 5f8418ac61918c0235adc1083e46979a63813a21cc36a9cb80778b220a455722
Instruction ID: e152b01862f646c7a4819b14062263d5307cf72e2961abd6127bac75ebed32e6
Opcode Fuzzy Hash: 5f8418ac61918c0235adc1083e46979a63813a21cc36a9cb80778b220a455722
Instruction Fuzzy Hash: A9116376A00205AFDB10DF94DC88FEAB7B8EB08300F0180AAED06A7291DB74DE54CF54

Function 0040748A Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040749F
SHBrowseForFolderW.SHELL32(?), ref: 004074B8
SHGetPathFromIDListW.SHELL32(00000000,00000000), ref: 004074D4
SHGetMalloc.SHELL32(00000000), ref: 004074FE

Part of subcall function 004072DD: GetDlgItem.USER32(?,000004B6), ref: 004072EA
Part of subcall function 004072DD: SetFocus.USER32(00000000,?,?,004073B2,000004B6,?), ref: 004072F1

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: BrowseFocusFolderFromItemListMallocPathmemset
String ID:
API String ID: 1557639607-0
Opcode ID: a8285b8de4733da597857d8c27af206edc1c0a360700d70dd9a7d2ed45ada19f
Instruction ID: 30b51fec80d89fd3ac1614d0428bedaa433d1aa4d1a510c8e8bcd0531de43efe
Opcode Fuzzy Hash: a8285b8de4733da597857d8c27af206edc1c0a360700d70dd9a7d2ed45ada19f
Instruction Fuzzy Hash: 43112171A00114ABDB10EBA5DD48BDE77FCAB84715F1040A9E505E7280DB78EF05CB75

Function 004027C7 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,00000000), ref: 004027F8
??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,00000000,00000000), ref: 00402801

Part of subcall function 0040112B: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
Part of subcall function 0040112B: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171

ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,00000001,00000000,?,00000000,00000000,00000000), ref: 00402819
??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 00402839

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: ??3@$EnvironmentExpandStrings$??2@
String ID:
API String ID: 612612615-0
Opcode ID: 1bf054f2ccdc3be335b048ff77a64ac4bdb67295ffe3aca3d2c9ccbf2cc91127
Instruction ID: 71972da321696c7643696fa2d61077c4bfdb6251f9c85b9dd911fab2e4c9aeed
Opcode Fuzzy Hash: 1bf054f2ccdc3be335b048ff77a64ac4bdb67295ffe3aca3d2c9ccbf2cc91127
Instruction Fuzzy Hash: EF017976D00118BADB04AB55DD41DDEB7BCEF48714B10417BF901B31D1EB746A4086A8

Function 00403AB1 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB

??3@YAXPAX@Z.MSVCRT(?,?,?,00413550,00413558), ref: 00403AFD
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00413550,00413558), ref: 00403B05
SetWindowTextW.USER32(?,?), ref: 00403B12
??3@YAXPAX@Z.MSVCRT(?), ref: 00403B1D

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: ??3@TextWindow$Length
String ID:
API String ID: 2308334395-0
Opcode ID: 8119ca7b33955cbac21e87e4fe12ba773d40effc5d925a3b7e480b00d6a2293b
Instruction ID: 2cc122b1f520d7f8021a056a959bf32eecafdcf33a956e59961b1277582e5a57
Opcode Fuzzy Hash: 8119ca7b33955cbac21e87e4fe12ba773d40effc5d925a3b7e480b00d6a2293b
Instruction Fuzzy Hash: 2EF0FF32D0410DBACF01FBA5DD46CDE7B79EF04705B10406BF501720A1EA79AB559B98

Function 0040702A Relevance: 6.0, APIs: 4, Instructions: 34windowCOMMON

Download Yara Rule

APIs

GetObjectW.GDI32(?,0000005C,?), ref: 00407045
CreateFontIndirectW.GDI32(?), ref: 0040705B
GetDlgItem.USER32(?,000004B5), ref: 0040706F
SendMessageW.USER32(00000000,00000030,00000000,00000000), ref: 0040707B

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: CreateFontIndirectItemMessageObjectSend
String ID:
API String ID: 2001801573-0
Opcode ID: 78def116b4819d627590729c5baad135a5410a8d7e74f17ad4cec64f2c4de15c
Instruction ID: 5c236ef126686a3da9008926c30106754acf3bfa0ff8e01310dffb34f405da6a
Opcode Fuzzy Hash: 78def116b4819d627590729c5baad135a5410a8d7e74f17ad4cec64f2c4de15c
Instruction Fuzzy Hash: 35F05475900704ABDB209BA4DC09F8B7BFCAB48B01F048139BD51E11D4D7B4E5018B19

Function 00401BA3 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00401BA8
GetWindowRect.USER32(?,?), ref: 00401BC1
ScreenToClient.USER32(00000000,?), ref: 00401BCF
ScreenToClient.USER32(00000000,?), ref: 00401BD6

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: ClientScreen$ParentRectWindow
String ID:
API String ID: 2099118873-0
Opcode ID: ede60c7992125a9d10b8f8c06fbaeb3be6251aeef84f0c1b655461571a46cee2
Instruction ID: 3a6f634f9500a9f0e676680e31990ed58166cb62974d534a535afb1fb6b8d00a
Opcode Fuzzy Hash: ede60c7992125a9d10b8f8c06fbaeb3be6251aeef84f0c1b655461571a46cee2
Instruction Fuzzy Hash: 09E04F722052116BCB10AFA5AC88C8BBF6DDFC5723700447AF941A2220D7709D109A61

Function 00403C63 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

_wtol.MSVCRT ref: 00403C89

Strings

GUIFlags, xrefs: 00403C68
[G@, xrefs: 00403C64, 00403C88

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: _wtol
String ID: GUIFlags$[G@
API String ID: 2131799477-2126219683
Opcode ID: f402b0c85aba1d66b07b6addbe7eda3b1a8910d5e18cf18c534464033b9959d4
Instruction ID: b6302b9691b8fcfec91ee3c39af82f4337802e9cb3a6f407b943601295de961a
Opcode Fuzzy Hash: f402b0c85aba1d66b07b6addbe7eda3b1a8910d5e18cf18c534464033b9959d4
Instruction Fuzzy Hash: 6DF03C3611C1635AFB342E0994187B6AA9CEB05793FE4443BE9C3F12D0C37C8E82825D

Function 00402F10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(?O@,?,00000001,004177A0,00000000,00417794,?,?,00404F3F,?,?,?,?,?), ref: 00402F26
GetEnvironmentVariableW.KERNEL32(?,00000000,?,00000001,00000002,?,?,00404F3F,?,?,?,?,?), ref: 00402F52

Strings

?O@, xrefs: 00402F23

Memory Dump Source

Source File: 00000000.00000002.1769554964.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1769438589.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769595618.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769615201.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.000000000041A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_epht1Y3TGZ.jbxd

Similarity

API ID: EnvironmentVariable
String ID: ?O@
API String ID: 1431749950-3511380453
Opcode ID: 0f0cab1a5fe64df75075e876fd7e6a607817ca224d69030a73e0dc08c334b9f4
Instruction ID: 315e17eccb05daff3adc91fa9074d23558c2207180d60d9b2b56ce26dbf77fcb
Opcode Fuzzy Hash: 0f0cab1a5fe64df75075e876fd7e6a607817ca224d69030a73e0dc08c334b9f4
Instruction Fuzzy Hash: 24F06272200118BFDB00AFA9DC458AEB7EDEF88764B51402BF904D72A1D7B4AD008B98

Analysis Process: DZIPR.exePID: 6864, Parent PID: 6640COMMON

Execution Graph

Execution Coverage:	2.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.6%
Total number of Nodes:	1730
Total number of Limit Nodes:	25

Executed Functions

Function 6CC863F0 Relevance: 4.7, APIs: 3, Instructions: 239
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(00000000), ref: 6CC86602
VirtualProtect.KERNELBASE(?,?,00000040,00000000), ref: 6CC8663B
VirtualProtect.KERNELBASE(?,?,?,00000000,?), ref: 6CC86654

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 022c86efc9e4b61c5089885ec19a68f7057a8831831274c9067a319cf350a39b
Instruction ID: bb605f7a66ae4c177bd7781fc56165d73ce3324bc8f11d0dcb51061565b7a3a4
Opcode Fuzzy Hash: 022c86efc9e4b61c5089885ec19a68f7057a8831831274c9067a319cf350a39b
Instruction Fuzzy Hash: 73A1DC31609B568FC315CF29C88062BFBE2BFC9308F19896DE89597746E731E941CB81

Function 6CC85CA0 Relevance: 3.4, APIs: 2, Instructions: 353
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: LibraryLoad_memset
String ID:
API String ID: 2997193564-0
Opcode ID: 7a778e247d2c852cedac3806965fa8aa0bd16e7844337abd5d47c5537c882089
Instruction ID: 3edda75ec5ffdfd0c77493bdcacedeeeb5e772a1828b32ad26bb9b0f24541f45
Opcode Fuzzy Hash: 7a778e247d2c852cedac3806965fa8aa0bd16e7844337abd5d47c5537c882089
Instruction Fuzzy Hash: 6CE167B0A097068FC714CF5AC48062BFBF5BF88308F55892DE89A87751E770E855CB95

Function 6CC85E70 Relevance: 1.5, APIs: 1, Instructions: 248
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNELBASE(00000000,007F50EB), ref: 6CC85ECA

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 5223b06925a14f693ffc34b6b1dd8109b11025c9336ea1af97f8a96fd8a022b0
Instruction ID: 49659ecf52b173314569e4d74ac83e46ce67d2189f674a98c1fddb958497d585
Opcode Fuzzy Hash: 5223b06925a14f693ffc34b6b1dd8109b11025c9336ea1af97f8a96fd8a022b0
Instruction Fuzzy Hash: F3A1BE706097068FD708CF29C49062BBBF2BF89308F14852DE89687356E770E852CB95

Function 6CC8BC4E Relevance: 16.6, APIs: 11, Instructions: 106
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(6CCB32EC,?,?,?,6CCB32D0,6CCB32D0,?,6CC8C0A4,00000004,6CC8AF00,6CC86DDD,6CC8A591,6CC82BC2,?,?,?), ref: 6CC8BC61
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,6CCB32D0,6CCB32D0,?,6CC8C0A4,00000004,6CC8AF00,6CC86DDD,6CC8A591,6CC82BC2,?,?,?), ref: 6CC8BCB7
GlobalHandle.KERNEL32(00E3A068), ref: 6CC8BCC0
GlobalUnlock.KERNEL32(00000000), ref: 6CC8BCCA
GlobalReAlloc.KERNEL32(6CCAC168,00000000,00002002), ref: 6CC8BCE3
GlobalHandle.KERNEL32(00E3A068), ref: 6CC8BCF5
GlobalLock.KERNEL32(00000000), ref: 6CC8BCFC
LeaveCriticalSection.KERNEL32(?,?,?,6CCB32D0,6CCB32D0,?,6CC8C0A4,00000004,6CC8AF00,6CC86DDD,6CC8A591,6CC82BC2,?,?,?,?), ref: 6CC8BD05
GlobalLock.KERNEL32(00000000), ref: 6CC8BD11
_memset.LIBCMT ref: 6CC8BD2B
LeaveCriticalSection.KERNEL32(?,?), ref: 6CC8BD59

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
String ID:
API String ID: 496899490-0
Opcode ID: 16aa60baebc62cfbe2b4c06157503d1dea75819049362a1dff3047c85be55373
Instruction ID: ef54a676f88a8b98fe9f3951c109beaafe763db11c11aac648675396cb0253c7
Opcode Fuzzy Hash: 16aa60baebc62cfbe2b4c06157503d1dea75819049362a1dff3047c85be55373
Instruction Fuzzy Hash: C031B271A01744AFDB208FA4CC4DE5FBBF9FF44309B14496AE656D7A50EB30E8448B90

Function 6CC864E0 Relevance: 4.7, APIs: 3, Instructions: 151
librarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(00000000), ref: 6CC86602
VirtualProtect.KERNELBASE(?,?,00000040,00000000), ref: 6CC8663B

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: LibraryLoadProtectVirtual
String ID:
API String ID: 3279857687-0
Opcode ID: dcc6f817535b11e61b601f9286e0792e74e54a8693b99319e6a4c700245cb1fb
Instruction ID: b9f63e28e938707487a76f938606bd9258de213334adeb04823e09c714395cd6
Opcode Fuzzy Hash: dcc6f817535b11e61b601f9286e0792e74e54a8693b99319e6a4c700245cb1fb
Instruction Fuzzy Hash: DC5110316097558FC710CF28C88062BFBF6BFC9308F19896DE88587356E631E906CB85

Function 6CC86750 Relevance: 1.6, APIs: 1, Instructions: 109
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,?,00000000,?,00000000,?,?,?,?,6CCAC168), ref: 6CC86300

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 4085b330d581c379e13af0e5fd3b8aa482a6f546bb550483511ceadd6e3399c6
Instruction ID: d28bcdf14701bfacf2f476a43c74a83f4c078f3f6fe56fde13a362f1c9b6c5a3
Opcode Fuzzy Hash: 4085b330d581c379e13af0e5fd3b8aa482a6f546bb550483511ceadd6e3399c6
Instruction Fuzzy Hash: 1941BF31A0AB058FC714CF19C88066BBBF6FBC5318F19896CE889D7716E631F8558B81

Function 6CC862D0 Relevance: 1.6, APIs: 1, Instructions: 97
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,?,00000000,?,00000000,?,?,?,?,6CCAC168), ref: 6CC86300

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: a157ee528788153a6790b00a7c0e947df397d8f38c69ba32e1c7448e350a0560
Instruction ID: fb548d08418a3cdbb4a2d71f0019cee75bdda0ad7ffc94734c6c4b11731ec83d
Opcode Fuzzy Hash: a157ee528788153a6790b00a7c0e947df397d8f38c69ba32e1c7448e350a0560
Instruction Fuzzy Hash: DD31BF31A1AB058FC715CF19C88066BBBF2BFC4318F19896CE89697316E631F855CB81

Function 6CC8C050 Relevance: 1.5, APIs: 1, Instructions: 43
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 6CC8C057

Part of subcall function 6CC86DC1: __CxxThrowException@8.LIBCMT ref: 6CC86DD7
Part of subcall function 6CC86DC1: __EH_prolog3.LIBCMT ref: 6CC86DE4

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw
String ID:
API String ID: 2489616738-0
Opcode ID: 28f188d1e8c941115d27b4c1207b7f4fabe5507d2fe7a8146843beafd0387557
Instruction ID: 899cfb29417020f3f3e8a999f4b6a6247a620eab421a1191142aa0b3340a35d8
Opcode Fuzzy Hash: 28f188d1e8c941115d27b4c1207b7f4fabe5507d2fe7a8146843beafd0387557
Instruction Fuzzy Hash: BA017130602A03CBDB19AFB5C82069F7AB1AB8139DF14862DD452C7B90FF31C946CB51

Function 6CC860F0 Relevance: 1.5, APIs: 1, Instructions: 33
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000004,00000080,00000000), ref: 6CC860F6

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 44560c934a96525291fab0bc77122d41bf765f05b295d5faa0501a0cee3f2b37
Instruction ID: 35c4fa2897f4bcd771e1b10d953c9067bfa98cb6c5190baeb95f530f63e013d9
Opcode Fuzzy Hash: 44560c934a96525291fab0bc77122d41bf765f05b295d5faa0501a0cee3f2b37
Instruction Fuzzy Hash: B501E8B1A087019FC718CF4EC89090ABBF6FFC8308F16852DA84897316D630E851CF89

Function 6CC9A6F4 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,?,6CC94776,00000001,?,?,?,6CC948EF,?,?,?,6CCAE848,0000000C,6CC949AA), ref: 6CC9A709

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 700f95b89151f49afe9c6ac744b96a4f1f2162ffcd64eee86b73efebefb76563
Instruction ID: 121c3ae5ae1982bb414a31bd2289efaffa4a4cd1293d1d5efc342065dca92819
Opcode Fuzzy Hash: 700f95b89151f49afe9c6ac744b96a4f1f2162ffcd64eee86b73efebefb76563
Instruction Fuzzy Hash: 03D05E76B543859ADB009EB2AC09B673BFC9385796F148436F80CC7580F570C590DA08

Non-executed Functions

Function 6CC8748E Relevance: 12.1, APIs: 8, Instructions: 126filestringCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CC87498
GetFullPathNameW.KERNEL32(00000000,00000104,00000000,?,00000268,6CC876D5,?,00000000,?,00000000,00000104,00000000,?,6CCABEF4,00000000), ref: 6CC874D6

Part of subcall function 6CC86DC1: __CxxThrowException@8.LIBCMT ref: 6CC86DD7
Part of subcall function 6CC86DC1: __EH_prolog3.LIBCMT ref: 6CC86DE4

PathIsUNCW.SHLWAPI(?,00000000,?), ref: 6CC87546
GetVolumeInformationW.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 6CC8756D
CharUpperW.USER32(00000000), ref: 6CC875A0
FindFirstFileW.KERNEL32(?,?), ref: 6CC875BC
FindClose.KERNEL32(00000000), ref: 6CC875C8
lstrlenW.KERNEL32(?), ref: 6CC875E6

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: FindPath$CharCloseException@8FileFirstFullH_prolog3H_prolog3_InformationNameThrowUpperVolumelstrlen
String ID:
API String ID: 624941980-0
Opcode ID: a54a6eb218543f1a996458eee6a3895bafafc6ee010ea6da93e5e3325a198c66
Instruction ID: 64f5b4a3b92f3cd5b416734e12f20c998d1a6438dd7dfcbd398b834d22d74c79
Opcode Fuzzy Hash: a54a6eb218543f1a996458eee6a3895bafafc6ee010ea6da93e5e3325a198c66
Instruction Fuzzy Hash: B8419F70A066159BDF159BA4CC9CBEF7E78AF0131CF140399B81992991FB358A88DF20

Function 6CC93F34 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 6CC97C6C
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6CC97C81
UnhandledExceptionFilter.KERNEL32(6CCAA4B8), ref: 6CC97C8C
GetCurrentProcess.KERNEL32(C0000409), ref: 6CC97CA8
TerminateProcess.KERNEL32(00000000), ref: 6CC97CAF

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: f86bdf4831beff3318b1a68f03d9a8ac644f9e29bfdb6042cc61a1a137543f64
Instruction ID: 4c2e6fc2bc1bda25b36034e2aff73e1e849b77eee354273227ad223ed281123e
Opcode Fuzzy Hash: f86bdf4831beff3318b1a68f03d9a8ac644f9e29bfdb6042cc61a1a137543f64
Instruction Fuzzy Hash: 1721F3B9A03B05DFDF81DFE9D449A493BB4FB0A304F50411AE4089B750E7709585CF4A

Function 6CC889B5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000800,00000003,?,00000004), ref: 6CC889FC
__snwprintf_s.LIBCMT ref: 6CC88A2E
LoadLibraryW.KERNEL32(?), ref: 6CC88A69

Part of subcall function 6CC95348: __getptd_noexit.LIBCMT ref: 6CC95348

Strings

LOC, xrefs: 6CC889DC

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: InfoLibraryLoadLocale__getptd_noexit__snwprintf_s
String ID: LOC
API String ID: 3175857669-519433814
Opcode ID: afad129d8913dfde9679c0689c2f38b67977e475c4f7f7e7ffd90a4c3f75576c
Instruction ID: d9910ab6b7f9e6c5d6f61276b84d9169cba14d6a854904b32bae12549073d7cb
Opcode Fuzzy Hash: afad129d8913dfde9679c0689c2f38b67977e475c4f7f7e7ffd90a4c3f75576c
Instruction Fuzzy Hash: 2211DA71A41308ABDB10ABA4CC48FEF7BBCBB0235DF100666A114E79C0FB749948D761

Function 6CC904EE Relevance: 6.0, APIs: 4, Instructions: 42keyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 6CC92C57: GetWindowLongW.USER32(?,000000F0), ref: 6CC92C62

GetKeyState.USER32(00000010), ref: 6CC90514
GetKeyState.USER32(00000011), ref: 6CC9051D
GetKeyState.USER32(00000012), ref: 6CC90526
SendMessageW.USER32(?,00000111,0000E146,00000000), ref: 6CC9053C

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: 4a141e7e9e77caedf541458991b5c2cc5e55811592f1ea8358f2d3cd5deb4373
Instruction ID: ca5d26576b2b730db59775574af476e987d7cac4abfb360113db078ad1b1495e
Opcode Fuzzy Hash: 4a141e7e9e77caedf541458991b5c2cc5e55811592f1ea8358f2d3cd5deb4373
Instruction Fuzzy Hash: 56F02E357423CFA6FA1021B54C05FFD19365F89FD8F0000316645EB9E0EFA0C8466574

Function 6CC8DE29 Relevance: 4.5, APIs: 3, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f2e96e3173c8766d23888731ef280116773cc7eb4125694070aeb27c4401a57
Instruction ID: 1d9b83d743fc5fb33efb33edf76a85590d1503880e07dfe27a8db75ab6452173
Opcode Fuzzy Hash: 4f2e96e3173c8766d23888731ef280116773cc7eb4125694070aeb27c4401a57
Instruction Fuzzy Hash: 6BF0193164324ABBDF029FA5C808A9F7F79BB1234DF408022F929D5410EB30DA54DB60

Function 6CC85D78 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 369e71457e2037c2055dde8a5669f1ed74740de1c581bed3f97036c0d9e125b2
Instruction ID: 4d3792afeb0b23d1b433a625972f3485241c6085592560e88f30bda9bd2f7614
Opcode Fuzzy Hash: 369e71457e2037c2055dde8a5669f1ed74740de1c581bed3f97036c0d9e125b2
Instruction Fuzzy Hash: B331A876A0A3058BDB24CF49C58062BBBF2FBC8708F56886DDC8957701EB70E841CB91

Function 6CC88BDF Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 159libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CC88BE9
GetModuleHandleW.KERNEL32(kernel32.dll,00000260,6CC88EB7,?,?), ref: 6CC88C19
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 6CC88C2D
ConvertDefaultLocale.KERNEL32(?), ref: 6CC88C69
ConvertDefaultLocale.KERNEL32(?), ref: 6CC88C77
GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 6CC88C94
ConvertDefaultLocale.KERNEL32(?), ref: 6CC88CBF
ConvertDefaultLocale.KERNEL32(000003FF), ref: 6CC88CC8
GetModuleHandleW.KERNEL32(ntdll.dll), ref: 6CC88CE1
EnumResourceLanguagesW.KERNEL32(00000000,00000010,00000001,Function_000084C0,?), ref: 6CC88CFE
ConvertDefaultLocale.KERNEL32(?), ref: 6CC88D31
ConvertDefaultLocale.KERNEL32(00000000), ref: 6CC88D3A
GetModuleFileNameW.KERNEL32(6CC80000,?,00000105), ref: 6CC88D7F
_memset.LIBCMT ref: 6CC88D9F

Strings

GetSystemDefaultUILanguage, xrefs: 6CC88C79
kernel32.dll, xrefs: 6CC88C02
GetUserDefaultUILanguage, xrefs: 6CC88C21
ntdll.dll, xrefs: 6CC88CDC

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: ConvertDefaultLocale$Module$AddressHandleProc$EnumFileH_prolog3_LanguagesNameResource_memset
String ID: GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
API String ID: 3537336938-2299501126
Opcode ID: 177d14b5b98ea0355a26e5eadb01e39b491163190ae0339e3b79df15dd5fae51
Instruction ID: 78a7bd42eb955ec520c3616a5ed9bfb276236eb27f27e7fe9b53a99ad7b5ce5e
Opcode Fuzzy Hash: 177d14b5b98ea0355a26e5eadb01e39b491163190ae0339e3b79df15dd5fae51
Instruction Fuzzy Hash: 2E513F75D02229ABCB60DFA59C8CBAEBAB4EB58308F1001D79448E7680E7749E81CF54

Function 6CC8DCCE Relevance: 29.8, APIs: 8, Strings: 9, Instructions: 82libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(USER32,00000000,00000000,75C04A40,6CC8DE36,?,?,?,?,?,?,?,6CC8FCC6,00000000,00000002,00000028), ref: 6CC8DCF9
GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 6CC8DD15
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 6CC8DD2A
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 6CC8DD3B
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 6CC8DD4C
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 6CC8DD5D
GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesW), ref: 6CC8DD6E
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 6CC8DD8E

Strings

USER32, xrefs: 6CC8DCEF
EnumDisplayDevicesW, xrefs: 6CC8DD68
MonitorFromRect, xrefs: 6CC8DD35
MonitorFromPoint, xrefs: 6CC8DD46
MonitorFromWindow, xrefs: 6CC8DD24
GetMonitorInfoW, xrefs: 6CC8DD81
GetSystemMetrics, xrefs: 6CC8DD0F
EnumDisplayMonitors, xrefs: 6CC8DD57
GetMonitorInfoA, xrefs: 6CC8DD88

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetMonitorInfoA$GetMonitorInfoW$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-2451437823
Opcode ID: 71150c67525566b3aca692cc8d60c7c4c040b728c2d21b19ee41786b3d08ace4
Instruction ID: 07552cbd4adce126e1fe28f4d835e9a7761f9baaebf023d60f528e85d45db96c
Opcode Fuzzy Hash: 71150c67525566b3aca692cc8d60c7c4c040b728c2d21b19ee41786b3d08ace4
Instruction Fuzzy Hash: AE211A71A1A163AFCF02EFEA88C942B7FF4B68B659321897FD105D3904E37140828B24

Function 6CC919AE Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 153COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CC919B8

Part of subcall function 6CC8C050: __EH_prolog3.LIBCMT ref: 6CC8C057

CallNextHookEx.USER32(?,?,?,?), ref: 6CC919F8

Part of subcall function 6CC86DC1: __CxxThrowException@8.LIBCMT ref: 6CC86DD7
Part of subcall function 6CC86DC1: __EH_prolog3.LIBCMT ref: 6CC86DE4

_memset.LIBCMT ref: 6CC91A51
GetClassLongW.USER32(?,000000E0), ref: 6CC91A85
SetWindowLongW.USER32(?,000000FC,Function_00010D95), ref: 6CC91ADA
GetClassNameW.USER32(?,?,00000100), ref: 6CC91B20
GetWindowLongW.USER32(?,000000FC), ref: 6CC91B46
GetPropW.USER32(?,AfxOldWndProc423), ref: 6CC91B5D
SetPropW.USER32(?,AfxOldWndProc423,?), ref: 6CC91B6F
GetPropW.USER32(?,AfxOldWndProc423), ref: 6CC91B77
GlobalAddAtomW.KERNEL32(AfxOldWndProc423), ref: 6CC91B86
SetWindowLongW.USER32(?,000000FC,Function_00011861), ref: 6CC91B94
CallNextHookEx.USER32(?,00000003,?,?), ref: 6CC91BA6
UnhookWindowsHookEx.USER32(?), ref: 6CC91BBA

Strings

#32768, xrefs: 6CC91A63, 6CC91A68, 6CC91B36
AfxOldWndProc423, xrefs: 6CC91B56, 6CC91B5B, 6CC91B6D, 6CC91B75, 6CC91B85

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: Long$HookPropWindow$CallClassH_prolog3Next$AtomException@8GlobalH_prolog3_NameThrowUnhookWindows_memset
String ID: #32768$AfxOldWndProc423
API String ID: 4265692241-2141921550
Opcode ID: 244a3e1ae7e0b1154b915765b5df46cbae7c6b24b087718e6739ceec6c413f2d
Instruction ID: 75e8ef080db4b111e04ff6e26c71e465f6ff9052f66bdd77aa010089df6b5587
Opcode Fuzzy Hash: 244a3e1ae7e0b1154b915765b5df46cbae7c6b24b087718e6739ceec6c413f2d
Instruction Fuzzy Hash: 1951B675541225ABCB11AB65CC4DFDE7BB9BF05359F100285F419E7A90FB34CA81CBA0

Function 6CC8FBD6 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 175windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6CC92C57: GetWindowLongW.USER32(?,000000F0), ref: 6CC92C62

GetParent.USER32(?), ref: 6CC8FC05
SendMessageW.USER32(00000000,0000036B,00000000,00000000), ref: 6CC8FC28
GetWindowRect.USER32(?,?), ref: 6CC8FC42
GetWindowLongW.USER32(00000000,000000F0), ref: 6CC8FC58
CopyRect.USER32(?,?), ref: 6CC8FCA5
CopyRect.USER32(?,?), ref: 6CC8FCAF
GetWindowRect.USER32(00000000,?), ref: 6CC8FCB8

Part of subcall function 6CC8DE96: MultiByteToWideChar.KERNEL32(00000000,00000000,00000028,000000FF,00000028,00000020), ref: 6CC8DED6

CopyRect.USER32(?,?), ref: 6CC8FCD4

Strings

(, xrefs: 6CC8FC6E

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: Rect$Window$Copy$Long$ByteCharMessageMultiParentSendWide
String ID: (
API String ID: 1385303425-3887548279
Opcode ID: 1b4fcc808f835d3131fe30488b8014338992c1f0e20b4bfdba47911ae015867e
Instruction ID: 1617638af14843fc0096d5aea7c8eabdddebf7e5947d282477503c2ef4e7c029
Opcode Fuzzy Hash: 1b4fcc808f835d3131fe30488b8014338992c1f0e20b4bfdba47911ae015867e
Instruction Fuzzy Hash: 90514072A02519AFDB10CFA8CD88EEFBBB9BF48358F154116E915F3640E730E9458B60

Function 6CC9A11F Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 57libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,6CCAE928,0000000C,6CC9A25A,00000000,00000000,?,6CC86905,6CCAC168,?,?,6CC93DB8,6CCAC168,?,?,?), ref: 6CC9A131
__crt_waiting_on_module_handle.LIBCMT ref: 6CC9A13C

Part of subcall function 6CC95BCF: Sleep.KERNEL32(000003E8,6CCAC168,?,6CC9A082,KERNEL32.DLL,?,6CC9C09E,?,6CC94AB7,6CCAC168,?,?,6CC86905,6CCAC168,?), ref: 6CC95BDB
Part of subcall function 6CC95BCF: GetModuleHandleW.KERNEL32(6CCAC168,?,6CC9A082,KERNEL32.DLL,?,6CC9C09E,?,6CC94AB7,6CCAC168,?,?,6CC86905,6CCAC168,?,?,6CC93DB8), ref: 6CC95BE4

GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 6CC9A165
GetProcAddress.KERNEL32(00000003,DecodePointer), ref: 6CC9A175
__lock.LIBCMT ref: 6CC9A197
InterlockedIncrement.KERNEL32(6CCAD544), ref: 6CC9A1A4
__lock.LIBCMT ref: 6CC9A1B8
___addlocaleref.LIBCMT ref: 6CC9A1D6

Strings

EncodePointer, xrefs: 6CC9A159
KERNEL32.DLL, xrefs: 6CC9A12B, 6CC9A130, 6CC9A13B
DecodePointer, xrefs: 6CC9A16D

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1028249917-2843748187
Opcode ID: bcba46142e33cd0b0dde0f3e4e3f24f29f10e7df5e74d0e073726c7f07e4874d
Instruction ID: 307134edad2864527354a7758a30f915bb1910e9b699268a37fd9fc5d0be3d36
Opcode Fuzzy Hash: bcba46142e33cd0b0dde0f3e4e3f24f29f10e7df5e74d0e073726c7f07e4874d
Instruction Fuzzy Hash: 70118E71900702DFD7208FB9C808B9ABBF0AF85318F108919E49AD3F90EB349A45CF54

Function 6CC884DA Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 60libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32), ref: 6CC88503
GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 6CC88520
GetProcAddress.KERNEL32(00000000,ReleaseActCtx), ref: 6CC8852D
GetProcAddress.KERNEL32(00000000,ActivateActCtx), ref: 6CC8853A
GetProcAddress.KERNEL32(00000000,DeactivateActCtx), ref: 6CC88547

Strings

CreateActCtxW, xrefs: 6CC8851A
ReleaseActCtx, xrefs: 6CC88522
ActivateActCtx, xrefs: 6CC8852F
KERNEL32, xrefs: 6CC884FE
DeactivateActCtx, xrefs: 6CC8853C

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ActivateActCtx$CreateActCtxW$DeactivateActCtx$KERNEL32$ReleaseActCtx
API String ID: 667068680-2424895508
Opcode ID: 8c9638e248e532642d5e201b8daa25b99a80c296206b13c84c4a2ac2b8a0acd4
Instruction ID: 08742cd2cd9050722fdc2deaabb3fed63d7f9650a59b96798f0f6738d22ad6ad
Opcode Fuzzy Hash: 8c9638e248e532642d5e201b8daa25b99a80c296206b13c84c4a2ac2b8a0acd4
Instruction Fuzzy Hash: 2B1128B1A06692AFDF109FE6988DC07BFB4EA4631C31D453FE10593A41FA305441CA1A

Function 6CC8A59C Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32,6CC8A6B6), ref: 6CC8A5AA
GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 6CC8A5CB
GetProcAddress.KERNEL32(ReleaseActCtx), ref: 6CC8A5DD
GetProcAddress.KERNEL32(ActivateActCtx), ref: 6CC8A5EF
GetProcAddress.KERNEL32(DeactivateActCtx), ref: 6CC8A601

Part of subcall function 6CC86DC1: __CxxThrowException@8.LIBCMT ref: 6CC86DD7
Part of subcall function 6CC86DC1: __EH_prolog3.LIBCMT ref: 6CC86DE4

Strings

CreateActCtxW, xrefs: 6CC8A5C5
ReleaseActCtx, xrefs: 6CC8A5CD
ActivateActCtx, xrefs: 6CC8A5DF
KERNEL32, xrefs: 6CC8A5A5
DeactivateActCtx, xrefs: 6CC8A5F1

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: AddressProc$Exception@8H_prolog3HandleModuleThrow
String ID: ActivateActCtx$CreateActCtxW$DeactivateActCtx$KERNEL32$ReleaseActCtx
API String ID: 417325364-2424895508
Opcode ID: 4f99f56e13ad3dee668b87bcf286bd0c32f014169a58252065465239db622ad9
Instruction ID: 5060a682f56e08fc9ca826637cc7b4187fbc6ac01b9630dc7315ec55f200570f
Opcode Fuzzy Hash: 4f99f56e13ad3dee668b87bcf286bd0c32f014169a58252065465239db622ad9
Instruction Fuzzy Hash: C9F07474A06A67ABCF415BF298089467EB8A706358709491BA900A3752FB7480498F4A

Function 6CC8C8E2 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 128COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 6CC8C91F
PathFindExtensionW.SHLWAPI(?), ref: 6CC8C939
__wcsdup.LIBCMT ref: 6CC8C983
__wcsdup.LIBCMT ref: 6CC8C9C2
__wcsdup.LIBCMT ref: 6CC8CA14
__wcsdup.LIBCMT ref: 6CC8CA55

Strings

.HLP, xrefs: 6CC8C9F9
.INI, xrefs: 6CC8CA36
.CHM, xrefs: 6CC8C9F2

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: __wcsdup$ExtensionFileFindModuleNamePath
String ID: .CHM$.HLP$.INI
API String ID: 2477486372-4017452060
Opcode ID: 9d0be604d9a05b5e12ee9fdec4905a051ecea1a24c79d771e0a47e0b5c72b692
Instruction ID: 5a4cab01d0a3f644a257caf260652f72c640e76da0b7de763e5d93f2c78dc6b1
Opcode Fuzzy Hash: 9d0be604d9a05b5e12ee9fdec4905a051ecea1a24c79d771e0a47e0b5c72b692
Instruction Fuzzy Hash: EF4180B19027199BDB10EB75C844ADB7BFCAF4431CF140AEA9556D7A40FB31E988CB60

Function 6CC91861 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6CC91868
GetPropW.USER32(?,AfxOldWndProc423), ref: 6CC91877
CallWindowProcW.USER32(?,?,00000110,?,00000000), ref: 6CC918D1

Part of subcall function 6CC90C2C: GetWindowRect.USER32(?,10000000), ref: 6CC90C56

SetWindowLongW.USER32(?,000000FC,?), ref: 6CC918F8
RemovePropW.USER32(?,AfxOldWndProc423), ref: 6CC91900
GlobalFindAtomW.KERNEL32(AfxOldWndProc423), ref: 6CC91907
GlobalDeleteAtom.KERNEL32(?), ref: 6CC91911
CallWindowProcW.USER32(?,?,?,?,00000000), ref: 6CC91965

Strings

AfxOldWndProc423, xrefs: 6CC91870, 6CC91875, 6CC918FE, 6CC91906

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: Window$AtomCallGlobalProcProp$DeleteFindH_prolog3_catchLongRectRemove
String ID: AfxOldWndProc423
API String ID: 2109165785-1060338832
Opcode ID: a0295e89808487eb542f8a45a23c9ffd1fca8de703f17304b1a21605cc385bbe
Instruction ID: 581203f1a1daa1d3976c559153d22c46db99dc2ddd25d2c306ee68d175687f7a
Opcode Fuzzy Hash: a0295e89808487eb542f8a45a23c9ffd1fca8de703f17304b1a21605cc385bbe
Instruction Fuzzy Hash: C6317C3290115AABCF019FE9DD4EDFF7ABCBF0A315F000115FA01A6950E735C925ABA1

Function 6CC81C00 Relevance: 13.7, APIs: 9, Instructions: 159fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,?,00000000,?,?,?,?,?,6CC81BE9,?,?,?,?), ref: 6CC81C39
GetLastError.KERNEL32(?,?,?,?,?,6CC81BE9,?,?,?,?), ref: 6CC81C48
__aullrem.LIBCMT ref: 6CC81C60
ReadFile.KERNEL32(?,?,?,?,00000000,?,?,?,00000000), ref: 6CC81CE8
_memset.LIBCMT ref: 6CC81CF5
SetFilePointer.KERNEL32(?,?,00000000,00000001,?,?,?,?,6CC81BE9,?,?,?,?), ref: 6CC81D07

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: File$Pointer$ErrorLastRead__aullrem_memset
String ID:
API String ID: 123228641-0
Opcode ID: 9dd8c3bf5a38f52cd3b32db020dbbfa1010f046d580b839f73f1c91a4f62feb1
Instruction ID: d10ce3b47e8610407d0063c673c25ef6c5ba02a7863e81d8da1349ce52270402
Opcode Fuzzy Hash: 9dd8c3bf5a38f52cd3b32db020dbbfa1010f046d580b839f73f1c91a4f62feb1
Instruction Fuzzy Hash: 5B515171A05311AFD740DF6DD844B9BBBF8FB88758F044A1AF968D7241E770E9048BA2

Function 6CC8BE0D Relevance: 13.6, APIs: 9, Instructions: 96memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6CC8BE14
EnterCriticalSection.KERNEL32(?,00000010,6CC8C0D0,?,00000000,?,00000004,6CC8AF00,6CC86DDD,6CC8A591,6CC82BC2,?,?,?,?,?), ref: 6CC8BE25
TlsGetValue.KERNEL32(?,?,00000000,?,00000004,6CC8AF00,6CC86DDD,6CC8A591,6CC82BC2,?,?,?,?,?), ref: 6CC8BE43
LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,6CC8AF00,6CC86DDD,6CC8A591,6CC82BC2,?,?,?), ref: 6CC8BE77
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,6CC8AF00,6CC86DDD,6CC8A591,6CC82BC2,?,?,?,?,?), ref: 6CC8BEE3
_memset.LIBCMT ref: 6CC8BF02
TlsSetValue.KERNEL32(?,00000000,?), ref: 6CC8BF13
LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,6CC8AF00,6CC86DDD,6CC8A591,6CC82BC2,?,?,?,?,?), ref: 6CC8BF34

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: CriticalSection$LeaveValue$AllocEnterH_prolog3_catchLocal_memset
String ID:
API String ID: 1891723912-0
Opcode ID: 7216908efa2b44b21f6520523ac17d2c55e04ea796b762e34201dbad64ae90e6
Instruction ID: c0768a19c3ae22b0b396786aee025d99e999df90721bed10a320b9290f26f972
Opcode Fuzzy Hash: 7216908efa2b44b21f6520523ac17d2c55e04ea796b762e34201dbad64ae90e6
Instruction Fuzzy Hash: EA31AD74502606AFDB109F94CC95C9BBBB1FF05318B20C62EE62A97E50EB30A954CF90

Function 6CC881FA Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 117threadwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 6CC8815A: GetParent.USER32(?), ref: 6CC881AE
Part of subcall function 6CC8815A: GetLastActivePopup.USER32(?), ref: 6CC881BF
Part of subcall function 6CC8815A: IsWindowEnabled.USER32(?), ref: 6CC881D3
Part of subcall function 6CC8815A: EnableWindow.USER32(?,00000000), ref: 6CC881E6

EnableWindow.USER32(?,00000001), ref: 6CC88247
GetWindowThreadProcessId.USER32(?,?), ref: 6CC8825B
GetCurrentProcessId.KERNEL32(?,?), ref: 6CC88265
SendMessageW.USER32(?,00000376,00000000,00000000), ref: 6CC8827D
GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?), ref: 6CC882F9
EnableWindow.USER32(00000000,00000001), ref: 6CC88340

Strings

0, xrefs: 6CC882D2

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: Window$Enable$Process$ActiveCurrentEnabledFileLastMessageModuleNameParentPopupSendThread
String ID: 0
API String ID: 1877664794-4108050209
Opcode ID: c48fc92d8d32d6a777e12cf55ee2c34e5b4f93b9b875c18323e3e41433c575c6
Instruction ID: 94f0e89b5fd218f8ebf03d210c33dc7707537476782b73350f333e2470651576
Opcode Fuzzy Hash: c48fc92d8d32d6a777e12cf55ee2c34e5b4f93b9b875c18323e3e41433c575c6
Instruction Fuzzy Hash: 1A417271A4261D9BDB109F64CC88F9BBBB4FF05718F20059AE515E6A81E770DA808B90

Function 6CC8DE96 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000028,000000FF,00000028,00000020), ref: 6CC8DED6
SystemParametersInfoA.USER32(00000030,00000000,00000000,00000000), ref: 6CC8DF00
GetSystemMetrics.USER32(00000000), ref: 6CC8DF17
GetSystemMetrics.USER32(00000001), ref: 6CC8DF1E
MultiByteToWideChar.KERNEL32(00000000,00000000,DISPLAY,000000FF,-00000028,00000020), ref: 6CC8DF49

Strings

DISPLAY, xrefs: 6CC8DF40
B, xrefs: 6CC8DEE0

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: System$ByteCharMetricsMultiWide$InfoParameters
String ID: B$DISPLAY
API String ID: 381819527-3316187204
Opcode ID: dec087d176ade68e1c5beb4b239a13db432dd93ef09022ef323130da2337af2e
Instruction ID: 68b5235d4187191ea0031bbb94268f4d8e45b472a49521749958ba65159813ca
Opcode Fuzzy Hash: dec087d176ade68e1c5beb4b239a13db432dd93ef09022ef323130da2337af2e
Instruction Fuzzy Hash: 4021F571606222ABDF10DF58CC84B5B7FB8EF46769F114227FD189B581E6B0D840CBA1

Function 6CC888C8 Relevance: 12.1, APIs: 8, Instructions: 66memorystringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(?), ref: 6CC888E7
lstrcmpW.KERNEL32(00000000,?), ref: 6CC888F4
OpenPrinterW.WINSPOOL.DRV(?,?,00000000), ref: 6CC88906
DocumentPropertiesW.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 6CC88926
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 6CC8892E
GlobalLock.KERNEL32(00000000), ref: 6CC88938
DocumentPropertiesW.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 6CC88945
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 6CC8895D

Part of subcall function 6CC8DAD1: GlobalFlags.KERNEL32(?), ref: 6CC8DAE0
Part of subcall function 6CC8DAD1: GlobalUnlock.KERNEL32(?), ref: 6CC8DAF2
Part of subcall function 6CC8DAD1: GlobalFree.KERNEL32(?), ref: 6CC8DAFD

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: cc08590fb536d13b6289345835021866df4b0ba124e34fa7fde0d5373e644c73
Instruction ID: 5ca4cf8ca403786d8216583c8ed4fd5539aef167b989dbc33ea6b423fb50493d
Opcode Fuzzy Hash: cc08590fb536d13b6289345835021866df4b0ba124e34fa7fde0d5373e644c73
Instruction Fuzzy Hash: FF118C71901A05BBCF129BA5CC48CAF7EBDFB85B08B10841AFA05D2920EB35D951D720

Function 6CC8CD66 Relevance: 12.0, APIs: 8, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 6CC8CD75
GetSystemMetrics.USER32(0000000C), ref: 6CC8CD7C
GetSystemMetrics.USER32(00000002), ref: 6CC8CD83
GetSystemMetrics.USER32(00000003), ref: 6CC8CD8D
GetDC.USER32(00000000), ref: 6CC8CD97
GetDeviceCaps.GDI32(00000000,00000058), ref: 6CC8CDA8
GetDeviceCaps.GDI32(00000000,0000005A), ref: 6CC8CDB0
ReleaseDC.USER32(00000000,00000000), ref: 6CC8CDB8

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$Release
String ID:
API String ID: 1151147025-0
Opcode ID: a82cfe582ed146fb82d41cfad389de1030d99eff61483cb0c7ad7b07a3da93a2
Instruction ID: 3c538427dbac5cccfdd4728a786bce804b4b8fdc72b29044a7b8c41f9496d6f7
Opcode Fuzzy Hash: a82cfe582ed146fb82d41cfad389de1030d99eff61483cb0c7ad7b07a3da93a2
Instruction Fuzzy Hash: D3F049B1F40714BBEB105BB28C4DF2A7F78EB42721F008517E6058B280CAB998118FD0

Function 6CC9020C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6CC9029B
SendMessageW.USER32(00000000,00000433,00000000,?), ref: 6CC902C4
GetWindowLongW.USER32(?,000000FC), ref: 6CC902D6
GetWindowLongW.USER32(?,000000FC), ref: 6CC902E7
SetWindowLongW.USER32(?,000000FC,?), ref: 6CC90303

Strings

,, xrefs: 6CC902BA

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: LongWindow$MessageSend_memset
String ID: ,
API String ID: 2997958587-3772416878
Opcode ID: bd010024a7ca7fa9f391732f18741c3bfe635fed6b211e8cf75706667c59fa02
Instruction ID: 257e670eaccf6937491571cd61f4cd19ccc63161d5dece8d565940996002e186
Opcode Fuzzy Hash: bd010024a7ca7fa9f391732f18741c3bfe635fed6b211e8cf75706667c59fa02
Instruction Fuzzy Hash: DE31DE71602B509FDB109FB9C888A9EBBF4BF4C318F10062DE55697A91EB30E804CB51

Function 6CC8A200 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 101registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CC8A20A
RegOpenKeyW.ADVAPI32(80000001,?,?), ref: 6CC8A2F0
RegEnumKeyW.ADVAPI32(?,00000000,?,00000104), ref: 6CC8A30D
RegCloseKey.ADVAPI32(?), ref: 6CC8A32D
RegQueryValueW.ADVAPI32(80000001,?,?,?), ref: 6CC8A348

Strings

Software\, xrefs: 6CC8A26E

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: CloseEnumH_prolog3_OpenQueryValue
String ID: Software\
API String ID: 1666054129-964853688
Opcode ID: 6a648f7cbe6cf4eeb75b40da1100f6b5f2353926a9601972f262538ede7224f2
Instruction ID: bdbfaebfe08546afa8518dbe0e68023493e657f4a44ff96634105ea89abf46c0
Opcode Fuzzy Hash: 6a648f7cbe6cf4eeb75b40da1100f6b5f2353926a9601972f262538ede7224f2
Instruction Fuzzy Hash: 5E415431902518ABCB21DBA5DC48EDFBBB9AF89318F1406D5E119D2690EB34DB85CF50

Function 6CC8A082 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 6CC8A08C
RegOpenKeyW.ADVAPI32(?,?,?), ref: 6CC8A11A
RegEnumKeyW.ADVAPI32(?,00000000,?,00000104), ref: 6CC8A13D

Part of subcall function 6CC8A02D: __EH_prolog3.LIBCMT ref: 6CC8A034

Strings

Software\Classes\, xrefs: 6CC8A0CD

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: EnumH_prolog3H_prolog3_catch_Open
String ID: Software\Classes\
API String ID: 3518408925-1121929649
Opcode ID: 553a89aa8530ea5ed3258fee8868904ab3a0dfef6bcc1fe6f6eb6183663b342f
Instruction ID: 046e831e25e8d150cf868532650a97ae7839d10c23ec0e22ce9889a70c387434
Opcode Fuzzy Hash: 553a89aa8530ea5ed3258fee8868904ab3a0dfef6bcc1fe6f6eb6183663b342f
Instruction Fuzzy Hash: B9315231C02168EBCB219BE4DC48BDEBBB4AF49318F1402D5E959A3690EB308F84DF51

Function 6CC8D07E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 66registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 6CC8D0AE
RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 6CC8D0D1
RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 6CC8D0ED
RegCloseKey.ADVAPI32(?), ref: 6CC8D0FD
RegCloseKey.ADVAPI32(?), ref: 6CC8D107

Strings

software, xrefs: 6CC8D096

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: CloseCreate$Open
String ID: software
API String ID: 1740278721-2010147023
Opcode ID: f5c90e16490c57b01f640907020122569fb3856dddd7ca5ff59921fa9fb5b6e0
Instruction ID: 5027998d26c02000ee54371143acf2793815e52eda01264bc616332124f8ac21
Opcode Fuzzy Hash: f5c90e16490c57b01f640907020122569fb3856dddd7ca5ff59921fa9fb5b6e0
Instruction Fuzzy Hash: 0C11E972D01159BBCB11DADACD88DDFBFBDEF85754B10406AA504A2111E7319A01DB60

Function 6CC8BEAE Relevance: 10.6, APIs: 7, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32(?), ref: 6CC8BEB5
__CxxThrowException@8.LIBCMT ref: 6CC8BEBF

Part of subcall function 6CC9527B: RaiseException.KERNEL32(?,00000003,000000FF,6CC8279F), ref: 6CC952BD

LocalReAlloc.KERNEL32(?,00000000,00000002,00000000,00000010,?,?,00000000,?,00000004,6CC8AF00,6CC86DDD,6CC8A591,6CC82BC2,?), ref: 6CC8BED6
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,6CC8AF00,6CC86DDD,6CC8A591,6CC82BC2,?,?,?,?,?), ref: 6CC8BEE3

Part of subcall function 6CC86D89: __CxxThrowException@8.LIBCMT ref: 6CC86D9F

_memset.LIBCMT ref: 6CC8BF02
TlsSetValue.KERNEL32(?,00000000,?), ref: 6CC8BF13
LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,6CC8AF00,6CC86DDD,6CC8A591,6CC82BC2,?,?,?,?,?), ref: 6CC8BF34

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: CriticalLeaveSection$Exception@8Throw$AllocExceptionLocalRaiseValue_memset
String ID:
API String ID: 356813703-0
Opcode ID: 4c6932f24ec3ab3dccf83a15a5dabe846ed5aa115279c3da8f4f88d5758935d1
Instruction ID: dea8e951e3cc98ce4e6574d0b575d9478dd4329122302fad0ad839141fe643fb
Opcode Fuzzy Hash: 4c6932f24ec3ab3dccf83a15a5dabe846ed5aa115279c3da8f4f88d5758935d1
Instruction Fuzzy Hash: B4118E74200605AFDB10AFA4DC89C6FBBB5FF04318B10C52AE659D7A20EB30AC64CF50

Function 6CC8CA77 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000000), ref: 6CC8CA85
SetErrorMode.KERNEL32(00000000), ref: 6CC8CA8D

Part of subcall function 6CC8A698: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 6CC8A6D0
Part of subcall function 6CC8A698: SetLastError.KERNEL32(0000006F), ref: 6CC8A6E7

GetModuleHandleW.KERNEL32(user32.dll), ref: 6CC8CADC
GetProcAddress.KERNEL32(00000000,NotifyWinEvent), ref: 6CC8CAEC

Part of subcall function 6CC8C8E2: GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 6CC8C91F
Part of subcall function 6CC8C8E2: PathFindExtensionW.SHLWAPI(?), ref: 6CC8C939
Part of subcall function 6CC8C8E2: __wcsdup.LIBCMT ref: 6CC8C983
Part of subcall function 6CC8C8E2: __wcsdup.LIBCMT ref: 6CC8C9C2
Part of subcall function 6CC8C8E2: __wcsdup.LIBCMT ref: 6CC8CA14

Strings

NotifyWinEvent, xrefs: 6CC8CAE6
user32.dll, xrefs: 6CC8CAD7

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: ErrorModule__wcsdup$FileModeName$AddressExtensionFindHandleLastPathProc
String ID: NotifyWinEvent$user32.dll
API String ID: 3531328582-597752486
Opcode ID: 841a0605230b5dc608e623195e8acbcf08ce807b13f58a970b650fdea06778f4
Instruction ID: abe861bef26f03b924f9888a685ea8ec3d10172ca653608cdd191b104ef5f4db
Opcode Fuzzy Hash: 841a0605230b5dc608e623195e8acbcf08ce807b13f58a970b650fdea06778f4
Instruction Fuzzy Hash: 9C01DF706122444FCB10EFA5C808E8F3FA8EF88318B05845AFA05DBB80EB35C8408F65

Function 6CC8CD20 Relevance: 10.5, APIs: 7, Instructions: 30COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 6CC8CD2E
GetSysColor.USER32(00000010), ref: 6CC8CD35
GetSysColor.USER32(00000014), ref: 6CC8CD3C
GetSysColor.USER32(00000012), ref: 6CC8CD43
GetSysColor.USER32(00000006), ref: 6CC8CD4A
GetSysColorBrush.USER32(0000000F), ref: 6CC8CD57
GetSysColorBrush.USER32(00000006), ref: 6CC8CD5E

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: dbcd79f9c527fe45e75742f889067fa56dc9e9fac7e67e8b9b2309305ccf74d6
Instruction ID: 237854340aa2c3507f76115a80a48b58e4d2d26c6d8bb262f2697312590cfd53
Opcode Fuzzy Hash: dbcd79f9c527fe45e75742f889067fa56dc9e9fac7e67e8b9b2309305ccf74d6
Instruction Fuzzy Hash: 5DF0FE71A417445BDB30BBB25909F47BAE1FFC4710F16092EE2458B990D6B6E441DF40

Function 6CC8815A Relevance: 9.1, APIs: 6, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 6CC8818D
GetParent.USER32(?), ref: 6CC8819B
GetParent.USER32(?), ref: 6CC881AE
GetLastActivePopup.USER32(?), ref: 6CC881BF
IsWindowEnabled.USER32(?), ref: 6CC881D3
EnableWindow.USER32(?,00000000), ref: 6CC881E6

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: 8d8e76e7b00e8b20cf527e96ca9e9cb831c301b71a35017f79b52abd93e03896
Instruction ID: d16ab863f4443fbf120f25458144ec92c4a80bb32a8e6c47c265d374c09a9fec
Opcode Fuzzy Hash: 8d8e76e7b00e8b20cf527e96ca9e9cb831c301b71a35017f79b52abd93e03896
Instruction Fuzzy Hash: B3119132A07631ABD7120AAA8C44F5FBEB86F45B6CF150227ED14E7E04FF64C80146E1

Function 6CC9C416 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 6CC9C43E

Part of subcall function 6CC94FC4: __getptd.LIBCMT ref: 6CC94FD2
Part of subcall function 6CC94FC4: __getptd.LIBCMT ref: 6CC94FE0

__getptd.LIBCMT ref: 6CC9C448

Part of subcall function 6CC9A27F: __getptd_noexit.LIBCMT ref: 6CC9A282
Part of subcall function 6CC9A27F: __amsg_exit.LIBCMT ref: 6CC9A28F

__getptd.LIBCMT ref: 6CC9C456
__getptd.LIBCMT ref: 6CC9C464
__getptd.LIBCMT ref: 6CC9C46F
_CallCatchBlock2.LIBCMT ref: 6CC9C495

Part of subcall function 6CC95069: __CallSettingFrame@12.LIBCMT ref: 6CC950B5

Part of subcall function 6CC9C53C: __getptd.LIBCMT ref: 6CC9C54B
Part of subcall function 6CC9C53C: __getptd.LIBCMT ref: 6CC9C559

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: bd724f9712053408485dfc835ee6d91e1fa55e5332bd6f9ce4c9004e435d8c31
Instruction ID: 676e7ec5dd4b1f1b61879ab5303c981ba0d36032cb337fb8fd157177d2eb88f0
Opcode Fuzzy Hash: bd724f9712053408485dfc835ee6d91e1fa55e5332bd6f9ce4c9004e435d8c31
Instruction Fuzzy Hash: 1911C3B1C04209DFDF00EFA4C844AED7BB1FF18319F108569E814A7750EB399A199F51

Function 6CC8DB5C Relevance: 9.0, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 6CC8DB6D
GetDlgCtrlID.USER32(00000000), ref: 6CC8DB81
GetWindowLongW.USER32(00000000,000000F0), ref: 6CC8DB91
GetWindowRect.USER32(00000000,?), ref: 6CC8DBA3
PtInRect.USER32(?,?,?), ref: 6CC8DBB3
GetWindow.USER32(?,00000005), ref: 6CC8DBC0

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: eaa2f991e55e9faee87949c8b54355fb26d229828a8f2effd0504a47f95dc8ac
Instruction ID: 20860944b19e0fcbf495a0de2b56eccb8219a58cace70ab3174c2eebd6218f8e
Opcode Fuzzy Hash: eaa2f991e55e9faee87949c8b54355fb26d229828a8f2effd0504a47f95dc8ac
Instruction Fuzzy Hash: 0F014B3260216ABBDB115B959C0CEAF3B78FF46B69F014122F91196090E734D5168B94

Function 6CC92932 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 244COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6CC92962

Strings

AfxMDIFrame90su, xrefs: 6CC92A03
@, xrefs: 6CC92A6E
@, xrefs: 6CC92B07
AfxFrameOrView90su, xrefs: 6CC92A28

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: _memset
String ID: @$@$AfxFrameOrView90su$AfxMDIFrame90su
API String ID: 2102423945-1093365818
Opcode ID: f5981529e65721ec7e37d93d09d44dee735bfeeb7fd994d4bb8862ab9a521e8f
Instruction ID: 10ed6d6b135418e419dcb80fb70bdbe231319232714d599f8f9f2159575330ba
Opcode Fuzzy Hash: f5981529e65721ec7e37d93d09d44dee735bfeeb7fd994d4bb8862ab9a521e8f
Instruction Fuzzy Hash: E9912072D0124DAEDB40CF98C599BDEBBF8AF49348F218165ED58E6680F774C644C7A0

Function 6CC896DA Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

GetMenuCheckMarkDimensions.USER32 ref: 6CC896F2
_memset.LIBCMT ref: 6CC8976A
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 6CC897CD
LoadBitmapW.USER32(00000000,00007FE3), ref: 6CC897E5

Strings

, xrefs: 6CC8974B

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu_memset
String ID:
API String ID: 4271682439-3916222277
Opcode ID: 4460068195bb9d2db58a2f202500d34099540aff70e3408ef89b196f3b16c1da
Instruction ID: a004ae6a2c1f2a8d0328e54bbf1e8afc3eeed6ea7fbe89a1b55de21030c190b1
Opcode Fuzzy Hash: 4460068195bb9d2db58a2f202500d34099540aff70e3408ef89b196f3b16c1da
Instruction Fuzzy Hash: 78310971B002559FEF108FA89CC8B9E7BB5FB45308F5540AAE549EB681EF309D498F50

Function 6CC9C165 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6CC9C17F

Part of subcall function 6CC9A27F: __getptd_noexit.LIBCMT ref: 6CC9A282
Part of subcall function 6CC9A27F: __amsg_exit.LIBCMT ref: 6CC9A28F

__getptd.LIBCMT ref: 6CC9C190
__getptd.LIBCMT ref: 6CC9C19E

Strings

csm, xrefs: 6CC9C178
MOC, xrefs: 6CC9C171

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$csm
API String ID: 803148776-1389381023
Opcode ID: 8c112de8ba61407736256011eba1e9c09d59243f4efd8b177e32e0b804c32463
Instruction ID: ccff254544173485d733cbb3644009fa1c7dd06939f3afc8e80448ac8d364368
Opcode Fuzzy Hash: 8c112de8ba61407736256011eba1e9c09d59243f4efd8b177e32e0b804c32463
Instruction Fuzzy Hash: 15E04F329145048FD700ABB4C045B5837A4FBA9718F2501A1D40CCBB21F735E644C943

Function 6CC85670 Relevance: 7.6, APIs: 5, Instructions: 77stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,?,?,6CC849D6,?,00000003), ref: 6CC85685
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00000000,?,00000000,00000000), ref: 6CC856B4
GetLastError.KERNEL32 ref: 6CC856C5
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00000000,00000000,00000000,00000000), ref: 6CC856E5
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000000,00000000,00000000), ref: 6CC85709

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLastlstrlen
String ID:
API String ID: 3322701435-0
Opcode ID: 0f4ac35a4d60b24a488b6d75d20dc54d335add93a346653fbe634269116f6980
Instruction ID: 2378a5d5f60acf84a9ed9be288dcc436661ccf337fffc651936d37f4d53d9fa4
Opcode Fuzzy Hash: 0f4ac35a4d60b24a488b6d75d20dc54d335add93a346653fbe634269116f6980
Instruction Fuzzy Hash: 0411B475390305ABE610DEA4DCC4F6B77BCE785748F100928F642973C0D6A4BC088670

Function 6CC8DA11 Relevance: 7.6, APIs: 5, Instructions: 55stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?), ref: 6CC8DA3D
_memset.LIBCMT ref: 6CC8DA5B
GetWindowTextW.USER32(00000000,?,00000100), ref: 6CC8DA75
lstrcmpW.KERNEL32(?,?,?,?), ref: 6CC8DA87
SetWindowTextW.USER32(00000000,?), ref: 6CC8DA93

Part of subcall function 6CC86DC1: __CxxThrowException@8.LIBCMT ref: 6CC86DD7
Part of subcall function 6CC86DC1: __EH_prolog3.LIBCMT ref: 6CC86DE4

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: TextWindow$Exception@8H_prolog3Throw_memsetlstrcmplstrlen
String ID:
API String ID: 4273134663-0
Opcode ID: 1b775fc22a874a4e0968d5d3400692d37ad3499fc71262f5dd600d18149f1f09
Instruction ID: 06ceae675c4d9f4b129466d456b150bf4051db4922a89f6c1437bdab4bfee6d1
Opcode Fuzzy Hash: 1b775fc22a874a4e0968d5d3400692d37ad3499fc71262f5dd600d18149f1f09
Instruction Fuzzy Hash: 2B0184B6A0225A77CB00DAB59C8CDDF77BDEF45748F104466E915D3241EA34D94887A0

Function 6CC9FE0E Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6CC9FE1A

Part of subcall function 6CC9A27F: __getptd_noexit.LIBCMT ref: 6CC9A282
Part of subcall function 6CC9A27F: __amsg_exit.LIBCMT ref: 6CC9A28F

__amsg_exit.LIBCMT ref: 6CC9FE3A
__lock.LIBCMT ref: 6CC9FE4A
InterlockedDecrement.KERNEL32(?), ref: 6CC9FE67
InterlockedIncrement.KERNEL32(02922808), ref: 6CC9FE92

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: a320f5b836c9af127071dab57894664b1965bb637351eab1995f2725cf0301cc
Instruction ID: d67927f7126d7dd58de98ff4367dd5b617419cd61e6381b6f060815ea4335613
Opcode Fuzzy Hash: a320f5b836c9af127071dab57894664b1965bb637351eab1995f2725cf0301cc
Instruction Fuzzy Hash: 8501B932E02715DFDB119BE5840879D77B0BF06729F110209F92067F91E734A951CBD5

Function 6CC94618 Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 6CC94636

Part of subcall function 6CC9A914: __mtinitlocknum.LIBCMT ref: 6CC9A92A
Part of subcall function 6CC9A914: __amsg_exit.LIBCMT ref: 6CC9A936
Part of subcall function 6CC9A914: EnterCriticalSection.KERNEL32(6CC82790,6CC82790,?,6CC9B48C,00000004,6CCAE998,0000000C,6CC9A61E,6CCAC168,6CC8279F,00000000,00000000,00000000,?,6CC9A231,00000001), ref: 6CC9A93E

___sbh_find_block.LIBCMT ref: 6CC94641
___sbh_free_block.LIBCMT ref: 6CC94650
HeapFree.KERNEL32(00000000,6CCAC168,6CCAE828,0000000C,6CC9A8F5,00000000,6CCAE978,0000000C,6CC9A92F,6CCAC168,6CC82790,?,6CC9B48C,00000004,6CCAE998,0000000C), ref: 6CC94680
GetLastError.KERNEL32(?,6CC9B48C,00000004,6CCAE998,0000000C,6CC9A61E,6CCAC168,6CC8279F,00000000,00000000,00000000,?,6CC9A231,00000001,00000214), ref: 6CC94691

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: d20657846d30bfda7da13464d2fcd4203657fc7e8e449d861eb1bd2517f48015
Instruction ID: 1654370589f66fc42527339fd9d84e9f22ca6ffa2ab5644de2117038e4d25144
Opcode Fuzzy Hash: d20657846d30bfda7da13464d2fcd4203657fc7e8e449d861eb1bd2517f48015
Instruction Fuzzy Hash: 9101A971D45715EBDF209FB1A808B9E3BB4BF0176EF214209E124A6EC0FB74D544CA98

Function 6CC8C113 Relevance: 7.5, APIs: 5, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

TlsFree.KERNEL32(?,?,?,6CC8C179), ref: 6CC8C13B
GlobalHandle.KERNEL32(?), ref: 6CC8C149
GlobalUnlock.KERNEL32(00000000), ref: 6CC8C152
GlobalFree.KERNEL32(00000000), ref: 6CC8C159
DeleteCriticalSection.KERNEL32(?,?,?,6CC8C179), ref: 6CC8C163

Part of subcall function 6CC8BF5D: EnterCriticalSection.KERNEL32(?), ref: 6CC8BFBC
Part of subcall function 6CC8BF5D: LeaveCriticalSection.KERNEL32(?), ref: 6CC8BFCC
Part of subcall function 6CC8BF5D: LocalFree.KERNEL32(?), ref: 6CC8BFD5
Part of subcall function 6CC8BF5D: TlsSetValue.KERNEL32(?,00000000), ref: 6CC8BFE7

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: CriticalFreeGlobalSection$DeleteEnterHandleLeaveLocalUnlockValue
String ID:
API String ID: 1549993015-0
Opcode ID: 471f5d7357b558e491d251b3d262cbdd05ac19075bda43523eacc3b28732e294
Instruction ID: f9499517fffefe07236acaa192b6d2cc9af9a3e2aa9ed1740e60bf41aac52fba
Opcode Fuzzy Hash: 471f5d7357b558e491d251b3d262cbdd05ac19075bda43523eacc3b28732e294
Instruction Fuzzy Hash: 7AF089363026409BDB10AB78AC4CE6F3BB9EF867687650709F525D3641DB34D8038B70

Function 6CC9140F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6CC8C220: EnterCriticalSection.KERNEL32(6CCB34A8,?,?,?,?,6CC8BB27,00000010,00000008,6CC8AF1F,6CC8AEC2,6CC86DDD,6CC8A591,6CC82BC2,?,?,?), ref: 6CC8C25A
Part of subcall function 6CC8C220: InitializeCriticalSection.KERNEL32(-000071A8,?,?,?,6CC8BB27,00000010,00000008,6CC8AF1F,6CC8AEC2,6CC86DDD,6CC8A591,6CC82BC2,?,?,?,?), ref: 6CC8C26C
Part of subcall function 6CC8C220: LeaveCriticalSection.KERNEL32(6CCB34A8,?,?,?,6CC8BB27,00000010,00000008,6CC8AF1F,6CC8AEC2,6CC86DDD,6CC8A591,6CC82BC2,?,?,?,?), ref: 6CC8C279
Part of subcall function 6CC8C220: EnterCriticalSection.KERNEL32(-000071A8,?,?,?,?,6CC8BB27,00000010,00000008,6CC8AF1F,6CC8AEC2,6CC86DDD,6CC8A591,6CC82BC2,?,?,?), ref: 6CC8C289

Part of subcall function 6CC8BB0C: __EH_prolog3_catch.LIBCMT ref: 6CC8BB13

Part of subcall function 6CC86DC1: __CxxThrowException@8.LIBCMT ref: 6CC86DD7
Part of subcall function 6CC86DC1: __EH_prolog3.LIBCMT ref: 6CC86DE4

GetProcAddress.KERNEL32(00000000,HtmlHelpW), ref: 6CC91458
FreeLibrary.KERNEL32(?), ref: 6CC91468

Strings

hhctrl.ocx, xrefs: 6CC9143C
HtmlHelpW, xrefs: 6CC91452

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3H_prolog3_catchInitializeLeaveLibraryProcThrow
String ID: HtmlHelpW$hhctrl.ocx
API String ID: 2853499158-3773518134
Opcode ID: c8204ba9452fdc3c5d984a08aedafd6597c38614efb34846476762984acd80c5
Instruction ID: 524b7c4852c124fdc8acf9646dbec5b8665fe1e5cda9218515da5164c536ece2
Opcode Fuzzy Hash: c8204ba9452fdc3c5d984a08aedafd6597c38614efb34846476762984acd80c5
Instruction Fuzzy Hash: 5101D631200706A7CB116FAADD0AF8B7FB8AF0875CF00C91AF54B96D50FB31D4548A51

Function 6CC9C7C3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 6CC9C7D6

Part of subcall function 6CC9C731: ___BuildCatchObjectHelper.LIBCMT ref: 6CC9C767

_UnwindNestedFrames.LIBCMT ref: 6CC9C7ED
___FrameUnwindToState.LIBCMT ref: 6CC9C7FB

Strings

csm, xrefs: 6CC9C7D2, 6CC9C7E7, 6CC9C7FA, 6CC9C818, 6CC9C828

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm
API String ID: 2163707966-1018135373
Opcode ID: 9333c40b5dfdbc582cc92e6f10fbdaaaf62e4115b5764113ccc931296aa917a4
Instruction ID: 6ac35f948637a1ae0850768d9b8d1914c5365e45e1f3e4d831d2042c5a2834e2
Opcode Fuzzy Hash: 9333c40b5dfdbc582cc92e6f10fbdaaaf62e4115b5764113ccc931296aa917a4
Instruction Fuzzy Hash: D001F632001109BBDF12AF51CC84EEA7F6AFF18398F104010FD2855A20E732D9B1EBA5

Function 6CC9ED77 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,6CC977D7), ref: 6CC9ED7C
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 6CC9ED8C

Strings

KERNEL32, xrefs: 6CC9ED77
IsProcessorFeaturePresent, xrefs: 6CC9ED86

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 15df415d0e26689c2bba6eea7f12a85e9acb4d47e03508340d3100b8efaae946
Instruction ID: 861f3d702ba454007e35fd8c71863654f950e3955678901d032b3b7567721b3c
Opcode Fuzzy Hash: 15df415d0e26689c2bba6eea7f12a85e9acb4d47e03508340d3100b8efaae946
Instruction Fuzzy Hash: 45F03031A01A0AD2DF001BE1BD1D66F7A79BBC2746F8209D4E195E1494EF3180B19685

Function 6CC87D71 Relevance: 6.1, APIs: 4, Instructions: 131timeCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6CC87D88
GetFileTime.KERNEL32(?,?,?,?), ref: 6CC87DBF
GetFileSizeEx.KERNEL32(?,?), ref: 6CC87DD7

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: File$SizeTime_memset
String ID:
API String ID: 151880914-0
Opcode ID: e7e3adb5257b1e94108ae53e89ed8f785695853b16171a9ebd70a9cc9a4c1bf0
Instruction ID: 4d5d97232134479a0ee0c7ae42f9729d94e0d350071593c6f2c7351ab298ecb2
Opcode Fuzzy Hash: e7e3adb5257b1e94108ae53e89ed8f785695853b16171a9ebd70a9cc9a4c1bf0
Instruction Fuzzy Hash: 4B511E726056059FDB20CF65C944DABBBF8FF09318B144A1EE5A6D3A90F730E944DB60

Function 6CCA081B Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6CCA084F
__isleadbyte_l.LIBCMT ref: 6CCA0883
MultiByteToWideChar.KERNEL32(00000080,00000009,6CC940D8,6CCABF84,00000000,00000000,?,?,?,?,6CC940D8,00000000,?), ref: 6CCA08B4
MultiByteToWideChar.KERNEL32(00000080,00000009,6CC940D8,00000001,00000000,00000000,?,?,?,?,6CC940D8,00000000,?), ref: 6CCA0922

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 1e461e46e6739f7cb0546d75e78a0145e905c683a77dae3d0d461de2d0b8413a
Instruction ID: c1e479e858cf976451f1b0a987b57a5bd686565f0412157ea8cae7568f693830
Opcode Fuzzy Hash: 1e461e46e6739f7cb0546d75e78a0145e905c683a77dae3d0d461de2d0b8413a
Instruction Fuzzy Hash: FC31E231A012C7EFDB04CFE4C8889AE3BB5BF01394F148669E4669B591FB31C942DB94

Function 6CC88EC9 Relevance: 6.1, APIs: 4, Instructions: 57threadCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CC88ED0

Part of subcall function 6CC89C7C: __EH_prolog3.LIBCMT ref: 6CC89C83

__wcsdup.LIBCMT ref: 6CC88EF2
GetCurrentThread.KERNEL32 ref: 6CC88F1F
GetCurrentThreadId.KERNEL32 ref: 6CC88F28

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: CurrentH_prolog3Thread$__wcsdup
String ID:
API String ID: 190065205-0
Opcode ID: b385ba4ee7c6a4ae4d25983c7c62129835b578c5efdbe07656fd0777cb218228
Instruction ID: e6c0caaa596fe1e8bbd0aa0ff8b03e092fd13e6047677a91fd0f5554c20b7f26
Opcode Fuzzy Hash: b385ba4ee7c6a4ae4d25983c7c62129835b578c5efdbe07656fd0777cb218228
Instruction Fuzzy Hash: 22217EB0901B408FC7218F7A854568AFEF4BFA4708F10895FD1AAC7B21EBB0A045CF45

Function 6CC91D07 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 6CC91D33
SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 6CC91D5E
GetCapture.USER32 ref: 6CC91D70
SendMessageW.USER32(00000000,0000001F,00000000,00000000), ref: 6CC91D7F

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: MessageSend$Capture
String ID:
API String ID: 1665607226-0
Opcode ID: 5ab8c660621f62f6b54603eccd7a3569dc76acb8d43831134326f344771b0152
Instruction ID: cf80ff68d52a3a5e4c7985df63e06bf7aad738d504da34c94209a9a38e60813d
Opcode Fuzzy Hash: 5ab8c660621f62f6b54603eccd7a3569dc76acb8d43831134326f344771b0152
Instruction Fuzzy Hash: D90184713502947BDF311B668CCDFEB3E7AEFCAF14F1100B9B6059A1E6DAA18804D620

Function 6CC86A83 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CC86A8A

Part of subcall function 6CC868E2: _malloc.LIBCMT ref: 6CC86900

__CxxThrowException@8.LIBCMT ref: 6CC86AC0
FormatMessageW.KERNEL32(00001100,00000000,6CCAC050,00000800,000000FF,00000000,00000000,?,?,6CCAD898,00000004,6CC816A6,?,6CC8155A,8007000E,6CC813DE), ref: 6CC86AEA
LocalFree.KERNEL32(000000FF,000000FF,6CC8279F), ref: 6CC86B12

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: Exception@8FormatFreeH_prolog3LocalMessageThrow_malloc
String ID:
API String ID: 1776251131-0
Opcode ID: 3b2b89ab4b29cd8e6fa67e0f74f3f5e83f8eac5f52b2beac5eb58ec20dd9d5d8
Instruction ID: f240bc549db9c0f962f2dfc8a09bb4f285a26195d0f6d4570e6b6829db37eac7
Opcode Fuzzy Hash: 3b2b89ab4b29cd8e6fa67e0f74f3f5e83f8eac5f52b2beac5eb58ec20dd9d5d8
Instruction Fuzzy Hash: 47118C71651649AFDF048FA8CC44EEE3BB9EF48318F20C529B529CB690F73189508B50

Function 6CC8D159 Relevance: 6.1, APIs: 4, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.ADVAPI32(00000000,?,00000000,00000004,?,00000004), ref: 6CC8D194
RegCloseKey.ADVAPI32(00000000), ref: 6CC8D19D
swprintf.LIBCMT ref: 6CC8D1BA
WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 6CC8D1CB

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: ClosePrivateProfileStringValueWriteswprintf
String ID:
API String ID: 22681860-0
Opcode ID: dce61cbc9e0240de27cf65f65c77fcc03bef84248163a16e5b7ad582d078f8ed
Instruction ID: c978fc69042eccb1c0fa4b1855207e82e757bbe743cc1d00ee330c6f9d6e281f
Opcode Fuzzy Hash: dce61cbc9e0240de27cf65f65c77fcc03bef84248163a16e5b7ad582d078f8ed
Instruction Fuzzy Hash: 3C01A172A01209ABDF009F648C49FAFB7BCAF49718F10041AFA01E7540EB71E90587A4

Function 6CC87287 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 6CC868E2: _malloc.LIBCMT ref: 6CC86900

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 6CC872BB
GetCurrentProcess.KERNEL32(?,00000000), ref: 6CC872C1
DuplicateHandle.KERNEL32(00000000), ref: 6CC872C4
GetLastError.KERNEL32(?), ref: 6CC872DF

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: CurrentProcess$DuplicateErrorHandleLast_malloc
String ID:
API String ID: 3704204646-0
Opcode ID: 496380d6393d9a367de2bbe3aa534c5c7abc33c9567abbdbcc1e179c744470d0
Instruction ID: 0728094b2f5427a9c2d297707e5007585d49fa51f057b04485a7c827539dbbd9
Opcode Fuzzy Hash: 496380d6393d9a367de2bbe3aa534c5c7abc33c9567abbdbcc1e179c744470d0
Instruction Fuzzy Hash: B7017131701605ABDB009BA6DD89F5B7FB9EF85758F244525F508CB641FB71DC009760

Function 6CC90F8D Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

GetTopWindow.USER32(?), ref: 6CC90F9D
GetTopWindow.USER32(00000000), ref: 6CC90FDC
GetWindow.USER32(00000000,00000002), ref: 6CC90FFA

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: e3a673d12146e25841475bbdfb8874c56d3290738a600b5df3e66ff9587d0f2f
Instruction ID: 9278d84d42e55b7e67dfe39b65683694a9e327e74b3508a68b7c1959766dfdc0
Opcode Fuzzy Hash: e3a673d12146e25841475bbdfb8874c56d3290738a600b5df3e66ff9587d0f2f
Instruction Fuzzy Hash: 2001293200569ABBCF025E959D09EDF3F3ABF49794F004011FA1191520E736C672EBA1

Function 6CC9EC63 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 6CC9EC89

Part of subcall function 6CC9EAAE: __fltout2.LIBCMT ref: 6CC9EADA

__cftog_l.LIBCMT ref: 6CC9ECAF
__cftoe_l.LIBCMT ref: 6CC9ECE1

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: 5a04dfc87731c8cac3141b82b7ddf9ebcd56259c21d0da406081d57cae9c868b
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: 1F11407284418EBBCF125F84CC41CDE3F62BB29358B598419FA6859570E736CAB1AB81

Function 6CC903CF Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 6CC903DC
GetTopWindow.USER32(00000000), ref: 6CC903EF

Part of subcall function 6CC903CF: GetWindow.USER32(00000000,00000002), ref: 6CC90436

GetTopWindow.USER32(?), ref: 6CC9041F

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: 313414d34feba34b179b801e81998901c26e9a593383f6440190b72f58dd3a48
Instruction ID: dd142270bd92c325a517e41c33923150fbd5850a759cf1665f412781aeba5081
Opcode Fuzzy Hash: 313414d34feba34b179b801e81998901c26e9a593383f6440190b72f58dd3a48
Instruction Fuzzy Hash: 4D0184321465AAAB8B122E668D04ECF3A79AF4D394B458121FD1491D01F731C51296A5

Function 6CCA057A Relevance: 6.0, APIs: 4, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6CCA0586

Part of subcall function 6CC9A27F: __getptd_noexit.LIBCMT ref: 6CC9A282
Part of subcall function 6CC9A27F: __amsg_exit.LIBCMT ref: 6CC9A28F

__getptd.LIBCMT ref: 6CCA059D
__amsg_exit.LIBCMT ref: 6CCA05AB
__lock.LIBCMT ref: 6CCA05BB

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 3d5163103c3c5710315665a06302f4466bcd9302e03ad058be76100cae126990
Instruction ID: 88e60d02585113a471eaeb8904775749feaac91b2282130e9b3404f81e7267b2
Opcode Fuzzy Hash: 3d5163103c3c5710315665a06302f4466bcd9302e03ad058be76100cae126990
Instruction Fuzzy Hash: DEF0B432D01715DFDB20ABF4840978C73B06F42769F510609D45567F90FB34A606CB5A

Function 6CC8A698 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

Part of subcall function 6CC8A59C: GetModuleHandleW.KERNEL32(KERNEL32,6CC8A6B6), ref: 6CC8A5AA
Part of subcall function 6CC8A59C: GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 6CC8A5CB
Part of subcall function 6CC8A59C: GetProcAddress.KERNEL32(ReleaseActCtx), ref: 6CC8A5DD
Part of subcall function 6CC8A59C: GetProcAddress.KERNEL32(ActivateActCtx), ref: 6CC8A5EF
Part of subcall function 6CC8A59C: GetProcAddress.KERNEL32(DeactivateActCtx), ref: 6CC8A601

GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 6CC8A6D0
SetLastError.KERNEL32(0000006F), ref: 6CC8A6E7

Strings

, xrefs: 6CC8A705

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: AddressProc$Module$ErrorFileHandleLastName
String ID:
API String ID: 2524245154-3916222277
Opcode ID: b38b215a92b5becbfd42a11099f01a6176bdfa7b23d0b1bce3a5fe8a56e6225c
Instruction ID: d0c0f4b364c88e36df5bcb5bdfde34ec7192cad3be11a103073c5658f8f26267
Opcode Fuzzy Hash: b38b215a92b5becbfd42a11099f01a6176bdfa7b23d0b1bce3a5fe8a56e6225c
Instruction Fuzzy Hash: A8215E709012289EDB20DF75D8587DEBBB4BF44328F10869AD069E72C0EB749A89DF54

Function 6CC88E50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 6CC88E78
PathFindExtensionW.SHLWAPI(?), ref: 6CC88E8E

Part of subcall function 6CC88BDF: __EH_prolog3_GS.LIBCMT ref: 6CC88BE9
Part of subcall function 6CC88BDF: GetModuleHandleW.KERNEL32(kernel32.dll,00000260,6CC88EB7,?,?), ref: 6CC88C19
Part of subcall function 6CC88BDF: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 6CC88C2D
Part of subcall function 6CC88BDF: ConvertDefaultLocale.KERNEL32(?), ref: 6CC88C69
Part of subcall function 6CC88BDF: ConvertDefaultLocale.KERNEL32(?), ref: 6CC88C77
Part of subcall function 6CC88BDF: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 6CC88C94
Part of subcall function 6CC88BDF: ConvertDefaultLocale.KERNEL32(?), ref: 6CC88CBF
Part of subcall function 6CC88BDF: ConvertDefaultLocale.KERNEL32(000003FF), ref: 6CC88CC8
Part of subcall function 6CC88BDF: GetModuleFileNameW.KERNEL32(6CC80000,?,00000105), ref: 6CC88D7F

Strings

%s%s.dll, xrefs: 6CC88E99

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: ConvertDefaultLocale$Module$AddressFileNameProc$ExtensionFindH_prolog3_HandlePath
String ID: %s%s.dll
API String ID: 1311856149-1649984862
Opcode ID: 511f6d40180034e23e68de62d20b83ab84b4d043c1c2aa6e998f0384538215e4
Instruction ID: 5759dcebc78d7c053ea2d20e02c6279d6c8a037254561d903980eb5d66185278
Opcode Fuzzy Hash: 511f6d40180034e23e68de62d20b83ab84b4d043c1c2aa6e998f0384538215e4
Instruction Fuzzy Hash: A3018B71A12118BBCB11DBA8EC49DEF77F9FF49704F0104A6A505EB540E770DA05CB54

Function 6CC9C53C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6CC95017: __getptd.LIBCMT ref: 6CC9501D
Part of subcall function 6CC95017: __getptd.LIBCMT ref: 6CC9502D

__getptd.LIBCMT ref: 6CC9C54B

Part of subcall function 6CC9A27F: __getptd_noexit.LIBCMT ref: 6CC9A282
Part of subcall function 6CC9A27F: __amsg_exit.LIBCMT ref: 6CC9A28F

__getptd.LIBCMT ref: 6CC9C559

Strings

csm, xrefs: 6CC9C567

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: f8cc2f09cc03d4c7c6e467d980a2c87cccd186c913e22614bc70be444f49effe
Instruction ID: e52b9c035538658905de0229753826611e83c2d4661e8451afe8f2721e1c729f
Opcode Fuzzy Hash: f8cc2f09cc03d4c7c6e467d980a2c87cccd186c913e22614bc70be444f49effe
Instruction Fuzzy Hash: 3201D170805201CFCF20AF61C48069EBFB5AF20319F64052ED451D6E50FB30D684EF41

Function 6CC8BF5D Relevance: 5.1, APIs: 4, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 6CC8BFBC
LeaveCriticalSection.KERNEL32(?), ref: 6CC8BFCC
LocalFree.KERNEL32(?), ref: 6CC8BFD5
TlsSetValue.KERNEL32(?,00000000), ref: 6CC8BFE7

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: CriticalSection$EnterFreeLeaveLocalValue
String ID:
API String ID: 2949335588-0
Opcode ID: defb0684372e5899f82d4dc7a92e8248faee83cd9638636caf80a8e64552129d
Instruction ID: f157ed241b027a109cc4e417e3f89fda0710588e60de1a959095c126ead23042
Opcode Fuzzy Hash: defb0684372e5899f82d4dc7a92e8248faee83cd9638636caf80a8e64552129d
Instruction Fuzzy Hash: 72117C35602604EFD714CF98C894F5ABBB4FF46319F208469F2528B9A1DB71B850CF10

Function 6CC8C220 Relevance: 5.0, APIs: 4, Instructions: 38COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6CCB34A8,?,?,?,?,6CC8BB27,00000010,00000008,6CC8AF1F,6CC8AEC2,6CC86DDD,6CC8A591,6CC82BC2,?,?,?), ref: 6CC8C25A
InitializeCriticalSection.KERNEL32(-000071A8,?,?,?,6CC8BB27,00000010,00000008,6CC8AF1F,6CC8AEC2,6CC86DDD,6CC8A591,6CC82BC2,?,?,?,?), ref: 6CC8C26C
LeaveCriticalSection.KERNEL32(6CCB34A8,?,?,?,6CC8BB27,00000010,00000008,6CC8AF1F,6CC8AEC2,6CC86DDD,6CC8A591,6CC82BC2,?,?,?,?), ref: 6CC8C279
EnterCriticalSection.KERNEL32(-000071A8,?,?,?,?,6CC8BB27,00000010,00000008,6CC8AF1F,6CC8AEC2,6CC86DDD,6CC8A591,6CC82BC2,?,?,?), ref: 6CC8C289

Part of subcall function 6CC86DC1: __CxxThrowException@8.LIBCMT ref: 6CC86DD7
Part of subcall function 6CC86DC1: __EH_prolog3.LIBCMT ref: 6CC86DE4

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: CriticalSection$Enter$Exception@8H_prolog3InitializeLeaveThrow
String ID:
API String ID: 2895727460-0
Opcode ID: 07c9f87a8c2abc2c2ce882f50a948559940afef805b02abaf4e6a636f22898c5
Instruction ID: 84c5626be05f17f5a86c6bdd1efd26054852f10791c8673e165c83821c8327e3
Opcode Fuzzy Hash: 07c9f87a8c2abc2c2ce882f50a948559940afef805b02abaf4e6a636f22898c5
Instruction Fuzzy Hash: ECF0F673601104AFCB002BD9DC8AB4BBF79EBD336CF190616E204A3D41EF30A481CAA5

Function 6CC8BA5B Relevance: 5.0, APIs: 4, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6CCB32EC,?,?,?,?,6CC8C0B7,?,00000004,6CC8AF00,6CC86DDD,6CC8A591,6CC82BC2,?,?,?,?), ref: 6CC8BA69
TlsGetValue.KERNEL32(6CCB32D0,?,?,?,6CC8C0B7,?,00000004,6CC8AF00,6CC86DDD,6CC8A591,6CC82BC2,?,?,?,?,?), ref: 6CC8BA7D
LeaveCriticalSection.KERNEL32(6CCB32EC,?,?,?,6CC8C0B7,?,00000004,6CC8AF00,6CC86DDD,6CC8A591,6CC82BC2,?,?,?,?,?), ref: 6CC8BA93
LeaveCriticalSection.KERNEL32(6CCB32EC,?,?,?,6CC8C0B7,?,00000004,6CC8AF00,6CC86DDD,6CC8A591,6CC82BC2,?,?,?,?,?), ref: 6CC8BA9E

Memory Dump Source

Source File: 00000001.00000002.1768915976.000000006CC81000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CC80000, based on PE: true

Associated: 00000001.00000002.1768876785.000000006CC80000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769078361.000000006CCB5000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.1769135755.000000006CCB9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6cc80000_DZIPR.jbxd

Similarity

API ID: CriticalSection$Leave$EnterValue
String ID:
API String ID: 3969253408-0
Opcode ID: 95c992f550539a74cff19dcb688c698fe16bbc9fd673ed197e057e0ca085a0c9
Instruction ID: c5e90d2d59ba7b0b566ec790fbcec47571ed41ffd441b59b85e680531f21d552
Opcode Fuzzy Hash: 95c992f550539a74cff19dcb688c698fe16bbc9fd673ed197e057e0ca085a0c9
Instruction Fuzzy Hash: 2BF054763052049FD7208F98DC9CC4BBBBDEB853683154426E759D3501E634F8859BA0

Analysis Process: DZIPR.exePID: 7008, Parent PID: 6864COMMON

Execution Graph

Execution Coverage:	3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1679
Total number of Limit Nodes:	23

Executed Functions

Function 6C8963F0 Relevance: 4.7, APIs: 3, Instructions: 239
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(00000000), ref: 6C896602
VirtualProtect.KERNELBASE(?,?,00000040,00000000), ref: 6C89663B
VirtualProtect.KERNELBASE(?,?,?,00000000,?), ref: 6C896654

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: a0cde96bdf72b1d4c6aa1672c41435c2358ac601b9305d6aad22fe227a9f07e6
Instruction ID: 166bf09baa7d1c4396d6c24af58b975e64e0240dda8c45bcc1f95df7568ec9b7
Opcode Fuzzy Hash: a0cde96bdf72b1d4c6aa1672c41435c2358ac601b9305d6aad22fe227a9f07e6
Instruction Fuzzy Hash: 40A1BC306083568FC365CF6CC9D062AFBE2BF89308F19896DE89997206D731E955CBC1

Function 6C895CA0 Relevance: 3.4, APIs: 2, Instructions: 353
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: LibraryLoad_memset
String ID:
API String ID: 2997193564-0
Opcode ID: 6f96a37bbb02feb2afd4f3bc65fd6779c8ba795721b71c57f05ffdbea477235a
Instruction ID: 76c8c02850436aa1b84e4b2fa52d23f5a2bbcf34172a6421ebd618f8fa9a29e9
Opcode Fuzzy Hash: 6f96a37bbb02feb2afd4f3bc65fd6779c8ba795721b71c57f05ffdbea477235a
Instruction Fuzzy Hash: 21E167B0A087068FC724CF1AC5D062AFBE5FF89308F558A2DE89A97711D730E955CB91

Function 6C895E70 Relevance: 1.5, APIs: 1, Instructions: 248
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNELBASE(00000000,007F50EB), ref: 6C895ECA

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 5cc1f9a5f24e9e5fa095a10371991f4885906676baa96853a7d6249bb744aabc
Instruction ID: 8e1895a4e6c6e67b685b057872d925e48e9580dbcc04a267ab57d2c3bae785c9
Opcode Fuzzy Hash: 5cc1f9a5f24e9e5fa095a10371991f4885906676baa96853a7d6249bb744aabc
Instruction Fuzzy Hash: 58A19A706083168FCB28CF2CC5D022AB7E2BB89309F548A6DE89697756D730E955CBC1

Function 6C89BC4E Relevance: 16.6, APIs: 11, Instructions: 106
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEnterCriticalSection.NTDLL(6C8C32EC), ref: 6C89BC61
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,6C8C32D0,6C8C32D0,?,6C89C0A4,00000004,6C89AF00,6C896DDD,6C8968AD,?,6C8A4902,?), ref: 6C89BCB7
GlobalHandle.KERNEL32(00E3A278), ref: 6C89BCC0
GlobalUnlock.KERNEL32(00000000), ref: 6C89BCCA
GlobalReAlloc.KERNEL32(?,00000000,00002002), ref: 6C89BCE3
GlobalHandle.KERNEL32(00E3A278), ref: 6C89BCF5
GlobalLock.KERNEL32(00000000), ref: 6C89BCFC
RtlLeaveCriticalSection.NTDLL(00000000), ref: 6C89BD05
GlobalLock.KERNEL32(00000000), ref: 6C89BD11
_memset.LIBCMT ref: 6C89BD2B
RtlLeaveCriticalSection.NTDLL(00000000), ref: 6C89BD59

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
String ID:
API String ID: 496899490-0
Opcode ID: 2f16c300ef72d60bd1e1e4d10b7cb676e075379bfbf2ece91ea1f9caeacb663c
Instruction ID: 1c97f129504f85863ab4595da46a7fd6ac0badf1bb83afaa8ba3188f175b17ab
Opcode Fuzzy Hash: 2f16c300ef72d60bd1e1e4d10b7cb676e075379bfbf2ece91ea1f9caeacb663c
Instruction Fuzzy Hash: 5E31CF71600B05AFDB308F6CC989A5A7BF9FF40309B05497EE656D7A51DB30E844CB90

Function 6C8964E0 Relevance: 4.7, APIs: 3, Instructions: 151
librarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(00000000), ref: 6C896602
VirtualProtect.KERNELBASE(?,?,00000040,00000000), ref: 6C89663B

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: LibraryLoadProtectVirtual
String ID:
API String ID: 3279857687-0
Opcode ID: 5d45b89d1a72b9f8e26b7c868fc646af91f59665a881dfe9bc848d42f065ce7a
Instruction ID: 86bc701133533a196fa9851ec3445fe5c03b7d21e6b032fea80b85bde92ac2c2
Opcode Fuzzy Hash: 5d45b89d1a72b9f8e26b7c868fc646af91f59665a881dfe9bc848d42f065ce7a
Instruction Fuzzy Hash: 4751CD316083558FC725CF2CC9D062AFBE6AFC9308F198A6DE88597316D631E946CBD1

Function 6C896750 Relevance: 1.6, APIs: 1, Instructions: 109
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,?,00000000,?,00000000,?,?,?,?,6C8BC168), ref: 6C896300

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: b2ea4cfb1d33319330b047a9dd26013a9a6790dff0690911bcf0990800431ff9
Instruction ID: 4382b9f6758e801ef1d7a0a3499c91cddeeb7059a454846687957242080eda6e
Opcode Fuzzy Hash: b2ea4cfb1d33319330b047a9dd26013a9a6790dff0690911bcf0990800431ff9
Instruction Fuzzy Hash: A141AC316087098FC764CF1DC98066AB7E2FBC4318F18896CA88A87716D631F8458BC1

Function 6C8962D0 Relevance: 1.6, APIs: 1, Instructions: 97
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,?,00000000,?,00000000,?,?,?,?,6C8BC168), ref: 6C896300

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 63f1c668835579a23432ae1ee052ad596f66cf373c321ef2d7af87b724e1e34f
Instruction ID: 39d65b98125fcfa919e490791f71fcdf5bfbc0ea5cabcd3294f159d1374066de
Opcode Fuzzy Hash: 63f1c668835579a23432ae1ee052ad596f66cf373c321ef2d7af87b724e1e34f
Instruction Fuzzy Hash: 5231CE31A097068FC764CF19C98066AB7E2FFC4318F19896CE88697716D630F845CBC1

Function 6C89C050 Relevance: 1.5, APIs: 1, Instructions: 43
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 6C89C057

Part of subcall function 6C896DC1: __CxxThrowException@8.LIBCMT ref: 6C896DD7
Part of subcall function 6C896DC1: __EH_prolog3.LIBCMT ref: 6C896DE4

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw
String ID:
API String ID: 2489616738-0
Opcode ID: 68f5bdaa5ac1a9a5b52beb03ce69774f7982fdbd20eae3939ebc929ba4dd50ca
Instruction ID: 6d2a78f92669eabb850810e17ddd8cfe300801cc2771a61c76008534e6e3e976
Opcode Fuzzy Hash: 68f5bdaa5ac1a9a5b52beb03ce69774f7982fdbd20eae3939ebc929ba4dd50ca
Instruction Fuzzy Hash: CA011E30701602CBEB39AF6D8A156AD76B2AB4135AF148D3CE45287B90DF72CA46CB51

Function 6C8960F0 Relevance: 1.5, APIs: 1, Instructions: 33
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000004,00000080,00000000), ref: 6C8960F6

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5f8a1d136847d924b2cd9affe480fedc8b668f0dfdcc6c18b2791122165c237d
Instruction ID: 92d012dfc76ad0b88f90baf039efd4199c89800c68a5b790a93b087e36e87654
Opcode Fuzzy Hash: 5f8a1d136847d924b2cd9affe480fedc8b668f0dfdcc6c18b2791122165c237d
Instruction Fuzzy Hash: 7D01E8B4A083019FC718CF0AC8D090ABBF6FFC8308F56856DA84897316C630E955CF85

Function 6C8AA6F4 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,?,6C8A4776,00000001,?,?,?,6C8A48EF,?,?,?,6C8BE848,0000000C,6C8A49AA), ref: 6C8AA709

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: c8760113ce79f42ba6f0ed53abc50112ecca750b0113590efcad80c7c1650d89
Instruction ID: c27e7af3a813e818140018c152ed01d752f482980a7255f7647d1fcfae5d9b0d
Opcode Fuzzy Hash: c8760113ce79f42ba6f0ed53abc50112ecca750b0113590efcad80c7c1650d89
Instruction Fuzzy Hash: 39D05E72694345AADF209FB15C087673BFC938579AF144836F80CC6580E6B4C681DA84

Non-executed Functions

Function 6C89748E Relevance: 12.1, APIs: 8, Instructions: 126filestringCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C897498
GetFullPathNameW.KERNEL32(00000000,00000104,00000000,?,00000268,6C8976D5,?,00000000,?,00000000,00000104,00000000,?,6C8BBEF4,00000000), ref: 6C8974D6

Part of subcall function 6C896DC1: __CxxThrowException@8.LIBCMT ref: 6C896DD7
Part of subcall function 6C896DC1: __EH_prolog3.LIBCMT ref: 6C896DE4

PathIsUNCW.SHLWAPI(?,00000000,?), ref: 6C897546
GetVolumeInformationW.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 6C89756D
CharUpperW.USER32(00000000), ref: 6C8975A0
FindFirstFileW.KERNEL32(?,?), ref: 6C8975BC
FindClose.KERNEL32(00000000), ref: 6C8975C8
lstrlenW.KERNEL32(?), ref: 6C8975E6

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: FindPath$CharCloseException@8FileFirstFullH_prolog3H_prolog3_InformationNameThrowUpperVolumelstrlen
String ID:
API String ID: 624941980-0
Opcode ID: 4bb13fb3d6df164719214ba0ff5ae8d58784d854e589048dd9eb9eea16b852eb
Instruction ID: 0012c96d05f436cee356aa7c701208ea5c66d62ca6fc9add7d76da8e6b5a6752
Opcode Fuzzy Hash: 4bb13fb3d6df164719214ba0ff5ae8d58784d854e589048dd9eb9eea16b852eb
Instruction Fuzzy Hash: CE41B6719056169BDF359F6CCE4CBEE7778AF01318F100AE9E81991591DB359E88CF10

Function 6C8A3F34 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 6C8A7C6C
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6C8A7C81
UnhandledExceptionFilter.KERNEL32(6C8BA4B8), ref: 6C8A7C8C
GetCurrentProcess.KERNEL32(C0000409), ref: 6C8A7CA8
TerminateProcess.KERNEL32(00000000), ref: 6C8A7CAF

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: f28159fb7cc65ba2d58e6e8591dd8e9aa439947a7fc0d3f0aa340341dddd6ad4
Instruction ID: 166c4680f1e70cd60ec804f02d8f57f208a21a925f387dc66b1866bd75bcd505
Opcode Fuzzy Hash: f28159fb7cc65ba2d58e6e8591dd8e9aa439947a7fc0d3f0aa340341dddd6ad4
Instruction Fuzzy Hash: D721BCB46023059FDF60DF69D1896897BF4BB0A30CB50453EE40997350E7709686EFC5

Function 6C8989B5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000800,00000003,?,00000004), ref: 6C8989FC
__snwprintf_s.LIBCMT ref: 6C898A2E
LoadLibraryW.KERNEL32(?), ref: 6C898A69

Part of subcall function 6C8A5348: __getptd_noexit.LIBCMT ref: 6C8A5348

Strings

LOC, xrefs: 6C8989DC

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: InfoLibraryLoadLocale__getptd_noexit__snwprintf_s
String ID: LOC
API String ID: 3175857669-519433814
Opcode ID: ad86f94d6f5f2f34220cb0e04ccc2db14302f03f3fd3f17ced1b03441222c5b4
Instruction ID: ff0226ab971f02e7947ad2988e49866ae63b7ec60f1eff03ffa879c2ac069bcf
Opcode Fuzzy Hash: ad86f94d6f5f2f34220cb0e04ccc2db14302f03f3fd3f17ced1b03441222c5b4
Instruction Fuzzy Hash: AF11BB71A40309BFDB309BACCE44BEDB7FCAB42359F100C76A114A7580DBB49A49D7A1

Function 6C8A04EE Relevance: 6.0, APIs: 4, Instructions: 42keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000010), ref: 6C8A0514
GetKeyState.USER32(00000011), ref: 6C8A051D
GetKeyState.USER32(00000012), ref: 6C8A0526
SendMessageW.USER32(?,00000111,0000E146,00000000), ref: 6C8A053C

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: State$MessageSend
String ID:
API String ID: 1440529007-0
Opcode ID: ec65fef9e30764b63e9389596474af647c9b50461104faf7157ec8d2aeb71c2f
Instruction ID: 8ed65193c3e7af6950a1545e85616dfa8bb6a7461057757eddac4c200f8b1b1d
Opcode Fuzzy Hash: ec65fef9e30764b63e9389596474af647c9b50461104faf7157ec8d2aeb71c2f
Instruction Fuzzy Hash: C0F0B4357812DFA5EA3026F94E81FE925266F85B98F0008316646BE9C0CBA1C4074560

Function 6C898BDF Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 159libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C898BE9
GetModuleHandleW.KERNEL32(kernel32.dll,00000260,6C898EB7,?,?), ref: 6C898C19
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 6C898C2D
ConvertDefaultLocale.KERNEL32(?), ref: 6C898C69
ConvertDefaultLocale.KERNEL32(?), ref: 6C898C77
GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 6C898C94
ConvertDefaultLocale.KERNEL32(?), ref: 6C898CBF
ConvertDefaultLocale.KERNEL32(000003FF), ref: 6C898CC8
GetModuleHandleW.KERNEL32(ntdll.dll), ref: 6C898CE1
EnumResourceLanguagesW.KERNEL32(00000000,00000010,00000001,Function_000084C0,?), ref: 6C898CFE
ConvertDefaultLocale.KERNEL32(?), ref: 6C898D31
ConvertDefaultLocale.KERNEL32(00000000), ref: 6C898D3A
GetModuleFileNameW.KERNEL32(6C890000,?,00000105), ref: 6C898D7F
_memset.LIBCMT ref: 6C898D9F

Strings

kernel32.dll, xrefs: 6C898C02
GetSystemDefaultUILanguage, xrefs: 6C898C79
GetUserDefaultUILanguage, xrefs: 6C898C21
ntdll.dll, xrefs: 6C898CDC

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: ConvertDefaultLocale$Module$AddressHandleProc$EnumFileH_prolog3_LanguagesNameResource_memset
String ID: GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
API String ID: 3537336938-2299501126
Opcode ID: 74161e40489840127d4e2a53b5d396c18fba66cf4f3d4535f62ffb05e2ab2fc6
Instruction ID: 82bddb1cf73e51bd2cfb88398c347af2062b5002f1ec2e7db949ae012c429634
Opcode Fuzzy Hash: 74161e40489840127d4e2a53b5d396c18fba66cf4f3d4535f62ffb05e2ab2fc6
Instruction Fuzzy Hash: C3514B70D0122A9ACB70DFA99D887ADB7B4EF58304F1005EBA448E7690D7789E85CF54

Function 6C89DCCE Relevance: 29.8, APIs: 8, Strings: 9, Instructions: 82libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(USER32,00000000,00000000,75C04A40,6C89DE36,?,?,?,?,?,?,?,6C89FCC6,00000000,00000002,00000028), ref: 6C89DCF9
GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 6C89DD15
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 6C89DD2A
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 6C89DD3B
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 6C89DD4C
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 6C89DD5D
GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesW), ref: 6C89DD6E
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 6C89DD8E

Strings

MonitorFromPoint, xrefs: 6C89DD46
GetMonitorInfoW, xrefs: 6C89DD81
EnumDisplayDevicesW, xrefs: 6C89DD68
GetMonitorInfoA, xrefs: 6C89DD88
MonitorFromWindow, xrefs: 6C89DD24
GetSystemMetrics, xrefs: 6C89DD0F
USER32, xrefs: 6C89DCEF
EnumDisplayMonitors, xrefs: 6C89DD57
MonitorFromRect, xrefs: 6C89DD35

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetMonitorInfoA$GetMonitorInfoW$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-2451437823
Opcode ID: ac0d6dd1f5419299125c157920c0e6c96a1682607d5485fd4106151154324762
Instruction ID: 546d4338fb57915801cd0d5a14129a70c5256abc7269576edd9133b1841b93f0
Opcode Fuzzy Hash: ac0d6dd1f5419299125c157920c0e6c96a1682607d5485fd4106151154324762
Instruction Fuzzy Hash: 49215E71A25165AF9B32AF788AC443ABAF4B6DB21E7218D3FD005F2B04C3B001C5DB94

Function 6C89FBD6 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 175windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 6C89FC05
SendMessageW.USER32(00000000,0000036B,00000000,00000000), ref: 6C89FC28
GetWindowRect.USER32(?,?), ref: 6C89FC42
CopyRect.USER32(?,?), ref: 6C89FCA5
CopyRect.USER32(?,?), ref: 6C89FCAF
GetWindowRect.USER32(00000000,?), ref: 6C89FCB8

Part of subcall function 6C89DE96: MultiByteToWideChar.KERNEL32(00000000,00000000,00000028,000000FF,00000028,00000020), ref: 6C89DED6

CopyRect.USER32(?,?), ref: 6C89FCD4

Strings

(, xrefs: 6C89FC6E

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: Rect$Copy$Window$ByteCharMessageMultiParentSendWide
String ID: (
API String ID: 2332539329-3887548279
Opcode ID: 374f969627d21a8f854cfa7916f1bab275a8089fab770ea59505791c796ea206
Instruction ID: 8b221c266b8dbbab76ca4ed1ffa8f62ee44d156007f643d99c23ceda4d48b5ce
Opcode Fuzzy Hash: 374f969627d21a8f854cfa7916f1bab275a8089fab770ea59505791c796ea206
Instruction Fuzzy Hash: AE517F72A00619AFDB24CFACCE84AEEBBB9AF48358F154525F915F3640D730E905CB94

Function 6C8A19AE Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 153COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C8A19B8

Part of subcall function 6C89C050: __EH_prolog3.LIBCMT ref: 6C89C057

CallNextHookEx.USER32(?,?,?,?), ref: 6C8A19F8

Part of subcall function 6C896DC1: __CxxThrowException@8.LIBCMT ref: 6C896DD7
Part of subcall function 6C896DC1: __EH_prolog3.LIBCMT ref: 6C896DE4

_memset.LIBCMT ref: 6C8A1A51
GetClassLongW.USER32(?,000000E0), ref: 6C8A1A85
GetClassNameW.USER32(?,?,00000100), ref: 6C8A1B20
GetPropW.USER32(?,AfxOldWndProc423), ref: 6C8A1B5D
SetPropW.USER32(?,AfxOldWndProc423,?), ref: 6C8A1B6F
GetPropW.USER32(?,AfxOldWndProc423), ref: 6C8A1B77
GlobalAddAtomW.KERNEL32(AfxOldWndProc423), ref: 6C8A1B86
CallNextHookEx.USER32(?,00000003,?,?), ref: 6C8A1BA6
UnhookWindowsHookEx.USER32(?), ref: 6C8A1BBA

Strings

AfxOldWndProc423, xrefs: 6C8A1B56, 6C8A1B5B, 6C8A1B6D, 6C8A1B75, 6C8A1B85
#32768, xrefs: 6C8A1A63, 6C8A1A68, 6C8A1B36

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: HookProp$CallClassH_prolog3Next$AtomException@8GlobalH_prolog3_LongNameThrowUnhookWindows_memset
String ID: #32768$AfxOldWndProc423
API String ID: 3902210324-2141921550
Opcode ID: 574962e5a96f7672f54cf0612ad3140ab4d82e040be8cac580149d1184f6aaca
Instruction ID: 4a0769ce1510b034e58c08c616dd8a7bd7faacb6d7b40534e607620719e3e5c8
Opcode Fuzzy Hash: 574962e5a96f7672f54cf0612ad3140ab4d82e040be8cac580149d1184f6aaca
Instruction Fuzzy Hash: 0A510831500626FBCF319FA5CE48BDA7B78BF05359F0409A5F01997690EB30CA82CBA4

Function 6C8AA11F Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 57libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,6C8BE928,0000000C,6C8AA25A,00000000,00000000,?,6C8AA5D4,00000000,00000001,00000000,?,6C8AA89E,00000018,6C8BE978,0000000C), ref: 6C8AA131
__crt_waiting_on_module_handle.LIBCMT ref: 6C8AA13C

Part of subcall function 6C8A5BCF: Sleep.KERNEL32(000003E8,00000000,?,6C8AA082,KERNEL32.DLL,?,?,6C8AA416,00000000,?,6C8A488C,00000000,?,?,?,6C8A48EF), ref: 6C8A5BDB
Part of subcall function 6C8A5BCF: GetModuleHandleW.KERNEL32(00000000,?,6C8AA082,KERNEL32.DLL,?,?,6C8AA416,00000000,?,6C8A488C,00000000,?,?,?,6C8A48EF,?), ref: 6C8A5BE4

GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 6C8AA165
GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 6C8AA175
__lock.LIBCMT ref: 6C8AA197
InterlockedIncrement.KERNEL32(?), ref: 6C8AA1A4
__lock.LIBCMT ref: 6C8AA1B8
___addlocaleref.LIBCMT ref: 6C8AA1D6

Strings

KERNEL32.DLL, xrefs: 6C8AA12B, 6C8AA130, 6C8AA13B
EncodePointer, xrefs: 6C8AA159
DecodePointer, xrefs: 6C8AA16D

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1028249917-2843748187
Opcode ID: 35864490cbfdfea334ac33fa36d0621ff834a2dca6145cefca6c4b33c0db2a2e
Instruction ID: 3a15d910cf23427563f2f85b40ad01407f99b873da9c6b0b3878e7d8179201ab
Opcode Fuzzy Hash: 35864490cbfdfea334ac33fa36d0621ff834a2dca6145cefca6c4b33c0db2a2e
Instruction Fuzzy Hash: E2118171501705AED7308FA9CA04BDEBBE0AF44318F104D2AD4AAA3F90CB74A645DF54

Function 6C8984DA Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 60libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32), ref: 6C898503
GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 6C898520
GetProcAddress.KERNEL32(00000000,ReleaseActCtx), ref: 6C89852D
GetProcAddress.KERNEL32(00000000,ActivateActCtx), ref: 6C89853A
GetProcAddress.KERNEL32(00000000,DeactivateActCtx), ref: 6C898547

Strings

DeactivateActCtx, xrefs: 6C89853C
KERNEL32, xrefs: 6C8984FE
CreateActCtxW, xrefs: 6C89851A
ReleaseActCtx, xrefs: 6C898522
ActivateActCtx, xrefs: 6C89852F

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ActivateActCtx$CreateActCtxW$DeactivateActCtx$KERNEL32$ReleaseActCtx
API String ID: 667068680-2424895508
Opcode ID: 30bf3e10e28add7b2b2e7d69b91a66f1fb0d4ea13e00eafa87175ff972e03cb5
Instruction ID: 7306246522b399daf16636278e37f3bb91f28114ba540a30be6a5965dd19dae3
Opcode Fuzzy Hash: 30bf3e10e28add7b2b2e7d69b91a66f1fb0d4ea13e00eafa87175ff972e03cb5
Instruction Fuzzy Hash: 631154B2A05353EFCF30AF6E8A89486BFB4A74631DB144D3FE10993700D6309945CB91

Function 6C89A59C Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32,6C89A6B6), ref: 6C89A5AA
GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 6C89A5CB
GetProcAddress.KERNEL32(ReleaseActCtx), ref: 6C89A5DD
GetProcAddress.KERNEL32(ActivateActCtx), ref: 6C89A5EF
GetProcAddress.KERNEL32(DeactivateActCtx), ref: 6C89A601

Part of subcall function 6C896DC1: __CxxThrowException@8.LIBCMT ref: 6C896DD7
Part of subcall function 6C896DC1: __EH_prolog3.LIBCMT ref: 6C896DE4

Strings

DeactivateActCtx, xrefs: 6C89A5F1
KERNEL32, xrefs: 6C89A5A5
CreateActCtxW, xrefs: 6C89A5C5
ReleaseActCtx, xrefs: 6C89A5CD
ActivateActCtx, xrefs: 6C89A5DF

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: AddressProc$Exception@8H_prolog3HandleModuleThrow
String ID: ActivateActCtx$CreateActCtxW$DeactivateActCtx$KERNEL32$ReleaseActCtx
API String ID: 417325364-2424895508
Opcode ID: bd759de004b4c6f649771be1c3387bbb4f5b182baff5e5b9fbdcd7bdee0959f7
Instruction ID: 9fc1ad72895135d5f0f1c0be567d7ac7a8bf3402873b18ac7600c401ad8a6f20
Opcode Fuzzy Hash: bd759de004b4c6f649771be1c3387bbb4f5b182baff5e5b9fbdcd7bdee0959f7
Instruction Fuzzy Hash: 14F0D474E06226BACF716FB68A089857EB8A70625E7008D3FA801A3700D774990ADFC5

Function 6C89C8E2 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 128COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 6C89C91F
PathFindExtensionW.SHLWAPI(?), ref: 6C89C939
__wcsdup.LIBCMT ref: 6C89C983
__wcsdup.LIBCMT ref: 6C89C9C2
__wcsdup.LIBCMT ref: 6C89CA14
__wcsdup.LIBCMT ref: 6C89CA55

Strings

.CHM, xrefs: 6C89C9F2
.INI, xrefs: 6C89CA36
.HLP, xrefs: 6C89C9F9

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: __wcsdup$ExtensionFileFindModuleNamePath
String ID: .CHM$.HLP$.INI
API String ID: 2477486372-4017452060
Opcode ID: 5d48884bc673886f116f938fd1cf17a0814f966e3b3b9408426392ae388ab4c9
Instruction ID: 40c98c92ef20aec09fbdfc32fb98286cbcc088861a6842329a60ab24adc30621
Opcode Fuzzy Hash: 5d48884bc673886f116f938fd1cf17a0814f966e3b3b9408426392ae388ab4c9
Instruction Fuzzy Hash: DB4171B19017199BDB30EB7DCA44ADAB3F8AF44308F100DB9955AD7A42EB31E984CB54

Function 6C891C00 Relevance: 13.7, APIs: 9, Instructions: 159fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,?,00000000,?,?,?,?,?,6C891BE9,?,?,?,?), ref: 6C891C39
GetLastError.KERNEL32(?,?,?,?,?,6C891BE9,?,?,?,?), ref: 6C891C48
__aullrem.LIBCMT ref: 6C891C60
ReadFile.KERNEL32(?,?,?,?,00000000,?,?,?,00000000), ref: 6C891CE8
_memset.LIBCMT ref: 6C891CF5
SetFilePointer.KERNEL32(?,?,00000000,00000001,?,?,?,?,6C891BE9,?,?,?,?), ref: 6C891D07

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: File$Pointer$ErrorLastRead__aullrem_memset
String ID:
API String ID: 123228641-0
Opcode ID: fa3cf2da15cd8dfa3d0c684b430b113c43de5a62bbfc9639d8d1396dd6453016
Instruction ID: e1e928633e74ec35b619b78c72c26edf1f46144074e12f1fc6c61160655cbf58
Opcode Fuzzy Hash: fa3cf2da15cd8dfa3d0c684b430b113c43de5a62bbfc9639d8d1396dd6453016
Instruction Fuzzy Hash: 76514A71709701AFD760DE2DC940B9BB7ECEF88758F044A29F958E7241E770E9058BA2

Function 6C89BE0D Relevance: 13.6, APIs: 9, Instructions: 96memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6C89BE14
RtlEnterCriticalSection.NTDLL(00000000), ref: 6C89BE25
TlsGetValue.KERNEL32(?,?,00000000,?,00000004,6C89AF00,6C896DDD,6C8968AD,?,6C8A4902,?,?,?,?), ref: 6C89BE43
LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,6C89AF00,6C896DDD,6C8968AD,?,6C8A4902,?), ref: 6C89BE77
RtlLeaveCriticalSection.NTDLL(?), ref: 6C89BEE3
_memset.LIBCMT ref: 6C89BF02
TlsSetValue.KERNEL32(?,00000000), ref: 6C89BF13
RtlLeaveCriticalSection.NTDLL(00000000), ref: 6C89BF34

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: CriticalSection$LeaveValue$AllocEnterH_prolog3_catchLocal_memset
String ID:
API String ID: 1891723912-0
Opcode ID: e4757f1174ff15ead69cc167bf6f289d700cf7335ced186766427fb837d1ca62
Instruction ID: 30efd221db2e600046af05858d011073391eb3969c7a7af6964587fc99271263
Opcode Fuzzy Hash: e4757f1174ff15ead69cc167bf6f289d700cf7335ced186766427fb837d1ca62
Instruction Fuzzy Hash: 9E317E70501606EFDB309F58CA85CAABBB5EF01318B20C93EE65A97E50CB31A955CF90

Function 6C8981FA Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 117threadwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 6C89815A: GetParent.USER32(?), ref: 6C8981AE
Part of subcall function 6C89815A: GetLastActivePopup.USER32(?), ref: 6C8981BF
Part of subcall function 6C89815A: IsWindowEnabled.USER32(?), ref: 6C8981D3
Part of subcall function 6C89815A: EnableWindow.USER32(?,00000000), ref: 6C8981E6

EnableWindow.USER32(?,00000001), ref: 6C898247
GetWindowThreadProcessId.USER32(?,?), ref: 6C89825B
GetCurrentProcessId.KERNEL32(?,?), ref: 6C898265
SendMessageW.USER32(?,00000376,00000000,00000000), ref: 6C89827D
GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?), ref: 6C8982F9
EnableWindow.USER32(00000000,00000001), ref: 6C898340

Strings

0, xrefs: 6C8982D2

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: Window$Enable$Process$ActiveCurrentEnabledFileLastMessageModuleNameParentPopupSendThread
String ID: 0
API String ID: 1877664794-4108050209
Opcode ID: 3d0adedaf8003f221227e9555af95e273e37ee5c3399bd1d2876cf1ae05e0662
Instruction ID: 3d9dc0f1ab24e048dfc3f1a55c98445305295bfafad58365f4b56818c1c763bb
Opcode Fuzzy Hash: 3d0adedaf8003f221227e9555af95e273e37ee5c3399bd1d2876cf1ae05e0662
Instruction Fuzzy Hash: 5E418471A4161A9FDB308FA8CD88BDA77B4FF05314F20096AE519E7641D770DA80CF91

Function 6C89DE96 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000028,000000FF,00000028,00000020), ref: 6C89DED6
SystemParametersInfoA.USER32(00000030,00000000,00000000,00000000), ref: 6C89DF00
GetSystemMetrics.USER32(00000000), ref: 6C89DF17
GetSystemMetrics.USER32(00000001), ref: 6C89DF1E
MultiByteToWideChar.KERNEL32(00000000,00000000,DISPLAY,000000FF,-00000028,00000020), ref: 6C89DF49

Strings

DISPLAY, xrefs: 6C89DF40
B, xrefs: 6C89DEE0

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: System$ByteCharMetricsMultiWide$InfoParameters
String ID: B$DISPLAY
API String ID: 381819527-3316187204
Opcode ID: 77bf5982aa1adec7e486172d36c2d51ab0ca9df6c2e07690053c3d83c349bf3b
Instruction ID: 74b796d16ecc582568fd9f939855650db7c223b82c643149c423ebac9a4eb959
Opcode Fuzzy Hash: 77bf5982aa1adec7e486172d36c2d51ab0ca9df6c2e07690053c3d83c349bf3b
Instruction Fuzzy Hash: 84212571605224ABDF308F188D85B6B7BA8EF4A764F104927FD19AB681D6B0D840CBE4

Function 6C89A200 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 101registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C89A20A
RegOpenKeyW.ADVAPI32(80000001,?,?), ref: 6C89A2F0
RegEnumKeyW.ADVAPI32(?,00000000,?,00000104), ref: 6C89A30D
RegCloseKey.ADVAPI32(?), ref: 6C89A32D
RegQueryValueW.ADVAPI32(80000001,?,?,?), ref: 6C89A348

Strings

Software\, xrefs: 6C89A26E

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: CloseEnumH_prolog3_OpenQueryValue
String ID: Software\
API String ID: 1666054129-964853688
Opcode ID: 356ccc653cba8786cde841d35c6cba6850b32f6733ad61185e87c2f931942709
Instruction ID: ff945208d15cf658a9a947ec7163a95ceef1a98f749ed42b015b85cc878fae76
Opcode Fuzzy Hash: 356ccc653cba8786cde841d35c6cba6850b32f6733ad61185e87c2f931942709
Instruction Fuzzy Hash: 9C418431D01519ABCB31DBACDD88ADEB7B9AF49318F140AE9E019A2650DB349B84CF50

Function 6C8A1861 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6C8A1868
GetPropW.USER32(?,AfxOldWndProc423), ref: 6C8A1877
RemovePropW.USER32(?,AfxOldWndProc423), ref: 6C8A1900
GlobalFindAtomW.KERNEL32(AfxOldWndProc423), ref: 6C8A1907
GlobalDeleteAtom.KERNEL32(?), ref: 6C8A1911

Part of subcall function 6C8A0C2C: GetWindowRect.USER32(?,10000000), ref: 6C8A0C56

Strings

AfxOldWndProc423, xrefs: 6C8A1870, 6C8A1875, 6C8A18FE, 6C8A1906

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: AtomGlobalProp$DeleteFindH_prolog3_catchRectRemoveWindow
String ID: AfxOldWndProc423
API String ID: 1599575004-1060338832
Opcode ID: 6b784ee84c9c9e029a4ccd2827e42077dc031d2ee0f6b7ecb22173fa2fc44d81
Instruction ID: 5b4b864f8a884b465cd5a17243ac2e66d7f0d2d53ea7e391340597d92c26ce5b
Opcode Fuzzy Hash: 6b784ee84c9c9e029a4ccd2827e42077dc031d2ee0f6b7ecb22173fa2fc44d81
Instruction Fuzzy Hash: 85319F3240111AEBCF219FE9CE48DFF7B78AF0A319F040829F601A2550C735D916DBA5

Function 6C89A082 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 6C89A08C
RegOpenKeyW.ADVAPI32(?,?,?), ref: 6C89A11A
RegEnumKeyW.ADVAPI32(?,00000000,?,00000104), ref: 6C89A13D

Part of subcall function 6C89A02D: __EH_prolog3.LIBCMT ref: 6C89A034

Strings

Software\Classes\, xrefs: 6C89A0CD

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: EnumH_prolog3H_prolog3_catch_Open
String ID: Software\Classes\
API String ID: 3518408925-1121929649
Opcode ID: 4fb02e124bdb030b21a14ce44bf7028215e9ab3bac6097bf1f16b0bfc456f3f8
Instruction ID: 65cf816a3b7fef86c0ae901a2ecc565dceac08cdf4c362397540f44c11887303
Opcode Fuzzy Hash: 4fb02e124bdb030b21a14ce44bf7028215e9ab3bac6097bf1f16b0bfc456f3f8
Instruction Fuzzy Hash: 50312F31C05129AACB31ABA8DE48BDDB7B8AB09354F1406E6E95963650D7308F84DF91

Function 6C89D07E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 66registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 6C89D0AE
RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 6C89D0D1
RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 6C89D0ED
RegCloseKey.ADVAPI32(?), ref: 6C89D0FD
RegCloseKey.ADVAPI32(?), ref: 6C89D107

Strings

software, xrefs: 6C89D096

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: CloseCreate$Open
String ID: software
API String ID: 1740278721-2010147023
Opcode ID: 50b6f3a8419fc6db6de9decca9eda9ec886449a295106a35bc75d015db248173
Instruction ID: cab8f6aa57266071ee39cd3c52125a199a7bac276ca85936a7f868f83b74eef6
Opcode Fuzzy Hash: 50b6f3a8419fc6db6de9decca9eda9ec886449a295106a35bc75d015db248173
Instruction Fuzzy Hash: 6411F872D00119FB8B21DE9ACD88DDFBFBDEFC9754B1040AAF504A2111D7319A01EBA4

Function 6C89BEAE Relevance: 10.6, APIs: 7, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

RtlLeaveCriticalSection.NTDLL(?), ref: 6C89BEB5
__CxxThrowException@8.LIBCMT ref: 6C89BEBF

Part of subcall function 6C8A527B: RaiseException.KERNEL32(?,00000000,?,00000001), ref: 6C8A52BD

LocalReAlloc.KERNEL32(?,00000000,00000002,00000000,00000010,?,?,00000000,?,00000004,6C89AF00,6C896DDD,6C8968AD,?,6C8A4902,?), ref: 6C89BED6
RtlLeaveCriticalSection.NTDLL(?), ref: 6C89BEE3

Part of subcall function 6C896D89: __CxxThrowException@8.LIBCMT ref: 6C896D9F

_memset.LIBCMT ref: 6C89BF02
TlsSetValue.KERNEL32(?,00000000), ref: 6C89BF13
RtlLeaveCriticalSection.NTDLL(00000000), ref: 6C89BF34

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: CriticalLeaveSection$Exception@8Throw$AllocExceptionLocalRaiseValue_memset
String ID:
API String ID: 356813703-0
Opcode ID: 4833a9a9b44347436a899626ba3080c9270f9930ee0418482fb1142b6e124ae4
Instruction ID: f2a5430bb1761a3a70bffee11987d29a4278ab18477ddd4bd8d07711d45be252
Opcode Fuzzy Hash: 4833a9a9b44347436a899626ba3080c9270f9930ee0418482fb1142b6e124ae4
Instruction Fuzzy Hash: A8115274200605AFDB30AFA8C985C6ABBB5FF05318710C93AF65A96A21CB31AC55CF94

Function 6C89CA77 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000000), ref: 6C89CA85
SetErrorMode.KERNEL32(00000000), ref: 6C89CA8D

Part of subcall function 6C89A698: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 6C89A6D0
Part of subcall function 6C89A698: SetLastError.KERNEL32(0000006F), ref: 6C89A6E7

GetModuleHandleW.KERNEL32(user32.dll), ref: 6C89CADC
GetProcAddress.KERNEL32(00000000,NotifyWinEvent), ref: 6C89CAEC

Part of subcall function 6C89C8E2: GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 6C89C91F
Part of subcall function 6C89C8E2: PathFindExtensionW.SHLWAPI(?), ref: 6C89C939
Part of subcall function 6C89C8E2: __wcsdup.LIBCMT ref: 6C89C983
Part of subcall function 6C89C8E2: __wcsdup.LIBCMT ref: 6C89C9C2
Part of subcall function 6C89C8E2: __wcsdup.LIBCMT ref: 6C89CA14

Strings

user32.dll, xrefs: 6C89CAD7
NotifyWinEvent, xrefs: 6C89CAE6

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: ErrorModule__wcsdup$FileModeName$AddressExtensionFindHandleLastPathProc
String ID: NotifyWinEvent$user32.dll
API String ID: 3531328582-597752486
Opcode ID: b4f2456ef4c15b3fc0bd039e0677b669c8c83d092a6d7c7e736f51767770667a
Instruction ID: c4686815256e5b1e39a19bc28eed13d9b8229ae6e7c1e2a2610b11ee5740cc3d
Opcode Fuzzy Hash: b4f2456ef4c15b3fc0bd039e0677b669c8c83d092a6d7c7e736f51767770667a
Instruction Fuzzy Hash: 8701D470A002444FCB31EF6C8A04A9E3BE8EF44318B05487AF908E7B41DB31C844CFA5

Function 6C89CD20 Relevance: 10.5, APIs: 7, Instructions: 30COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 6C89CD2E
GetSysColor.USER32(00000010), ref: 6C89CD35
GetSysColor.USER32(00000014), ref: 6C89CD3C
GetSysColor.USER32(00000012), ref: 6C89CD43
GetSysColor.USER32(00000006), ref: 6C89CD4A
GetSysColorBrush.USER32(0000000F), ref: 6C89CD57
GetSysColorBrush.USER32(00000006), ref: 6C89CD5E

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: b8ed8c20989adf55738dd7fe9ccb42db8e94635d4adb97082c93c5166aa8af7c
Instruction ID: 4c4e84a0f0e0b84bb74d9695a1eaf851410b69b7fdc0da76015ed20f7b9e3864
Opcode Fuzzy Hash: b8ed8c20989adf55738dd7fe9ccb42db8e94635d4adb97082c93c5166aa8af7c
Instruction Fuzzy Hash: 7CF0FE71A407445BDB30BB724909B47BAE1FFC4710F16092EE2458B990D6B6E441DF44

Function 6C8AC416 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 6C8AC43E

Part of subcall function 6C8A4FC4: __getptd.LIBCMT ref: 6C8A4FD2
Part of subcall function 6C8A4FC4: __getptd.LIBCMT ref: 6C8A4FE0

__getptd.LIBCMT ref: 6C8AC448

Part of subcall function 6C8AA27F: __getptd_noexit.LIBCMT ref: 6C8AA282
Part of subcall function 6C8AA27F: __amsg_exit.LIBCMT ref: 6C8AA28F

__getptd.LIBCMT ref: 6C8AC456
__getptd.LIBCMT ref: 6C8AC464
__getptd.LIBCMT ref: 6C8AC46F
_CallCatchBlock2.LIBCMT ref: 6C8AC495

Part of subcall function 6C8A5069: __CallSettingFrame@12.LIBCMT ref: 6C8A50B5

Part of subcall function 6C8AC53C: __getptd.LIBCMT ref: 6C8AC54B
Part of subcall function 6C8AC53C: __getptd.LIBCMT ref: 6C8AC559

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 3320c4cb207a8cab9faae571e809c18e51644a5a2865cfd10c21ef346a0fd114
Instruction ID: 3e7b34de28b1872ba5fc3d9f2189dbc76693d0a7b1e1b26c807c91b9fb7afd63
Opcode Fuzzy Hash: 3320c4cb207a8cab9faae571e809c18e51644a5a2865cfd10c21ef346a0fd114
Instruction Fuzzy Hash: 2211E4B1800309DFDF10EFE8C644ADD7BB1BB18314F108869E814A7B51DB399A569F50

Function 6C8A2932 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 244COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6C8A2962

Strings

@, xrefs: 6C8A2A6E
@, xrefs: 6C8A2B07
AfxFrameOrView90su, xrefs: 6C8A2A28
AfxMDIFrame90su, xrefs: 6C8A2A03

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: _memset
String ID: @$@$AfxFrameOrView90su$AfxMDIFrame90su
API String ID: 2102423945-1093365818
Opcode ID: 12c5325718a66c807f9a5f3eb68d3e60dd68d8672849b3de8cb62ab0ce6bc742
Instruction ID: 5970f75cd1fbee4af73597a961088234ee072e70bb358bd87124259ed2997c46
Opcode Fuzzy Hash: 12c5325718a66c807f9a5f3eb68d3e60dd68d8672849b3de8cb62ab0ce6bc742
Instruction Fuzzy Hash: 72916471C0120DAFDB60CFD9C684BDEBBF8AF48348F208575E919E6640E7749646C7A0

Function 6C8AC165 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6C8AC17F

Part of subcall function 6C8AA27F: __getptd_noexit.LIBCMT ref: 6C8AA282
Part of subcall function 6C8AA27F: __amsg_exit.LIBCMT ref: 6C8AA28F

__getptd.LIBCMT ref: 6C8AC190
__getptd.LIBCMT ref: 6C8AC19E

Strings

MOC, xrefs: 6C8AC171
csm, xrefs: 6C8AC178

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$csm
API String ID: 803148776-1389381023
Opcode ID: aa1837dadfba7e54d6be07239196d8ff6a1898bb90bdeee490b5edcfe485d706
Instruction ID: da8e22b7af5e13c6ad425c76b7f3924f696224209ea7d459b7bce4433f644ea0
Opcode Fuzzy Hash: aa1837dadfba7e54d6be07239196d8ff6a1898bb90bdeee490b5edcfe485d706
Instruction Fuzzy Hash: EFE04F316142088FD720ABF8C245B9837A5EB69318F2509A5D40CCBB22D736D556CD42

Function 6C895670 Relevance: 7.6, APIs: 5, Instructions: 77stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,?,?,6C8949D6,?,00000003), ref: 6C895685
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00000000,?,00000000,00000000), ref: 6C8956B4
GetLastError.KERNEL32 ref: 6C8956C5
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00000000,00000000,00000000,00000000), ref: 6C8956E5
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000000,00000000,00000000), ref: 6C895709

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLastlstrlen
String ID:
API String ID: 3322701435-0
Opcode ID: 272eeacb45f0183405ff39789d136348df15f2310e7184ae665bd97d500b1d44
Instruction ID: 02207a9c57163a42f44b4a898dc2e012ae91ab6991450e19e7d9b9cfbef29d1f
Opcode Fuzzy Hash: 272eeacb45f0183405ff39789d136348df15f2310e7184ae665bd97d500b1d44
Instruction Fuzzy Hash: 5D117F75384306BBE630DE68DDC1F6B77ACEB86749F200E2DF64197281D670BC098664

Function 6C89815A Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 6C89819B
GetParent.USER32(?), ref: 6C8981AE
GetLastActivePopup.USER32(?), ref: 6C8981BF
IsWindowEnabled.USER32(?), ref: 6C8981D3
EnableWindow.USER32(?,00000000), ref: 6C8981E6

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: ParentWindow$ActiveEnableEnabledLastPopup
String ID:
API String ID: 2630416829-0
Opcode ID: dd25b8f1f5b3e43eb9920725a38c5fb0b5f9c29bc38b089f2d2ff49534ebec22
Instruction ID: eba8ba2899f5c523c1fe8c7feaec37747ec10ad64daeeb1470b0aaa0d6165c10
Opcode Fuzzy Hash: dd25b8f1f5b3e43eb9920725a38c5fb0b5f9c29bc38b089f2d2ff49534ebec22
Instruction Fuzzy Hash: D511C632606A23ABD7320A6E8F40B5E76BCAF45B6CF150A27ED14E7A04D770C80186D9

Function 6C89DA11 Relevance: 7.6, APIs: 5, Instructions: 55stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?), ref: 6C89DA3D
_memset.LIBCMT ref: 6C89DA5B
GetWindowTextW.USER32(00000000,?,00000100), ref: 6C89DA75
lstrcmpW.KERNEL32(?,?,?,?), ref: 6C89DA87
SetWindowTextW.USER32(00000000,?), ref: 6C89DA93

Part of subcall function 6C896DC1: __CxxThrowException@8.LIBCMT ref: 6C896DD7
Part of subcall function 6C896DC1: __EH_prolog3.LIBCMT ref: 6C896DE4

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: TextWindow$Exception@8H_prolog3Throw_memsetlstrcmplstrlen
String ID:
API String ID: 4273134663-0
Opcode ID: 75e8223dc2e40e34b7654ce4a4a5cd8116b14a0de30c55331da24f4068ef8a54
Instruction ID: 6a56c0d39e8f1cd2bfb0295bed5edf85fde6fa290a04b2d26fa4e51bc6274e35
Opcode Fuzzy Hash: 75e8223dc2e40e34b7654ce4a4a5cd8116b14a0de30c55331da24f4068ef8a54
Instruction Fuzzy Hash: 9C0188B660131967CB20DEA98D889DBB3BDEF49748F004876E915D3201DA34D90887A4

Function 6C8AFE0E Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6C8AFE1A

Part of subcall function 6C8AA27F: __getptd_noexit.LIBCMT ref: 6C8AA282
Part of subcall function 6C8AA27F: __amsg_exit.LIBCMT ref: 6C8AA28F

__amsg_exit.LIBCMT ref: 6C8AFE3A
__lock.LIBCMT ref: 6C8AFE4A
InterlockedDecrement.KERNEL32(?), ref: 6C8AFE67
InterlockedIncrement.KERNEL32(02BA2820), ref: 6C8AFE92

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 50f7990ce0874ec3c325c3cbafb6014283ce74ee2fa19090e803b811270066a0
Instruction ID: 0a8af4170da585a4dd6f93d3ab7fe54116f234d6e3d7f2478ff593a6ebbc0a7b
Opcode Fuzzy Hash: 50f7990ce0874ec3c325c3cbafb6014283ce74ee2fa19090e803b811270066a0
Instruction Fuzzy Hash: E801FE31A027219BDB319BE9860478E73B0EF1572DF510929D4106BF91C738AA97CBD5

Function 6C89DB5C Relevance: 7.5, APIs: 5, Instructions: 46COMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 6C89DB6D
GetDlgCtrlID.USER32(00000000), ref: 6C89DB81
GetWindowRect.USER32(00000000,?), ref: 6C89DBA3
PtInRect.USER32(?,?,?), ref: 6C89DBB3
GetWindow.USER32(?,00000005), ref: 6C89DBC0

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: RectWindow$ClientCtrlScreen
String ID:
API String ID: 4072766398-0
Opcode ID: f5f7b1a41e27b6ed88b03eae7660055a5e41e5224977edb9d18883a079be59b4
Instruction ID: 3b8f7b05aa92dec59b20a6606df7308aab7347bc2ece1a8723d70a2ce4a01519
Opcode Fuzzy Hash: f5f7b1a41e27b6ed88b03eae7660055a5e41e5224977edb9d18883a079be59b4
Instruction Fuzzy Hash: 2E014B3220111ABBDB215B698D08EAE3B78EF4B358F044926F91196090D734D516CAD8

Function 6C8A4618 Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 6C8A4636

Part of subcall function 6C8AA914: __mtinitlocknum.LIBCMT ref: 6C8AA92A
Part of subcall function 6C8AA914: __amsg_exit.LIBCMT ref: 6C8AA936
Part of subcall function 6C8AA914: RtlEnterCriticalSection.NTDLL(00000000), ref: 6C8AA93E

___sbh_find_block.LIBCMT ref: 6C8A4641
___sbh_free_block.LIBCMT ref: 6C8A4650
HeapFree.KERNEL32(00000000,00000000,6C8BE828,0000000C,6C8AA270,00000000,?,6C8AA5D4,00000000,00000001,00000000,?,6C8AA89E,00000018,6C8BE978,0000000C), ref: 6C8A4680
GetLastError.KERNEL32(?,6C8AA5D4,00000000,00000001,00000000,?,6C8AA89E,00000018,6C8BE978,0000000C,6C8AA92F,00000000,00000000,?,6C8AA32A,0000000D), ref: 6C8A4691

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 89d6e3f8ca75b6318d904e7b45f20c49755cd4b1c341e2e5a85f0134fccaef13
Instruction ID: b7f8b161d7a851d2c64d6fbf5df3b33b4c678eec7069d1e76834b49549db7d80
Opcode Fuzzy Hash: 89d6e3f8ca75b6318d904e7b45f20c49755cd4b1c341e2e5a85f0134fccaef13
Instruction Fuzzy Hash: 99018471901B15ABEF305FF59A047CE3B749F8172DF241939E01066E90CF789986CA98

Function 6C89C113 Relevance: 7.5, APIs: 5, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

TlsFree.KERNEL32(?,?,?,6C89C179), ref: 6C89C13B
GlobalHandle.KERNEL32(?), ref: 6C89C149
GlobalUnlock.KERNEL32(00000000), ref: 6C89C152
GlobalFree.KERNEL32(00000000), ref: 6C89C159
RtlDeleteCriticalSection.NTDLL ref: 6C89C163

Part of subcall function 6C89BF5D: RtlEnterCriticalSection.NTDLL(?), ref: 6C89BFBC
Part of subcall function 6C89BF5D: RtlLeaveCriticalSection.NTDLL(?), ref: 6C89BFCC
Part of subcall function 6C89BF5D: LocalFree.KERNEL32(?), ref: 6C89BFD5
Part of subcall function 6C89BF5D: TlsSetValue.KERNEL32(?,00000000), ref: 6C89BFE7

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: CriticalFreeGlobalSection$DeleteEnterHandleLeaveLocalUnlockValue
String ID:
API String ID: 1549993015-0
Opcode ID: 8444c34e28ab3fb436d44ca9ef44b13fb63a6fcfba031f00090ce13da23a2096
Instruction ID: 20b1a53db537b9b06834e11580073eb195703a35985e737c8b92d8caabc94958
Opcode Fuzzy Hash: 8444c34e28ab3fb436d44ca9ef44b13fb63a6fcfba031f00090ce13da23a2096
Instruction Fuzzy Hash: 87F089763016029BDB306B3C9D4CE2B37B99F866687650A29F529D3642DB31D803C7B8

Function 6C8996DA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

GetMenuCheckMarkDimensions.USER32 ref: 6C8996F2
_memset.LIBCMT ref: 6C89976A
LoadBitmapW.USER32(00000000,00007FE3), ref: 6C8997E5

Strings

, xrefs: 6C89974B

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: BitmapCheckDimensionsLoadMarkMenu_memset
String ID:
API String ID: 3130454499-3916222277
Opcode ID: afd4ee26efb13d2ec25f789ffc2865ce9b1bf747d62243dbb6d334233cd45519
Instruction ID: 3b9626bd0c279e0fc4a4676c8668c6125c4c0214a0ce67f42e634cae3289930b
Opcode Fuzzy Hash: afd4ee26efb13d2ec25f789ffc2865ce9b1bf747d62243dbb6d334233cd45519
Instruction Fuzzy Hash: 0F31F471B00215AFEB308F689DC5BA97BB5FB45308F4544B6E549EB281DF309A89CB90

Function 6C8A140F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6C89C220: RtlEnterCriticalSection.NTDLL(6C8C34A8), ref: 6C89C25A
Part of subcall function 6C89C220: RtlInitializeCriticalSection.NTDLL(?), ref: 6C89C26C
Part of subcall function 6C89C220: RtlLeaveCriticalSection.NTDLL(6C8C34A8), ref: 6C89C279
Part of subcall function 6C89C220: RtlEnterCriticalSection.NTDLL(?), ref: 6C89C289

Part of subcall function 6C89BB0C: __EH_prolog3_catch.LIBCMT ref: 6C89BB13

Part of subcall function 6C896DC1: __CxxThrowException@8.LIBCMT ref: 6C896DD7
Part of subcall function 6C896DC1: __EH_prolog3.LIBCMT ref: 6C896DE4

GetProcAddress.KERNEL32(00000000,HtmlHelpW), ref: 6C8A1458
FreeLibrary.KERNEL32(?), ref: 6C8A1468

Strings

hhctrl.ocx, xrefs: 6C8A143C
HtmlHelpW, xrefs: 6C8A1452

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3H_prolog3_catchInitializeLeaveLibraryProcThrow
String ID: HtmlHelpW$hhctrl.ocx
API String ID: 2853499158-3773518134
Opcode ID: ca91909ea5e4c7d643e7f20f14f208f57b3848a3b5f6b52003c939fa7576c70d
Instruction ID: d50ec7795dba54b73fa967677e9e02a47fd61d30401a984a5d9402b8c7b11bc6
Opcode Fuzzy Hash: ca91909ea5e4c7d643e7f20f14f208f57b3848a3b5f6b52003c939fa7576c70d
Instruction Fuzzy Hash: 19018B31101706EBDB316BEDCF04B8B3BA6AB04369F048D29E45AA5E50DB31D4119A56

Function 6C8AC7C3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 6C8AC7D6

Part of subcall function 6C8AC731: ___BuildCatchObjectHelper.LIBCMT ref: 6C8AC767

_UnwindNestedFrames.LIBCMT ref: 6C8AC7ED
___FrameUnwindToState.LIBCMT ref: 6C8AC7FB

Strings

csm, xrefs: 6C8AC7D2, 6C8AC7E7, 6C8AC7FA, 6C8AC818, 6C8AC828

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm
API String ID: 2163707966-1018135373
Opcode ID: 9333c40b5dfdbc582cc92e6f10fbdaaaf62e4115b5764113ccc931296aa917a4
Instruction ID: f9fdb863686034518be1aec6f9500cdf0fec8c03a4e6b81fde6a6b1e26995b9e
Opcode Fuzzy Hash: 9333c40b5dfdbc582cc92e6f10fbdaaaf62e4115b5764113ccc931296aa917a4
Instruction Fuzzy Hash: 6D01FB32001109BBDF226F99CE44EEA7F6AFF49358F104420FD2855A21DB32D5B2DBA1

Function 6C8AED77 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,6C8A77D7), ref: 6C8AED7C
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 6C8AED8C

Strings

KERNEL32, xrefs: 6C8AED77
IsProcessorFeaturePresent, xrefs: 6C8AED86

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: dc4abc325c3717097f40320b850e9f1251437de81adb751ca73f87e3ace4d178
Instruction ID: b4b68fe3d124ba520e854a03c25752a628b25571d42676df8cf78ca9a54388f6
Opcode Fuzzy Hash: dc4abc325c3717097f40320b850e9f1251437de81adb751ca73f87e3ace4d178
Instruction Fuzzy Hash: 01F0122060190AE2DF201BE59E196AE7B79BB8174AF420D90D1A5B0584DF318071D389

Function 6C897D71 Relevance: 6.1, APIs: 4, Instructions: 131timeCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6C897D88
GetFileTime.KERNEL32(?,?,?,?), ref: 6C897DBF
GetFileSizeEx.KERNEL32(?,?), ref: 6C897DD7

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: File$SizeTime_memset
String ID:
API String ID: 151880914-0
Opcode ID: d90da86df14aae76d478e3d5396535ce1c964ca204f4c9fc08f04405c8c44b0c
Instruction ID: 888ad743e803605a3fe438532c8619ae3b301a762c93f4f70b99e688d0d444a4
Opcode Fuzzy Hash: d90da86df14aae76d478e3d5396535ce1c964ca204f4c9fc08f04405c8c44b0c
Instruction Fuzzy Hash: 7E510D715046059FDB24CF69CA40D9AB7F8FF09714B148E2EE5A6D3A90E730E944CB64

Function 6C8B081B Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6C8B084F
__isleadbyte_l.LIBCMT ref: 6C8B0883
MultiByteToWideChar.KERNEL32(00000080,00000009,6C8A40D8,6C8BBF84,00000000,00000000,?,?,?,?,6C8A40D8,00000000,?), ref: 6C8B08B4
MultiByteToWideChar.KERNEL32(00000080,00000009,6C8A40D8,00000001,00000000,00000000,?,?,?,?,6C8A40D8,00000000,?), ref: 6C8B0922

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 53c3dd0069c579c0c661bea63ec7675733ee38d97e3c939a82799bfb1d89304b
Instruction ID: f2f416c35cbc59ac7ffb2d795303e6522cdefc54975ccf08262dbba846278b52
Opcode Fuzzy Hash: 53c3dd0069c579c0c661bea63ec7675733ee38d97e3c939a82799bfb1d89304b
Instruction Fuzzy Hash: EF31C8719012DAEFDB20CF64CF809AE3BB5BF01314F144969E464AB7A1DB30DA41DB90

Function 6C8988C8 Relevance: 6.1, APIs: 4, Instructions: 66memorystringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(?), ref: 6C8988E7
lstrcmpW.KERNEL32(00000000,?), ref: 6C8988F4
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 6C89892E
GlobalLock.KERNEL32(00000000), ref: 6C898938

Part of subcall function 6C89DAD1: GlobalFlags.KERNEL32(?), ref: 6C89DAE0
Part of subcall function 6C89DAD1: GlobalUnlock.KERNEL32(?), ref: 6C89DAF2
Part of subcall function 6C89DAD1: GlobalFree.KERNEL32(?), ref: 6C89DAFD

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: Global$Lock$AllocFlagsFreeUnlocklstrcmp
String ID:
API String ID: 2391069079-0
Opcode ID: f4e10ead209d3bac231324994e87c14b6297a2a728e9290844f887109690f5f4
Instruction ID: a8278c6b85c86dd1270c9942e9883d070234eee984453941cdd9a8587b091f14
Opcode Fuzzy Hash: f4e10ead209d3bac231324994e87c14b6297a2a728e9290844f887109690f5f4
Instruction Fuzzy Hash: 54118F71500A05BFCB325BA9CD88CAF7BFDFB85B08B10082AFA05E2620D731D910D760

Function 6C89BF5D Relevance: 6.1, APIs: 4, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 6C89BFBC
RtlLeaveCriticalSection.NTDLL(?), ref: 6C89BFCC
LocalFree.KERNEL32(?), ref: 6C89BFD5
TlsSetValue.KERNEL32(?,00000000), ref: 6C89BFE7

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: CriticalSection$EnterFreeLeaveLocalValue
String ID:
API String ID: 2949335588-0
Opcode ID: 9c321ec606bb40ef09bc382f9aa253e706fc34b27944ccb3a6afab3a74548755
Instruction ID: c0b16daa6f5acb4f67f300bba7af6c7c942c5820004601d3837db0bbd966d3fb
Opcode Fuzzy Hash: 9c321ec606bb40ef09bc382f9aa253e706fc34b27944ccb3a6afab3a74548755
Instruction Fuzzy Hash: 94115671601605EFD734CF58C984F6AB7B8FF46319F20882AE1578BAA1CB71A840CF50

Function 6C898EC9 Relevance: 6.1, APIs: 4, Instructions: 57threadCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C898ED0

Part of subcall function 6C899C7C: __EH_prolog3.LIBCMT ref: 6C899C83

__wcsdup.LIBCMT ref: 6C898EF2
GetCurrentThread.KERNEL32 ref: 6C898F1F
GetCurrentThreadId.KERNEL32 ref: 6C898F28

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: CurrentH_prolog3Thread$__wcsdup
String ID:
API String ID: 190065205-0
Opcode ID: df82f62d555ac0b9776dc06a09242f271098971ecb96c439b16123e4286659e6
Instruction ID: 7776802235176a39efefd84501a7481d3a51d7c6845dcba5b5f3b774c3c3c435
Opcode Fuzzy Hash: df82f62d555ac0b9776dc06a09242f271098971ecb96c439b16123e4286659e6
Instruction Fuzzy Hash: 3A216CB0901B458FC7718F6E864568AFAE8BFA4704F108D2FD1AAC7B21DBB5A045CF45

Function 6C8A1D07 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 6C8A1D33
SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 6C8A1D5E
GetCapture.USER32 ref: 6C8A1D70
SendMessageW.USER32(00000000,0000001F,00000000,00000000), ref: 6C8A1D7F

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: MessageSend$Capture
String ID:
API String ID: 1665607226-0
Opcode ID: cc8327cc3e0204de4279df88357f3708bff8021c1a7736af1523193119339526
Instruction ID: 6abc0d34f400a54387f6062fccc5cafb8611ce221c2f9ab6b0b6bbc2befb8fd8
Opcode Fuzzy Hash: cc8327cc3e0204de4279df88357f3708bff8021c1a7736af1523193119339526
Instruction Fuzzy Hash: 790171313502947BDF301BA68DCDFDB3E7ADFCEB15F110478B6059A1E6CAA18805DA60

Function 6C896A83 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C896A8A

Part of subcall function 6C8968E2: _malloc.LIBCMT ref: 6C896900

__CxxThrowException@8.LIBCMT ref: 6C896AC0
FormatMessageW.KERNEL32(00001100,00000000,?,00000800,6C8916A6,00000000,00000000,?,?,6C8BD898,00000004,6C8916A6,00000000,6C8969F9,00000000), ref: 6C896AEA
LocalFree.KERNEL32(6C8916A6,6C8916A6,00000000,6C8969F9,00000000), ref: 6C896B12

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: Exception@8FormatFreeH_prolog3LocalMessageThrow_malloc
String ID:
API String ID: 1776251131-0
Opcode ID: 2e7cdc7346e70c9959d32f9cd3759f7c60c4062a5982b2e799d2456e16586b74
Instruction ID: 472a563c4d7c5a4eea4653a542e24b44a879f0cdc754842bf12e7df512f8d164
Opcode Fuzzy Hash: 2e7cdc7346e70c9959d32f9cd3759f7c60c4062a5982b2e799d2456e16586b74
Instruction Fuzzy Hash: CF114C7164020AAFDF149FACCE40AAA7BB5EF48314F24C939B525DA690E73189509B94

Function 6C89D159 Relevance: 6.1, APIs: 4, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.ADVAPI32(00000000,?,00000000,00000004,?,00000004), ref: 6C89D194
RegCloseKey.ADVAPI32(00000000), ref: 6C89D19D
swprintf.LIBCMT ref: 6C89D1BA
WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 6C89D1CB

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: ClosePrivateProfileStringValueWriteswprintf
String ID:
API String ID: 22681860-0
Opcode ID: 91dc12f8218bac324db83003c211cf4ebb383c66c4623ed39ec988ad3c0b2678
Instruction ID: bf1aea4188f773eb5daeeda58d37b179c3cea9ff5d5440d2f6063cce188256a7
Opcode Fuzzy Hash: 91dc12f8218bac324db83003c211cf4ebb383c66c4623ed39ec988ad3c0b2678
Instruction Fuzzy Hash: BC01657260120DABDB209F688D45FAFB7BCAF49758F10082AF911A7640DB75ED0587A4

Function 6C897287 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 6C8968E2: _malloc.LIBCMT ref: 6C896900

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 6C8972BB
GetCurrentProcess.KERNEL32(?,00000000), ref: 6C8972C1
DuplicateHandle.KERNEL32(00000000), ref: 6C8972C4
GetLastError.KERNEL32(?), ref: 6C8972DF

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: CurrentProcess$DuplicateErrorHandleLast_malloc
String ID:
API String ID: 3704204646-0
Opcode ID: e6076de5981e7cc2aa0de2533d10a758ed901022e1f78846b0911c4117aa7390
Instruction ID: ac38b4fe200f74e8366957406bdf1e7c5a25bee24ab624fd02c9b46512d6def9
Opcode Fuzzy Hash: e6076de5981e7cc2aa0de2533d10a758ed901022e1f78846b0911c4117aa7390
Instruction Fuzzy Hash: 51018831700605BBDB209BADCD49F5A7BA9DF85754F144829F505DB681EF71DC00C760

Function 6C8A0F8D Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

GetTopWindow.USER32(?), ref: 6C8A0F9D
GetTopWindow.USER32(00000000), ref: 6C8A0FDC
GetWindow.USER32(00000000,00000002), ref: 6C8A0FFA

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 8c5c144595c652748428e3d9de1915c401a97f60b93c7aa10959f886fbeb1f92
Instruction ID: ebeb2d90bdd639784f3c92590677045186c33583b6ea4e41d3d85fed6861691e
Opcode Fuzzy Hash: 8c5c144595c652748428e3d9de1915c401a97f60b93c7aa10959f886fbeb1f92
Instruction Fuzzy Hash: F1018C3200565ABBCF221FD58E08EDF3F26AF4D399F004421FA1261560C736C532EBA5

Function 6C8AEC63 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 6C8AEC89

Part of subcall function 6C8AEAAE: __fltout2.LIBCMT ref: 6C8AEADA

__cftog_l.LIBCMT ref: 6C8AECAF
__cftoe_l.LIBCMT ref: 6C8AECE1

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: a18d6a13e0d1c761d10264d2e28ef20481bfdd1f82d6d827cd4a194d4c965ed8
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: 6C11727245014EBBCF225FC4CE018DD3F62BB19358F158C14FA2855530D736C6B2AB81

Function 6C8A03CF Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 6C8A03DC
GetTopWindow.USER32(00000000), ref: 6C8A03EF

Part of subcall function 6C8A03CF: GetWindow.USER32(00000000,00000002), ref: 6C8A0436

GetTopWindow.USER32(?), ref: 6C8A041F

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: 337e0bddee2fb9fa83ba351097ef2f17e5fd54b03fed4dd729f8793a91f1d9c7
Instruction ID: 26a4de6a7b7a418da6f0bb70b7822f156e06314926f60a6cd6d7635e795ef4c1
Opcode Fuzzy Hash: 337e0bddee2fb9fa83ba351097ef2f17e5fd54b03fed4dd729f8793a91f1d9c7
Instruction Fuzzy Hash: CC01B13610759A6FCB322EA68E04E8F3B29BF4539DF048931FD1995501D731C51386D6

Function 6C89CD66 Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 6C89CD75
GetSystemMetrics.USER32(0000000C), ref: 6C89CD7C
GetSystemMetrics.USER32(00000002), ref: 6C89CD83
GetSystemMetrics.USER32(00000003), ref: 6C89CD8D

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: 9b5f5449f8b47f67c1634a75eb74484cc4ac87ff07650bb8fdb58a31828e1ed4
Instruction ID: a5b8e042bc610044724eb98231dbb3cf0d2c7829a42932ddb0030a700392e16d
Opcode Fuzzy Hash: 9b5f5449f8b47f67c1634a75eb74484cc4ac87ff07650bb8fdb58a31828e1ed4
Instruction Fuzzy Hash: 3EF06DB1F40715BAEB205B728C49F667F78EB46765F004527E6058B280CAB59801CFD0

Function 6C89C220 Relevance: 6.0, APIs: 4, Instructions: 38COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(6C8C34A8), ref: 6C89C25A
RtlInitializeCriticalSection.NTDLL(?), ref: 6C89C26C
RtlLeaveCriticalSection.NTDLL(6C8C34A8), ref: 6C89C279
RtlEnterCriticalSection.NTDLL(?), ref: 6C89C289

Part of subcall function 6C896DC1: __CxxThrowException@8.LIBCMT ref: 6C896DD7
Part of subcall function 6C896DC1: __EH_prolog3.LIBCMT ref: 6C896DE4

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: CriticalSection$Enter$Exception@8H_prolog3InitializeLeaveThrow
String ID:
API String ID: 2895727460-0
Opcode ID: d845d2f6c2a51eb38dedfdd91e6965dc496f07872bba0cff07357a46fe4c58ef
Instruction ID: 7410a8ea3960beb7f0f4d5b6d0c0c55c6b0348d5105bf4c6724d453a30d7da4c
Opcode Fuzzy Hash: d845d2f6c2a51eb38dedfdd91e6965dc496f07872bba0cff07357a46fe4c58ef
Instruction Fuzzy Hash: 98F0C8322001056FCA301BDD9D857857B79EBE2319F150C26E11443902CB35D942C5E6

Function 6C89BA5B Relevance: 6.0, APIs: 4, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(6C8C32EC), ref: 6C89BA69
TlsGetValue.KERNEL32(6C8C32D0,?,?,?,?,6C89C0B7,?,00000004,6C89AF00,6C896DDD,6C8968AD,?,6C8A4902,?), ref: 6C89BA7D
RtlLeaveCriticalSection.NTDLL(6C8C32EC), ref: 6C89BA93
RtlLeaveCriticalSection.NTDLL(6C8C32EC), ref: 6C89BA9E

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: CriticalSection$Leave$EnterValue
String ID:
API String ID: 3969253408-0
Opcode ID: 05669f309a311cd3a94b59eaa7642662428918c7e2c556bfa4ef155d41542c78
Instruction ID: 4e38c9e843679a65ede05ec3c42dd5b3502a8cc07cdf514dfcb04a2ad873771e
Opcode Fuzzy Hash: 05669f309a311cd3a94b59eaa7642662428918c7e2c556bfa4ef155d41542c78
Instruction Fuzzy Hash: 33F05E763062059FD7308F5CC988C1AF7FDEB853A831A4836E65D93601D630F846DBA0

Function 6C8B057A Relevance: 6.0, APIs: 4, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6C8B0586

Part of subcall function 6C8AA27F: __getptd_noexit.LIBCMT ref: 6C8AA282
Part of subcall function 6C8AA27F: __amsg_exit.LIBCMT ref: 6C8AA28F

__getptd.LIBCMT ref: 6C8B059D
__amsg_exit.LIBCMT ref: 6C8B05AB
__lock.LIBCMT ref: 6C8B05BB

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 4009ebf5eda3db761a600fc070536e49e6079434bb9a29f078aaae0a646372bb
Instruction ID: 8029a4edbef8ef23b4ba8c33288a99a37188de2e0d9a8676b13c12ad56446c4f
Opcode Fuzzy Hash: 4009ebf5eda3db761a600fc070536e49e6079434bb9a29f078aaae0a646372bb
Instruction Fuzzy Hash: E3F06DB2901B148FDA30AFAC8705BC932A06B00728F514D699450B7FA0CB78A64ACF51

Function 6C8A020C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6C8A029B
SendMessageW.USER32(00000000,00000433,00000000,?), ref: 6C8A02C4

Strings

,, xrefs: 6C8A02BA

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: MessageSend_memset
String ID: ,
API String ID: 1827994538-3772416878
Opcode ID: df3ef745ea1d58794270897cea7cf0f748eba3a3d916f40978c3d53784afcba0
Instruction ID: dddfb26afab66cf51a9193b687c5dcac5ae22a62ffcd03cae2ba7dcb3326731f
Opcode Fuzzy Hash: df3ef745ea1d58794270897cea7cf0f748eba3a3d916f40978c3d53784afcba0
Instruction Fuzzy Hash: 6F31CE306017509FDB219FF9CA84A9DB7F4BF49318F200A3DE55697A90DB30E805CB94

Function 6C89A698 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

Part of subcall function 6C89A59C: GetModuleHandleW.KERNEL32(KERNEL32,6C89A6B6), ref: 6C89A5AA
Part of subcall function 6C89A59C: GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 6C89A5CB
Part of subcall function 6C89A59C: GetProcAddress.KERNEL32(ReleaseActCtx), ref: 6C89A5DD
Part of subcall function 6C89A59C: GetProcAddress.KERNEL32(ActivateActCtx), ref: 6C89A5EF
Part of subcall function 6C89A59C: GetProcAddress.KERNEL32(DeactivateActCtx), ref: 6C89A601

GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 6C89A6D0
SetLastError.KERNEL32(0000006F), ref: 6C89A6E7

Strings

, xrefs: 6C89A705

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: AddressProc$Module$ErrorFileHandleLastName
String ID:
API String ID: 2524245154-3916222277
Opcode ID: 9001ba3ae5798f97f67e1159ccc896fd1b0a2372c9eced45d09c29ab6b5cb8a8
Instruction ID: cdcae920ed24d3714d28682f287805ce1a433bf6e64eb19f0fd82a1cb000073e
Opcode Fuzzy Hash: 9001ba3ae5798f97f67e1159ccc896fd1b0a2372c9eced45d09c29ab6b5cb8a8
Instruction Fuzzy Hash: F9215070D00218AEDB30DF79C9987DEB7B4BF05328F508AADD069D6280DB749A89DF50

Function 6C898E50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 6C898E78
PathFindExtensionW.SHLWAPI(?), ref: 6C898E8E

Part of subcall function 6C898BDF: __EH_prolog3_GS.LIBCMT ref: 6C898BE9
Part of subcall function 6C898BDF: GetModuleHandleW.KERNEL32(kernel32.dll,00000260,6C898EB7,?,?), ref: 6C898C19
Part of subcall function 6C898BDF: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 6C898C2D
Part of subcall function 6C898BDF: ConvertDefaultLocale.KERNEL32(?), ref: 6C898C69
Part of subcall function 6C898BDF: ConvertDefaultLocale.KERNEL32(?), ref: 6C898C77
Part of subcall function 6C898BDF: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 6C898C94
Part of subcall function 6C898BDF: ConvertDefaultLocale.KERNEL32(?), ref: 6C898CBF
Part of subcall function 6C898BDF: ConvertDefaultLocale.KERNEL32(000003FF), ref: 6C898CC8
Part of subcall function 6C898BDF: GetModuleFileNameW.KERNEL32(6C890000,?,00000105), ref: 6C898D7F

Strings

%s%s.dll, xrefs: 6C898E99

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: ConvertDefaultLocale$Module$AddressFileNameProc$ExtensionFindH_prolog3_HandlePath
String ID: %s%s.dll
API String ID: 1311856149-1649984862
Opcode ID: d069dae87a525abac206443c9d1c3a9fd10900b7bd2185278c8bbe66465336a9
Instruction ID: 36dc57b2ae14d8213576c4b0a8b2ecb5c4861edbf6578ab076363e3141d73e47
Opcode Fuzzy Hash: d069dae87a525abac206443c9d1c3a9fd10900b7bd2185278c8bbe66465336a9
Instruction Fuzzy Hash: 9F018672A11519AFCB21DBACD985DEFB7F9FF4A304F01087AA505EB240DA70DA05CB94

Function 6C8AC53C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6C8A5017: __getptd.LIBCMT ref: 6C8A501D
Part of subcall function 6C8A5017: __getptd.LIBCMT ref: 6C8A502D

__getptd.LIBCMT ref: 6C8AC54B

Part of subcall function 6C8AA27F: __getptd_noexit.LIBCMT ref: 6C8AA282
Part of subcall function 6C8AA27F: __amsg_exit.LIBCMT ref: 6C8AA28F

__getptd.LIBCMT ref: 6C8AC559

Strings

csm, xrefs: 6C8AC567

Memory Dump Source

Source File: 00000002.00000002.1823207048.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true

Associated: 00000002.00000002.1823187912.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1823353967.000000006C8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6c890000_DZIPR.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: a711b0bedc9af858f1a86284ce073587ea150faf51f5d3325d337f2bcfad7745
Instruction ID: 551bc56631350844f346044f3842dde22f65958ee53ff45ccbcb55526cc76700
Opcode Fuzzy Hash: a711b0bedc9af858f1a86284ce073587ea150faf51f5d3325d337f2bcfad7745
Instruction Fuzzy Hash: AF018B708053018BCF30AFE6C64069EBFB5BF10218F640C2EE4509AE52EB328A96DF41

Analysis Process: DZIPR.exePID: 7056, Parent PID: 1044COMMON

Executed Functions

Function 6F8963F0 Relevance: 4.7, APIs: 3, Instructions: 239
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(00000000), ref: 6F896602
VirtualProtect.KERNELBASE(?,?,00000040,00000000), ref: 6F89663B
VirtualProtect.KERNELBASE(?,?,?,00000000,?), ref: 6F896654

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 6f0aacfc2c187fce142084fc89317a85915c6eb7af70b71572f7478fbcdfd530
Instruction ID: 003e144786f6e58125a7a595472bc8fd4105e5060ead9cdf47d48a4cf7e4949f
Opcode Fuzzy Hash: 6f0aacfc2c187fce142084fc89317a85915c6eb7af70b71572f7478fbcdfd530
Instruction Fuzzy Hash: 98A1BD306087558FC315CF6CC89066AFBE2BFCA304F0989AEE8959B256D731E955CBC1

Function 6F895CA0 Relevance: 3.4, APIs: 2, Instructions: 353
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: LibraryLoad_memset
String ID:
API String ID: 2997193564-0
Opcode ID: ef81d5b86e1abce2a70dfb6e3ee866cd389735145dc0944f1b217b9e8cc4b2da
Instruction ID: 971c97aba5517516d62903588c51ebaf75fe51d2e92291242992ebc006a3c803
Opcode Fuzzy Hash: ef81d5b86e1abce2a70dfb6e3ee866cd389735145dc0944f1b217b9e8cc4b2da
Instruction Fuzzy Hash: 02E16BB0A08B069FC718CF1DC49062AFBE1FF89314F5589AEE8999B351D730B955CB81

Function 6F895E70 Relevance: 1.5, APIs: 1, Instructions: 248
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNELBASE(00000000,007F50EB), ref: 6F895ECA

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 1163dfc213c13d9f4ebba4199dea4c4d0f43a890a7a2f9df981bc2cb0749085a
Instruction ID: 71e5f7b257e959065475d92519b46ee5544d96d97bed26fb8277d2059c34085c
Opcode Fuzzy Hash: 1163dfc213c13d9f4ebba4199dea4c4d0f43a890a7a2f9df981bc2cb0749085a
Instruction Fuzzy Hash: 49A170706087168FCB08CF2CC5D062AB7E2BF89315F54899EE8969B356D730B965CBC1

Function 6F89BC4E Relevance: 16.6, APIs: 11, Instructions: 106
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEnterCriticalSection.NTDLL(6F8C32EC), ref: 6F89BC61
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,6F8C32D0,6F8C32D0,?,6F89C0A4,00000004,6F89AF00,6F896DDD,6F8968AD,?,6F8A4902,?), ref: 6F89BCB7
GlobalHandle.KERNEL32(00E6C770), ref: 6F89BCC0
GlobalUnlock.KERNEL32(00000000), ref: 6F89BCCA
GlobalReAlloc.KERNEL32(?,00000000,00002002), ref: 6F89BCE3
GlobalHandle.KERNEL32(00E6C770), ref: 6F89BCF5
GlobalLock.KERNEL32(00000000), ref: 6F89BCFC
RtlLeaveCriticalSection.NTDLL(00000000), ref: 6F89BD05
GlobalLock.KERNEL32(00000000), ref: 6F89BD11
_memset.LIBCMT ref: 6F89BD2B
RtlLeaveCriticalSection.NTDLL(00000000), ref: 6F89BD59

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
String ID:
API String ID: 496899490-0
Opcode ID: 39b13a67e216287b86500ef8ebcc15c6084ee9b0b275830ff20113c43d08b359
Instruction ID: 23a0ce2770c6de47268b89d0bdc253fe992c77867465488a5eaf7aa811c7bbb7
Opcode Fuzzy Hash: 39b13a67e216287b86500ef8ebcc15c6084ee9b0b275830ff20113c43d08b359
Instruction Fuzzy Hash: C631E071A04B06AFDB248F6CC889A4A7BF9FF41314B044DAEE652DB640DB30F941CB90

Function 6F8964E0 Relevance: 4.7, APIs: 3, Instructions: 151
librarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(00000000), ref: 6F896602
VirtualProtect.KERNELBASE(?,?,00000040,00000000), ref: 6F89663B

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: LibraryLoadProtectVirtual
String ID:
API String ID: 3279857687-0
Opcode ID: 1ef0e04817065eb4736f48531155d31efaa0a47aae4a88dc0b0b5d3156e091a8
Instruction ID: ff4d67c181720782c429c8022bcfc145f9fb15a9fa6b8914ab12bc1f6bae4221
Opcode Fuzzy Hash: 1ef0e04817065eb4736f48531155d31efaa0a47aae4a88dc0b0b5d3156e091a8
Instruction Fuzzy Hash: 0851D1306087558FC715CF1CC8D062AFBE6AFCA308F1989AEE8854B316C631E946CBD1

Function 6F896750 Relevance: 1.6, APIs: 1, Instructions: 109
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,?,00000000,?,00000000,?,?,?,?,6F8BC168), ref: 6F896300

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: c8cb43c2869fc21107a4bb9c21c97de207f76bde4b08a66ebfe633a99588b040
Instruction ID: 5497f634f414a0ebd413398351aa586b08cc1665d92806baaada37cdf20fd207
Opcode Fuzzy Hash: c8cb43c2869fc21107a4bb9c21c97de207f76bde4b08a66ebfe633a99588b040
Instruction Fuzzy Hash: 8F4180316087058FC708CF1DC89066AB7E6FFC6314F1989ADA8899B315D631F855DBC1

Function 6F8962D0 Relevance: 1.6, APIs: 1, Instructions: 97
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,?,00000000,?,00000000,?,?,?,?,6F8BC168), ref: 6F896300

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 89314ee9aa49c183c4e84f3cb910e2e8daf892f9812eb586e2da95fbaa988f73
Instruction ID: f5ad114ff3fc6c40932611ad3bfa2f99b694ccd4510844e261ee98f849baca7d
Opcode Fuzzy Hash: 89314ee9aa49c183c4e84f3cb910e2e8daf892f9812eb586e2da95fbaa988f73
Instruction Fuzzy Hash: FA31AE31A08B068FC718CF19C89466AB7E2FFC6314F1989ADE8965B316D630F855CBC1

Function 6F89C050 Relevance: 1.5, APIs: 1, Instructions: 43
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 6F89C057

Part of subcall function 6F896DC1: __CxxThrowException@8.LIBCMT ref: 6F896DD7
Part of subcall function 6F896DC1: __EH_prolog3.LIBCMT ref: 6F896DE4

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw
String ID:
API String ID: 2489616738-0
Opcode ID: 4e7cfe7c913baafed5de1200db9e14fc7112ae82bab233604d5f97d5417aff1b
Instruction ID: 81f52702e97eb723a133f6f5e6acfbfe7c53c1c0ccb0bf5fd628c69e65f0d871
Opcode Fuzzy Hash: 4e7cfe7c913baafed5de1200db9e14fc7112ae82bab233604d5f97d5417aff1b
Instruction Fuzzy Hash: 19011A30601703ABEF19AF6C881566D76A2AF42365F108DEDE4528F2D0DF72DA52CB51

Function 6F8960F0 Relevance: 1.5, APIs: 1, Instructions: 33
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000004,00000080,00000000), ref: 6F8960F6

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9a408965029ea9c11fac01d9986274c265f6889a0c4e1455ebd34abeafcfd108
Instruction ID: 741a983c684667644d1cf8051baf246afc7511f2db2118fa1f7440a7df2b54ff
Opcode Fuzzy Hash: 9a408965029ea9c11fac01d9986274c265f6889a0c4e1455ebd34abeafcfd108
Instruction Fuzzy Hash: 4001E8B4A087019FC718CF0AC8D090ABBE6FFC9314F5685ADA84897316C630E855CF85

Function 6F8AA6F4 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,?,6F8A4776,00000001,?,?,?,6F8A48EF,?,?,?,6F8BE848,0000000C,6F8A49AA), ref: 6F8AA709

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 04a03a4151554c5d784c3ad879ff3add9ca0e1fd2511a439b0da0055f9d4bacc
Instruction ID: 1d458078bd5aee3c8715d19f8f383e5d19a3b0b886592d7a3f199df466a6618e
Opcode Fuzzy Hash: 04a03a4151554c5d784c3ad879ff3add9ca0e1fd2511a439b0da0055f9d4bacc
Instruction Fuzzy Hash: 82D05E72598745AADF009F755C087263BECD7857A6F1448B5F80CCA180E6B0D5A1CA84

Non-executed Functions

Function 6F89748E Relevance: 12.1, APIs: 8, Instructions: 126filestringCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6F897498
GetFullPathNameW.KERNEL32(00000000,00000104,00000000,?,00000268,6F8976D5,?,00000000,?,00000000,00000104,00000000,?,6F8BBEF4,00000000), ref: 6F8974D6

Part of subcall function 6F896DC1: __CxxThrowException@8.LIBCMT ref: 6F896DD7
Part of subcall function 6F896DC1: __EH_prolog3.LIBCMT ref: 6F896DE4

PathIsUNCW.SHLWAPI(?,00000000,?), ref: 6F897546
GetVolumeInformationW.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 6F89756D
CharUpperW.USER32(00000000), ref: 6F8975A0
FindFirstFileW.KERNEL32(?,?), ref: 6F8975BC
FindClose.KERNEL32(00000000), ref: 6F8975C8
lstrlenW.KERNEL32(?), ref: 6F8975E6

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: FindPath$CharCloseException@8FileFirstFullH_prolog3H_prolog3_InformationNameThrowUpperVolumelstrlen
String ID:
API String ID: 624941980-0
Opcode ID: ec3415edc1c345697906c283c5cda2602787a03ba3750c53e555410139ed4e65
Instruction ID: c3792f46bfcd13e07062c7cda9884284b5db5b874294c6de34ebada946bb3493
Opcode Fuzzy Hash: ec3415edc1c345697906c283c5cda2602787a03ba3750c53e555410139ed4e65
Instruction Fuzzy Hash: 9D41C67190871AABDF199F7CCC8CBAE7B78AF01314F000AD9E82999191DB359E95CF50

Function 6F8A2932 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 244COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6F8A2962

Strings

AfxMDIFrame90su, xrefs: 6F8A2A03
@, xrefs: 6F8A2B07
@, xrefs: 6F8A2A6E
AfxFrameOrView90su, xrefs: 6F8A2A28

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: _memset
String ID: @$@$AfxFrameOrView90su$AfxMDIFrame90su
API String ID: 2102423945-1093365818
Opcode ID: 0847d195dd83011e56615ce1582dc8d5baf280c5806e5e8098fba8caf8f1da94
Instruction ID: 6c7f12c82362954ca1ffa25ceb834f4e39775f40de755e409e9b77d728469d4c
Opcode Fuzzy Hash: 0847d195dd83011e56615ce1582dc8d5baf280c5806e5e8098fba8caf8f1da94
Instruction Fuzzy Hash: 1E910E71D0030DBEDB50CFA9C585BDEBBE8EF48348F1095A6E918EA180E7799645C7A0

Function 6F8A3F34 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 6F8A7C6C
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6F8A7C81
UnhandledExceptionFilter.KERNEL32(6F8BA4B8), ref: 6F8A7C8C
GetCurrentProcess.KERNEL32(C0000409), ref: 6F8A7CA8
TerminateProcess.KERNEL32(00000000), ref: 6F8A7CAF

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: bd132acd10a4b2d6728c6dadbdb1aedebc9bc18c2d73a69c15a4e72cfe3b815a
Instruction ID: c8b5483f7e2cef3f59aad3f684d2c66844eba9e0d594967637981ca47e0d9665
Opcode Fuzzy Hash: bd132acd10a4b2d6728c6dadbdb1aedebc9bc18c2d73a69c15a4e72cfe3b815a
Instruction Fuzzy Hash: 1D21CBB4806B05AFDF40DF29D8896497BF4FB0A324F9045DAE5098F390E7B159A6CF81

Function 6F8989B5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000800,00000003,?,00000004), ref: 6F8989FC
__snwprintf_s.LIBCMT ref: 6F898A2E
LoadLibraryW.KERNEL32(?), ref: 6F898A69

Part of subcall function 6F8A5348: __getptd_noexit.LIBCMT ref: 6F8A5348

Strings

LOC, xrefs: 6F8989DC

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: InfoLibraryLoadLocale__getptd_noexit__snwprintf_s
String ID: LOC
API String ID: 3175857669-519433814
Opcode ID: 6ac0b1ba8a5b9e682991826e59d82d06035f7f78b42f68808a09521dd87e7336
Instruction ID: 67b403b082af209ff36cbbf026fa13efa013406dd2b4b70dc5d186a4eece099a
Opcode Fuzzy Hash: 6ac0b1ba8a5b9e682991826e59d82d06035f7f78b42f68808a09521dd87e7336
Instruction Fuzzy Hash: 6511D571A55309BEDB109B7CCC45BAD77ECEB42319F400CE5A110AF0C0DBB59A44C7A1

Function 6F8A04EE Relevance: 6.0, APIs: 4, Instructions: 42keyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 6F8A2C57: GetWindowLongW.USER32(?,000000F0), ref: 6F8A2C62

GetKeyState.USER32(00000010), ref: 6F8A0514
GetKeyState.USER32(00000011), ref: 6F8A051D
GetKeyState.USER32(00000012), ref: 6F8A0526
SendMessageW.USER32(?,00000111,0000E146,00000000), ref: 6F8A053C

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: 6a9346b889d1bc3e60a32e7dff313c5f38ead5a77878c15b05463b17a875aef4
Instruction ID: 8fe995fb9db06cacf8e5353266a1f44189f06e5008b16cbf18e199c371d382b0
Opcode Fuzzy Hash: 6a9346b889d1bc3e60a32e7dff313c5f38ead5a77878c15b05463b17a875aef4
Instruction Fuzzy Hash: 49F0893578079FB5EA14267D4D81FF92526EF85BD4F002CB26655BE0D4CFA3D4128670

Function 6F89E5F6 Relevance: 3.0, APIs: 2, Instructions: 28nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 6F89E61F
CallWindowProcW.USER32(?,?,?,?,?), ref: 6F89E634

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: Window$CallNtdllProcProc_
String ID:
API String ID: 1646280189-0
Opcode ID: 69bda81817956052ab26b4cbeda10e9c1730d2dd0a7c648fa532bcb6abc921ca
Instruction ID: f309a8989eefb43cce9dd2e4a0de0b090a0e629014a38f29c2edc21b41bd4306
Opcode Fuzzy Hash: 69bda81817956052ab26b4cbeda10e9c1730d2dd0a7c648fa532bcb6abc921ca
Instruction Fuzzy Hash: E3F09E36104605EBCF125F99D804D967FB5FF0D761B048459F9598A520D732E421EB54

Function 6F8A0D95 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68e0d7b8c7fc5efe0318f77f02e9c077c3c5977bfaebe6bc412c489222ff5a1a
Instruction ID: 72465f642d04ba44233de79b981ed894b6652fbc52afb1d3f925b5ea22a1d79e
Opcode Fuzzy Hash: 68e0d7b8c7fc5efe0318f77f02e9c077c3c5977bfaebe6bc412c489222ff5a1a
Instruction Fuzzy Hash: 33F01C3344562DBBCF025EA58D04DDB3B6AEF09365B009991FA64AD050C732E531DBA2

Function 6F898BDF Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 159libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6F898BE9
GetModuleHandleW.KERNEL32(kernel32.dll,00000260,6F898EB7,?,?), ref: 6F898C19
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 6F898C2D
ConvertDefaultLocale.KERNEL32(?), ref: 6F898C69
ConvertDefaultLocale.KERNEL32(?), ref: 6F898C77
GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 6F898C94
ConvertDefaultLocale.KERNEL32(?), ref: 6F898CBF
ConvertDefaultLocale.KERNEL32(000003FF), ref: 6F898CC8
GetModuleHandleW.KERNEL32(ntdll.dll), ref: 6F898CE1
EnumResourceLanguagesW.KERNEL32(00000000,00000010,00000001,Function_000084C0,?), ref: 6F898CFE
ConvertDefaultLocale.KERNEL32(?), ref: 6F898D31
ConvertDefaultLocale.KERNEL32(00000000), ref: 6F898D3A
GetModuleFileNameW.KERNEL32(6F890000,?,00000105), ref: 6F898D7F
_memset.LIBCMT ref: 6F898D9F

Strings

GetUserDefaultUILanguage, xrefs: 6F898C21
kernel32.dll, xrefs: 6F898C02
ntdll.dll, xrefs: 6F898CDC
GetSystemDefaultUILanguage, xrefs: 6F898C79

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: ConvertDefaultLocale$Module$AddressHandleProc$EnumFileH_prolog3_LanguagesNameResource_memset
String ID: GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
API String ID: 3537336938-2299501126
Opcode ID: 9aa598e1714b6cf0712a60c4d2d2698704635bce45fe4ae218a0d703e9bc1b28
Instruction ID: df8fc4a51039860b002ef516709aa43dc1c654da54273d306c28a416021de8c9
Opcode Fuzzy Hash: 9aa598e1714b6cf0712a60c4d2d2698704635bce45fe4ae218a0d703e9bc1b28
Instruction Fuzzy Hash: 8D515F70D0522AAECB64DFA9DC887ADB7B4EF58314F5005DAE448EB280D7749E81CF54

Function 6F89DCCE Relevance: 29.8, APIs: 8, Strings: 9, Instructions: 82libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(USER32,00000000,00000000,75C04A40,6F89DE36,?,?,?,?,?,?,?,6F89FCC6,00000000,00000002,00000028), ref: 6F89DCF9
GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 6F89DD15
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 6F89DD2A
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 6F89DD3B
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 6F89DD4C
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 6F89DD5D
GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesW), ref: 6F89DD6E
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 6F89DD8E

Strings

GetMonitorInfoW, xrefs: 6F89DD81
GetMonitorInfoA, xrefs: 6F89DD88
EnumDisplayDevicesW, xrefs: 6F89DD68
USER32, xrefs: 6F89DCEF
MonitorFromWindow, xrefs: 6F89DD24
MonitorFromRect, xrefs: 6F89DD35
EnumDisplayMonitors, xrefs: 6F89DD57
MonitorFromPoint, xrefs: 6F89DD46
GetSystemMetrics, xrefs: 6F89DD0F

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetMonitorInfoA$GetMonitorInfoW$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-2451437823
Opcode ID: 7be1f431a37f85c81ebbfcdd37d18c9869dbfc9989e6ebad46587a469d43883e
Instruction ID: 868f4e7aad2e5b950189f39458ffb18fa45ce4a4b025e1ecfac323794a3c0841
Opcode Fuzzy Hash: 7be1f431a37f85c81ebbfcdd37d18c9869dbfc9989e6ebad46587a469d43883e
Instruction Fuzzy Hash: 83215B72828A65AF9B00AF788CC446A7AE5B6DB2257119DFFD045EA308C3B010E5CB94

Function 6F8A19AE Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 153COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6F8A19B8

Part of subcall function 6F89C050: __EH_prolog3.LIBCMT ref: 6F89C057

CallNextHookEx.USER32(?,?,?,?), ref: 6F8A19F8

Part of subcall function 6F896DC1: __CxxThrowException@8.LIBCMT ref: 6F896DD7
Part of subcall function 6F896DC1: __EH_prolog3.LIBCMT ref: 6F896DE4

_memset.LIBCMT ref: 6F8A1A51
GetClassLongW.USER32(?,000000E0), ref: 6F8A1A85
SetWindowLongW.USER32(?,000000FC,Function_00010D95), ref: 6F8A1ADA
GetClassNameW.USER32(?,?,00000100), ref: 6F8A1B20
GetWindowLongW.USER32(?,000000FC), ref: 6F8A1B46
GetPropW.USER32(?,AfxOldWndProc423), ref: 6F8A1B5D
SetPropW.USER32(?,AfxOldWndProc423,?), ref: 6F8A1B6F
GetPropW.USER32(?,AfxOldWndProc423), ref: 6F8A1B77
GlobalAddAtomW.KERNEL32(AfxOldWndProc423), ref: 6F8A1B86
SetWindowLongW.USER32(?,000000FC,Function_00011861), ref: 6F8A1B94
CallNextHookEx.USER32(?,00000003,?,?), ref: 6F8A1BA6
UnhookWindowsHookEx.USER32(?), ref: 6F8A1BBA

Strings

#32768, xrefs: 6F8A1A63, 6F8A1A68, 6F8A1B36
AfxOldWndProc423, xrefs: 6F8A1B56, 6F8A1B5B, 6F8A1B6D, 6F8A1B75, 6F8A1B85

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: Long$HookPropWindow$CallClassH_prolog3Next$AtomException@8GlobalH_prolog3_NameThrowUnhookWindows_memset
String ID: #32768$AfxOldWndProc423
API String ID: 4265692241-2141921550
Opcode ID: 325d901004c5f4b192bbc2cf537c1f639de5d93b374d5a14f0b65e4c1b2d9809
Instruction ID: 7862779581b72051a47369749d8b2c13699711971eb3e962b499126b72bbf1ba
Opcode Fuzzy Hash: 325d901004c5f4b192bbc2cf537c1f639de5d93b374d5a14f0b65e4c1b2d9809
Instruction Fuzzy Hash: CC51B171544B2AABCF159F28CC48B9A7BB8FF05365F0409D5F4199E1D0EB319A92CFA0

Function 6F89FBD6 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 175windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6F8A2C57: GetWindowLongW.USER32(?,000000F0), ref: 6F8A2C62

GetParent.USER32(?), ref: 6F89FC05
SendMessageW.USER32(00000000,0000036B,00000000,00000000), ref: 6F89FC28
GetWindowRect.USER32(?,?), ref: 6F89FC42
GetWindowLongW.USER32(00000000,000000F0), ref: 6F89FC58
CopyRect.USER32(?,?), ref: 6F89FCA5
CopyRect.USER32(?,?), ref: 6F89FCAF
GetWindowRect.USER32(00000000,?), ref: 6F89FCB8

Part of subcall function 6F89DE96: MultiByteToWideChar.KERNEL32(00000000,00000000,00000028,000000FF,00000028,00000020), ref: 6F89DED6

CopyRect.USER32(?,?), ref: 6F89FCD4

Strings

(, xrefs: 6F89FC6E

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: Rect$Window$Copy$Long$ByteCharMessageMultiParentSendWide
String ID: (
API String ID: 1385303425-3887548279
Opcode ID: 567aae9b3881052debed3c7e6a6c86bda250cea728662e8da0f6da8e25786184
Instruction ID: 5ae1262c67613512c4e4b79fd1cbe8a8154809272411babba3528c6e5fd42e8e
Opcode Fuzzy Hash: 567aae9b3881052debed3c7e6a6c86bda250cea728662e8da0f6da8e25786184
Instruction Fuzzy Hash: 79513E72904619AFDB04CFACCD84AEEBBB9AF48314F154595F915FB280DB30E941CB94

Function 6F8AA11F Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 57libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,6F8BE928,0000000C,6F8AA25A,00000000,00000000,?,6F8AA5D4,00000000,00000001,00000000,?,6F8AA89E,00000018,6F8BE978,0000000C), ref: 6F8AA131
__crt_waiting_on_module_handle.LIBCMT ref: 6F8AA13C

Part of subcall function 6F8A5BCF: Sleep.KERNEL32(000003E8,00000000,?,6F8AA082,KERNEL32.DLL,?,?,6F8AA416,00000000,?,6F8A488C,00000000,?,?,?,6F8A48EF), ref: 6F8A5BDB
Part of subcall function 6F8A5BCF: GetModuleHandleW.KERNEL32(00000000,?,6F8AA082,KERNEL32.DLL,?,?,6F8AA416,00000000,?,6F8A488C,00000000,?,?,?,6F8A48EF,?), ref: 6F8A5BE4

GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 6F8AA165
GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 6F8AA175
__lock.LIBCMT ref: 6F8AA197
InterlockedIncrement.KERNEL32(?), ref: 6F8AA1A4
__lock.LIBCMT ref: 6F8AA1B8
___addlocaleref.LIBCMT ref: 6F8AA1D6

Strings

DecodePointer, xrefs: 6F8AA16D
KERNEL32.DLL, xrefs: 6F8AA12B, 6F8AA130, 6F8AA13B
EncodePointer, xrefs: 6F8AA159

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1028249917-2843748187
Opcode ID: 05e6332d668e7bb1e77c3e706a825a38754fa804b8bf57ea5db168a2e15d1728
Instruction ID: 825c5c728b86c7ebefe555724611112b21fa10041bf24f57ef26296e5830e4b8
Opcode Fuzzy Hash: 05e6332d668e7bb1e77c3e706a825a38754fa804b8bf57ea5db168a2e15d1728
Instruction Fuzzy Hash: 57118E70805B01EED7218F69C804B5EBBE0EF45328F108DDED4AA9B790CB75AA81CF54

Function 6F8984DA Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 60libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32), ref: 6F898503
GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 6F898520
GetProcAddress.KERNEL32(00000000,ReleaseActCtx), ref: 6F89852D
GetProcAddress.KERNEL32(00000000,ActivateActCtx), ref: 6F89853A
GetProcAddress.KERNEL32(00000000,DeactivateActCtx), ref: 6F898547

Strings

KERNEL32, xrefs: 6F8984FE
ReleaseActCtx, xrefs: 6F898522
CreateActCtxW, xrefs: 6F89851A
ActivateActCtx, xrefs: 6F89852F
DeactivateActCtx, xrefs: 6F89853C

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ActivateActCtx$CreateActCtxW$DeactivateActCtx$KERNEL32$ReleaseActCtx
API String ID: 667068680-2424895508
Opcode ID: 5e93d76cd3a91556a48fc68cfe3deda86b3fa90122c6afcd02408b5c7bddceb4
Instruction ID: 8b6481a213e8d3150b91ad0f95fcdb22cffbf3c757eb8f61716ad1c9361e2075
Opcode Fuzzy Hash: 5e93d76cd3a91556a48fc68cfe3deda86b3fa90122c6afcd02408b5c7bddceb4
Instruction Fuzzy Hash: 541154B290D753EFCF14AF6D8C8A446BFA4AB4632634448FFE1099F200D7309856CB91

Function 6F89A59C Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32,6F89A6B6), ref: 6F89A5AA
GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 6F89A5CB
GetProcAddress.KERNEL32(ReleaseActCtx), ref: 6F89A5DD
GetProcAddress.KERNEL32(ActivateActCtx), ref: 6F89A5EF
GetProcAddress.KERNEL32(DeactivateActCtx), ref: 6F89A601

Part of subcall function 6F896DC1: __CxxThrowException@8.LIBCMT ref: 6F896DD7
Part of subcall function 6F896DC1: __EH_prolog3.LIBCMT ref: 6F896DE4

Strings

KERNEL32, xrefs: 6F89A5A5
ReleaseActCtx, xrefs: 6F89A5CD
CreateActCtxW, xrefs: 6F89A5C5
ActivateActCtx, xrefs: 6F89A5DF
DeactivateActCtx, xrefs: 6F89A5F1

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: AddressProc$Exception@8H_prolog3HandleModuleThrow
String ID: ActivateActCtx$CreateActCtxW$DeactivateActCtx$KERNEL32$ReleaseActCtx
API String ID: 417325364-2424895508
Opcode ID: 7fc57f962cf68787af89ca6f12460c6e9618ccb2db1809bc5864cfaa4a84588a
Instruction ID: 00c6a8a88021e43764d13eb27d688d4eec3b147938623012b20e66885e531af7
Opcode Fuzzy Hash: 7fc57f962cf68787af89ca6f12460c6e9618ccb2db1809bc5864cfaa4a84588a
Instruction Fuzzy Hash: 8CF07A74C0AA27BADF516FB59C495457E68A70637E70048DAA80197300D7749867CFC1

Function 6F89C8E2 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 128COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 6F89C91F
PathFindExtensionW.SHLWAPI(?), ref: 6F89C939
__wcsdup.LIBCMT ref: 6F89C983
__wcsdup.LIBCMT ref: 6F89C9C2
__wcsdup.LIBCMT ref: 6F89CA14
__wcsdup.LIBCMT ref: 6F89CA55

Strings

.HLP, xrefs: 6F89C9F9
.INI, xrefs: 6F89CA36
.CHM, xrefs: 6F89C9F2

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: __wcsdup$ExtensionFileFindModuleNamePath
String ID: .CHM$.HLP$.INI
API String ID: 2477486372-4017452060
Opcode ID: 776531b01fbcbb3c6651cd17148edeae8b94fbfd3b64b55187d41184104fb97f
Instruction ID: 5aae93535c6e2d3405085f45521b9786ef11ecfdd28bb615f3fc9d07220d6070
Opcode Fuzzy Hash: 776531b01fbcbb3c6651cd17148edeae8b94fbfd3b64b55187d41184104fb97f
Instruction Fuzzy Hash: E34163B190071AABDB14DB7DCC48A9AB3FDAF45314F000CE99555DF282EB32E984CB54

Function 6F8A1861 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6F8A1868
GetPropW.USER32(?,AfxOldWndProc423), ref: 6F8A1877
CallWindowProcW.USER32(?,?,00000110,?,00000000), ref: 6F8A18D1

Part of subcall function 6F8A0C2C: GetWindowRect.USER32(?,10000000), ref: 6F8A0C56

SetWindowLongW.USER32(?,000000FC,?), ref: 6F8A18F8
RemovePropW.USER32(?,AfxOldWndProc423), ref: 6F8A1900
GlobalFindAtomW.KERNEL32(AfxOldWndProc423), ref: 6F8A1907
GlobalDeleteAtom.KERNEL32(?), ref: 6F8A1911
CallWindowProcW.USER32(?,?,?,?,00000000), ref: 6F8A1965

Strings

AfxOldWndProc423, xrefs: 6F8A1870, 6F8A1875, 6F8A18FE, 6F8A1906

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: Window$AtomCallGlobalProcProp$DeleteFindH_prolog3_catchLongRectRemove
String ID: AfxOldWndProc423
API String ID: 2109165785-1060338832
Opcode ID: 7b9f4a2b5ee2c1dd08b0f0e92df86c1998c4a0c9295aa11c73177cab788ff512
Instruction ID: 02f81b7703c281aa4a537307abdb944d447e8351cb70278c4a74911df092dee3
Opcode Fuzzy Hash: 7b9f4a2b5ee2c1dd08b0f0e92df86c1998c4a0c9295aa11c73177cab788ff512
Instruction Fuzzy Hash: 79314C3240561ABBCF019FA8CD48DFF7B78EF0A315F040999F601AA190D7769925DBA1

Function 6F891C00 Relevance: 13.7, APIs: 9, Instructions: 159fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,?,00000000,?,?,?,?,?,6F891BE9,?,?,?,?), ref: 6F891C39
GetLastError.KERNEL32(?,?,?,?,?,6F891BE9,?,?,?,?), ref: 6F891C48
__aullrem.LIBCMT ref: 6F891C60
ReadFile.KERNEL32(?,?,?,?,00000000,?,?,?,00000000), ref: 6F891CE8
_memset.LIBCMT ref: 6F891CF5
SetFilePointer.KERNEL32(?,?,00000000,00000001,?,?,?,?,6F891BE9,?,?,?,?), ref: 6F891D07

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: File$Pointer$ErrorLastRead__aullrem_memset
String ID:
API String ID: 123228641-0
Opcode ID: 403d4c303705f6a8f0be57f372bcc112482b2affe1ce1a558746ab26f4323638
Instruction ID: aca0a6a9b219cf058ede198cd138a684bd3083daca0d223eee657c02e7d9f128
Opcode Fuzzy Hash: 403d4c303705f6a8f0be57f372bcc112482b2affe1ce1a558746ab26f4323638
Instruction Fuzzy Hash: B7514D75708B01AFD744DE2DC840B9BB7E8EF88764F004969F958DB240E770E905CBA2

Function 6F89BE0D Relevance: 13.6, APIs: 9, Instructions: 96memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6F89BE14
RtlEnterCriticalSection.NTDLL(00000000), ref: 6F89BE25
TlsGetValue.KERNEL32(?,?,00000000,?,00000004,6F89AF00,6F896DDD,6F8968AD,?,6F8A4902,?,?,?,?), ref: 6F89BE43
LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,6F89AF00,6F896DDD,6F8968AD,?,6F8A4902,?), ref: 6F89BE77
RtlLeaveCriticalSection.NTDLL(?), ref: 6F89BEE3
_memset.LIBCMT ref: 6F89BF02
TlsSetValue.KERNEL32(?,00000000), ref: 6F89BF13
RtlLeaveCriticalSection.NTDLL(00000000), ref: 6F89BF34

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: CriticalSection$LeaveValue$AllocEnterH_prolog3_catchLocal_memset
String ID:
API String ID: 1891723912-0
Opcode ID: b73a608a8362e9a64f992f05280dcff6984cc63234974ccb25bcd7cfd8b52f99
Instruction ID: 3f25ac0d1f876c86d6b53df4e05baf4851e754a960730de5d034e6e94017407d
Opcode Fuzzy Hash: b73a608a8362e9a64f992f05280dcff6984cc63234974ccb25bcd7cfd8b52f99
Instruction Fuzzy Hash: 85319E70504606EFDB14DF6CC885C5ABBB5FF01324B10C9AEE6669FA90CB31AA55CF90

Function 6F8981FA Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 117threadwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 6F89815A: GetParent.USER32(?), ref: 6F8981AE
Part of subcall function 6F89815A: GetLastActivePopup.USER32(?), ref: 6F8981BF
Part of subcall function 6F89815A: IsWindowEnabled.USER32(?), ref: 6F8981D3
Part of subcall function 6F89815A: EnableWindow.USER32(?,00000000), ref: 6F8981E6

EnableWindow.USER32(?,00000001), ref: 6F898247
GetWindowThreadProcessId.USER32(?,?), ref: 6F89825B
GetCurrentProcessId.KERNEL32(?,?), ref: 6F898265
SendMessageW.USER32(?,00000376,00000000,00000000), ref: 6F89827D
GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?), ref: 6F8982F9
EnableWindow.USER32(00000000,00000001), ref: 6F898340

Strings

0, xrefs: 6F8982D2

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: Window$Enable$Process$ActiveCurrentEnabledFileLastMessageModuleNameParentPopupSendThread
String ID: 0
API String ID: 1877664794-4108050209
Opcode ID: b64f9255806d44f062f48e495da75bf48404ffb26bf0d9c5c5d0ca7669d14ab7
Instruction ID: 1596ca59cf7416e6eadb09e389c0f1df9581dc74ba622d627300e116ca1f2747
Opcode Fuzzy Hash: b64f9255806d44f062f48e495da75bf48404ffb26bf0d9c5c5d0ca7669d14ab7
Instruction Fuzzy Hash: 50418371A44B1AAFDB248FA8CC88BDA77B4FF05310F5409D9E915EA180D770EA90CF90

Function 6F89DE96 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000028,000000FF,00000028,00000020), ref: 6F89DED6
SystemParametersInfoA.USER32(00000030,00000000,00000000,00000000), ref: 6F89DF00
GetSystemMetrics.USER32(00000000), ref: 6F89DF17
GetSystemMetrics.USER32(00000001), ref: 6F89DF1E
MultiByteToWideChar.KERNEL32(00000000,00000000,DISPLAY,000000FF,-00000028,00000020), ref: 6F89DF49

Strings

DISPLAY, xrefs: 6F89DF40
B, xrefs: 6F89DEE0

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: System$ByteCharMetricsMultiWide$InfoParameters
String ID: B$DISPLAY
API String ID: 381819527-3316187204
Opcode ID: 9472fecba584656bd58c1560caa70cbbf9e6ffabb143cace7f122ff9b45f2f58
Instruction ID: d2ba92526246af0f54f0797a82a1bd223fe6bfaeab3752d639aac74d8de77e1f
Opcode Fuzzy Hash: 9472fecba584656bd58c1560caa70cbbf9e6ffabb143cace7f122ff9b45f2f58
Instruction Fuzzy Hash: 6321F873504725ABDF108F688C85B9B7BAAEF46760F004596FD589F180D7B0E841CBE4

Function 6F89CD66 Relevance: 12.0, APIs: 8, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 6F89CD75
GetSystemMetrics.USER32(0000000C), ref: 6F89CD7C
GetSystemMetrics.USER32(00000002), ref: 6F89CD83
GetSystemMetrics.USER32(00000003), ref: 6F89CD8D
GetDC.USER32(00000000), ref: 6F89CD97
GetDeviceCaps.GDI32(00000000,00000058), ref: 6F89CDA8
GetDeviceCaps.GDI32(00000000,0000005A), ref: 6F89CDB0
ReleaseDC.USER32(00000000,00000000), ref: 6F89CDB8

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$Release
String ID:
API String ID: 1151147025-0
Opcode ID: b324a89bc299da2d5faf614fb8e08866c9493156f5be6b3a225d6b97ef81bba0
Instruction ID: 5e350b3641f7cac5356ee8ec0037a8124d4b7dec005659c3931090e72b260f93
Opcode Fuzzy Hash: b324a89bc299da2d5faf614fb8e08866c9493156f5be6b3a225d6b97ef81bba0
Instruction Fuzzy Hash: 8DF06DB1E40B15BAEB105B728C49F167F68EB46771F004556E6058B2C0CBB59822CFD0

Function 6F8A020C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6F8A029B
SendMessageW.USER32(00000000,00000433,00000000,?), ref: 6F8A02C4
GetWindowLongW.USER32(?,000000FC), ref: 6F8A02D6
GetWindowLongW.USER32(?,000000FC), ref: 6F8A02E7
SetWindowLongW.USER32(?,000000FC,?), ref: 6F8A0303

Strings

,, xrefs: 6F8A02BA

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: LongWindow$MessageSend_memset
String ID: ,
API String ID: 2997958587-3772416878
Opcode ID: e3c2f8814cf79f5e5bb33fe063655f7033f6aa0b212d1963bbc01b220b7e26fd
Instruction ID: d8056199044d2a6aa6bc407ac44fbc1dc2b906c00bfa042e7e5d274ba2fc210d
Opcode Fuzzy Hash: e3c2f8814cf79f5e5bb33fe063655f7033f6aa0b212d1963bbc01b220b7e26fd
Instruction Fuzzy Hash: 6231BD31600710AFDB15AFA8C884A5DBBA4FF48314B101AA9E5569F690DB32F800CB94

Function 6F89A200 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 101registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6F89A20A
RegOpenKeyW.ADVAPI32(80000001,?,?), ref: 6F89A2F0
RegEnumKeyW.ADVAPI32(?,00000000,?,00000104), ref: 6F89A30D
RegCloseKey.ADVAPI32(?), ref: 6F89A32D
RegQueryValueW.ADVAPI32(80000001,?,?,?), ref: 6F89A348

Strings

Software\, xrefs: 6F89A26E

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: CloseEnumH_prolog3_OpenQueryValue
String ID: Software\
API String ID: 1666054129-964853688
Opcode ID: ec183265d86417fa1efec824a327a93c56cc9397f07dce0276129516be5578a8
Instruction ID: 623634450c41cbda45c0182976d6aee3b1f95f8c3a13be8a2956e6f18e1ceb94
Opcode Fuzzy Hash: ec183265d86417fa1efec824a327a93c56cc9397f07dce0276129516be5578a8
Instruction Fuzzy Hash: 3C418031D05619BBCF21DBACDC88ADEB7BDAF49314F100AD9E019AA190DB359B81CF50

Function 6F89A082 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 6F89A08C
RegOpenKeyW.ADVAPI32(?,?,?), ref: 6F89A11A
RegEnumKeyW.ADVAPI32(?,00000000,?,00000104), ref: 6F89A13D

Part of subcall function 6F89A02D: __EH_prolog3.LIBCMT ref: 6F89A034

Strings

Software\Classes\, xrefs: 6F89A0CD

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: EnumH_prolog3H_prolog3_catch_Open
String ID: Software\Classes\
API String ID: 3518408925-1121929649
Opcode ID: cbb1132752505838ed64392a3e06a3cf7a5bac797d2efd32b9ab05235c83b9b6
Instruction ID: f81be9a7c15ae66d0f17c6709810de2ca19728e3f7b5b52a988b92f1aab7a462
Opcode Fuzzy Hash: cbb1132752505838ed64392a3e06a3cf7a5bac797d2efd32b9ab05235c83b9b6
Instruction Fuzzy Hash: 9C314D31C04229BACF21ABACDC48BDDB7B8AF09364F1406D5E85A6B290D7305F94DF91

Function 6F89D07E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 66registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 6F89D0AE
RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 6F89D0D1
RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 6F89D0ED
RegCloseKey.ADVAPI32(?), ref: 6F89D0FD
RegCloseKey.ADVAPI32(?), ref: 6F89D107

Strings

software, xrefs: 6F89D096

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: CloseCreate$Open
String ID: software
API String ID: 1740278721-2010147023
Opcode ID: 6bc2dbb0c5a18a8c0c12fd93e39b331f595d6c0c87d87555ac4f2c4a178b504d
Instruction ID: e34dc88f76a472ae5d55c1a2b27f2e25a69067951b36cdb2be50cd54bf7a5969
Opcode Fuzzy Hash: 6bc2dbb0c5a18a8c0c12fd93e39b331f595d6c0c87d87555ac4f2c4a178b504d
Instruction Fuzzy Hash: E411E672D00519BB8F21DA9ACD88DDFBFBDEF89750B1040AAF504A6111D7319A11EBA0

Function 6F89BEAE Relevance: 10.6, APIs: 7, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

RtlLeaveCriticalSection.NTDLL(?), ref: 6F89BEB5
__CxxThrowException@8.LIBCMT ref: 6F89BEBF

Part of subcall function 6F8A527B: RaiseException.KERNEL32(?,00000000,?,00000001), ref: 6F8A52BD

LocalReAlloc.KERNEL32(?,00000000,00000002,00000000,00000010,?,?,00000000,?,00000004,6F89AF00,6F896DDD,6F8968AD,?,6F8A4902,?), ref: 6F89BED6
RtlLeaveCriticalSection.NTDLL(?), ref: 6F89BEE3

Part of subcall function 6F896D89: __CxxThrowException@8.LIBCMT ref: 6F896D9F

_memset.LIBCMT ref: 6F89BF02
TlsSetValue.KERNEL32(?,00000000), ref: 6F89BF13
RtlLeaveCriticalSection.NTDLL(00000000), ref: 6F89BF34

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: CriticalLeaveSection$Exception@8Throw$AllocExceptionLocalRaiseValue_memset
String ID:
API String ID: 356813703-0
Opcode ID: 2d65d7e0c0ee43dbb25e8ddf3edd1e2e55ebee3b15c050ad8b5f2ec42cd3945a
Instruction ID: 95347c83edede9deab21e3699904c42a4c012c45203c6720a8a79d50a621bd19
Opcode Fuzzy Hash: 2d65d7e0c0ee43dbb25e8ddf3edd1e2e55ebee3b15c050ad8b5f2ec42cd3945a
Instruction Fuzzy Hash: 1811A174100606BFDB10AF6CCC89C2ABBB6FF01324710C9A9F6559A964CB31ED61CF90

Function 6F89CA77 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000000), ref: 6F89CA85
SetErrorMode.KERNEL32(00000000), ref: 6F89CA8D

Part of subcall function 6F89A698: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 6F89A6D0
Part of subcall function 6F89A698: SetLastError.KERNEL32(0000006F), ref: 6F89A6E7

GetModuleHandleW.KERNEL32(user32.dll), ref: 6F89CADC
GetProcAddress.KERNEL32(00000000,NotifyWinEvent), ref: 6F89CAEC

Part of subcall function 6F89C8E2: GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 6F89C91F
Part of subcall function 6F89C8E2: PathFindExtensionW.SHLWAPI(?), ref: 6F89C939
Part of subcall function 6F89C8E2: __wcsdup.LIBCMT ref: 6F89C983
Part of subcall function 6F89C8E2: __wcsdup.LIBCMT ref: 6F89C9C2
Part of subcall function 6F89C8E2: __wcsdup.LIBCMT ref: 6F89CA14

Strings

user32.dll, xrefs: 6F89CAD7
NotifyWinEvent, xrefs: 6F89CAE6

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: ErrorModule__wcsdup$FileModeName$AddressExtensionFindHandleLastPathProc
String ID: NotifyWinEvent$user32.dll
API String ID: 3531328582-597752486
Opcode ID: 17dd1710af644af928f0b3dc5b36ce8fc52d716c274112eb0ab438e941a406db
Instruction ID: 7ab9c9dbc5c2578f8d11514838520a6f1011507974e8813775a39cc98c1f2297
Opcode Fuzzy Hash: 17dd1710af644af928f0b3dc5b36ce8fc52d716c274112eb0ab438e941a406db
Instruction Fuzzy Hash: 1A017C71A142456FCB15EF6C9844A5E3BD8AF45320B0588DAE945DF392DB31D840CFA1

Function 6F89CD20 Relevance: 10.5, APIs: 7, Instructions: 30COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 6F89CD2E
GetSysColor.USER32(00000010), ref: 6F89CD35
GetSysColor.USER32(00000014), ref: 6F89CD3C
GetSysColor.USER32(00000012), ref: 6F89CD43
GetSysColor.USER32(00000006), ref: 6F89CD4A
GetSysColorBrush.USER32(0000000F), ref: 6F89CD57
GetSysColorBrush.USER32(00000006), ref: 6F89CD5E

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: 0bd7847a7616e29d4da7c9ca3e6705ec414ef5f741b210df3720ae23d13742fe
Instruction ID: 5c7b4f023447311fe76b362c3a438c5b8839b648e812633c1fc2e96c7990733c
Opcode Fuzzy Hash: 0bd7847a7616e29d4da7c9ca3e6705ec414ef5f741b210df3720ae23d13742fe
Instruction Fuzzy Hash: E8F0FE719407445BDB30BB724909B47BAD1FFC4720F16092EE2458B990D6B6E441DF40

Function 6F89815A Relevance: 9.1, APIs: 6, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 6F89818D
GetParent.USER32(?), ref: 6F89819B
GetParent.USER32(?), ref: 6F8981AE
GetLastActivePopup.USER32(?), ref: 6F8981BF
IsWindowEnabled.USER32(?), ref: 6F8981D3
EnableWindow.USER32(?,00000000), ref: 6F8981E6

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: ba2880a56f8d9cd1b35cf30c4dc165973a6e157730a580396b5099a4c64d1b1c
Instruction ID: 0e3bbe8ab0a2c9387f3c9d2dce7ca84a2fe4613d0fbc4a66292ddab95bab7544
Opcode Fuzzy Hash: ba2880a56f8d9cd1b35cf30c4dc165973a6e157730a580396b5099a4c64d1b1c
Instruction Fuzzy Hash: DF11C63260DA23ABD7160A6D8D40B9E76ACAF45B60F850AD6ED14EF244D770E801C7D5

Function 6F8AC416 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 6F8AC43E

Part of subcall function 6F8A4FC4: __getptd.LIBCMT ref: 6F8A4FD2
Part of subcall function 6F8A4FC4: __getptd.LIBCMT ref: 6F8A4FE0

__getptd.LIBCMT ref: 6F8AC448

Part of subcall function 6F8AA27F: __getptd_noexit.LIBCMT ref: 6F8AA282
Part of subcall function 6F8AA27F: __amsg_exit.LIBCMT ref: 6F8AA28F

__getptd.LIBCMT ref: 6F8AC456
__getptd.LIBCMT ref: 6F8AC464
__getptd.LIBCMT ref: 6F8AC46F
_CallCatchBlock2.LIBCMT ref: 6F8AC495

Part of subcall function 6F8A5069: __CallSettingFrame@12.LIBCMT ref: 6F8A50B5

Part of subcall function 6F8AC53C: __getptd.LIBCMT ref: 6F8AC54B
Part of subcall function 6F8AC53C: __getptd.LIBCMT ref: 6F8AC559

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: f0a09f45591f436e77ce8432411be49516a638224cf659e05fbd849f5722b734
Instruction ID: 2047298166114a0375d0533a99062a8cdfd66274b76786cb373edf688a952f2f
Opcode Fuzzy Hash: f0a09f45591f436e77ce8432411be49516a638224cf659e05fbd849f5722b734
Instruction Fuzzy Hash: 6611B4B1804309EFDF00DFA8C844A9D7BB1FB14314F1089A9E814AB291DB7A9A519B50

Function 6F89DB5C Relevance: 9.0, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 6F89DB6D
GetDlgCtrlID.USER32(00000000), ref: 6F89DB81
GetWindowLongW.USER32(00000000,000000F0), ref: 6F89DB91
GetWindowRect.USER32(00000000,?), ref: 6F89DBA3
PtInRect.USER32(?,?,?), ref: 6F89DBB3
GetWindow.USER32(?,00000005), ref: 6F89DBC0

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: 31890ed5355ceeb1015815a2a4c106e19eb01b69667710b4485b76f13d4138a3
Instruction ID: 296ee2ac043edc07472afa871d88010b41219355765e7e5feed5ee0a6dd653fe
Opcode Fuzzy Hash: 31890ed5355ceeb1015815a2a4c106e19eb01b69667710b4485b76f13d4138a3
Instruction Fuzzy Hash: 2E016D3210491ABBDF115B688C08EEE3B6EFF4A360F0849A5F951DA090D734E527CBD8

Function 6F8996DA Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

GetMenuCheckMarkDimensions.USER32 ref: 6F8996F2
_memset.LIBCMT ref: 6F89976A
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 6F8997CD
LoadBitmapW.USER32(00000000,00007FE3), ref: 6F8997E5

Strings

, xrefs: 6F89974B

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu_memset
String ID:
API String ID: 4271682439-3916222277
Opcode ID: 7abb2fb8f5cd97eaff92890ea48fae5466d310af4ba967c945d14bdb644f48aa
Instruction ID: bc162214abdc4af210a44d7e595ffae6f57adfafc67607396b5cec0541695d68
Opcode Fuzzy Hash: 7abb2fb8f5cd97eaff92890ea48fae5466d310af4ba967c945d14bdb644f48aa
Instruction Fuzzy Hash: 12312471A00615AFEF248F288CC5B997BB4FB45350F4544EAE548DB2C1DF319985CB90

Function 6F8AC165 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6F8AC17F

Part of subcall function 6F8AA27F: __getptd_noexit.LIBCMT ref: 6F8AA282
Part of subcall function 6F8AA27F: __amsg_exit.LIBCMT ref: 6F8AA28F

__getptd.LIBCMT ref: 6F8AC190
__getptd.LIBCMT ref: 6F8AC19E

Strings

MOC, xrefs: 6F8AC171
csm, xrefs: 6F8AC178

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$csm
API String ID: 803148776-1389381023
Opcode ID: aa1837dadfba7e54d6be07239196d8ff6a1898bb90bdeee490b5edcfe485d706
Instruction ID: 8c40f01c739720da982a935ab6ffb4d0d4a588b96144883f93bc86154f4936c3
Opcode Fuzzy Hash: aa1837dadfba7e54d6be07239196d8ff6a1898bb90bdeee490b5edcfe485d706
Instruction Fuzzy Hash: 9AE04F31614308DFD7049BB8C045B5837A5EB6A318F1509E1D41CCF266D737E550D942

Function 6F895670 Relevance: 7.6, APIs: 5, Instructions: 77stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,?,?,6F8949D6,?,00000003), ref: 6F895685
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00000000,?,00000000,00000000), ref: 6F8956B4
GetLastError.KERNEL32 ref: 6F8956C5
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00000000,00000000,00000000,00000000), ref: 6F8956E5
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000000,00000000,00000000), ref: 6F895709

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLastlstrlen
String ID:
API String ID: 3322701435-0
Opcode ID: dad288d65909326fb081dd230379c7efae9bbb7d0b9ec7700fadc7ec5d3e6335
Instruction ID: a4ffaff4e974ac82965aa707c7bdc04a6e90a3d6738bb93fa38b1c28293aa091
Opcode Fuzzy Hash: dad288d65909326fb081dd230379c7efae9bbb7d0b9ec7700fadc7ec5d3e6335
Instruction Fuzzy Hash: AF117F75384306BBE6249E68DCC1F6B77ECEB85755F100D68F6419F2C0D660BC098660

Function 6F89DA11 Relevance: 7.6, APIs: 5, Instructions: 55stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?), ref: 6F89DA3D
_memset.LIBCMT ref: 6F89DA5B
GetWindowTextW.USER32(00000000,?,00000100), ref: 6F89DA75
lstrcmpW.KERNEL32(?,?,?,?), ref: 6F89DA87
SetWindowTextW.USER32(00000000,?), ref: 6F89DA93

Part of subcall function 6F896DC1: __CxxThrowException@8.LIBCMT ref: 6F896DD7
Part of subcall function 6F896DC1: __EH_prolog3.LIBCMT ref: 6F896DE4

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: TextWindow$Exception@8H_prolog3Throw_memsetlstrcmplstrlen
String ID:
API String ID: 4273134663-0
Opcode ID: 08249c38c379a9ae3aa9c4d8ae57089e830102c7087ab1f3f45685f289373988
Instruction ID: b1f045d4e14658ae7f88ca794ecee649325450ae20f127abead445676e8f1917
Opcode Fuzzy Hash: 08249c38c379a9ae3aa9c4d8ae57089e830102c7087ab1f3f45685f289373988
Instruction Fuzzy Hash: 3B0161B750571A67CB00DB688C899DBB3ADEF49350F0048A5E955DB141EB34E91487A0

Function 6F8AFE0E Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6F8AFE1A

Part of subcall function 6F8AA27F: __getptd_noexit.LIBCMT ref: 6F8AA282
Part of subcall function 6F8AA27F: __amsg_exit.LIBCMT ref: 6F8AA28F

__amsg_exit.LIBCMT ref: 6F8AFE3A
__lock.LIBCMT ref: 6F8AFE4A
InterlockedDecrement.KERNEL32(?), ref: 6F8AFE67
InterlockedIncrement.KERNEL32(029A15E0), ref: 6F8AFE92

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 42bd0a470dfb4b00f3690d50049e90e1973b793ce2f44a3cef6c701c27b256c5
Instruction ID: 43df7307c525f5ba8077e5cd5939228d4c12127194d7c997d798e1d4ef44e503
Opcode Fuzzy Hash: 42bd0a470dfb4b00f3690d50049e90e1973b793ce2f44a3cef6c701c27b256c5
Instruction Fuzzy Hash: 3001B932A01B11EBDB159B6C880474D77A0EF95735F4119C9D4106F3D1CB3AB9A1CBD5

Function 6F8A4618 Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 6F8A4636

Part of subcall function 6F8AA914: __mtinitlocknum.LIBCMT ref: 6F8AA92A
Part of subcall function 6F8AA914: __amsg_exit.LIBCMT ref: 6F8AA936
Part of subcall function 6F8AA914: RtlEnterCriticalSection.NTDLL(00000000), ref: 6F8AA93E

___sbh_find_block.LIBCMT ref: 6F8A4641
___sbh_free_block.LIBCMT ref: 6F8A4650
HeapFree.KERNEL32(00000000,00000000,6F8BE828,0000000C,6F8AA270,00000000,?,6F8AA5D4,00000000,00000001,00000000,?,6F8AA89E,00000018,6F8BE978,0000000C), ref: 6F8A4680
GetLastError.KERNEL32(?,6F8AA5D4,00000000,00000001,00000000,?,6F8AA89E,00000018,6F8BE978,0000000C,6F8AA92F,00000000,00000000,?,6F8AA32A,0000000D), ref: 6F8A4691

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 725714182b7c2827301206bbfe64241c47f1b866bd578de4d857aeac42bfa213
Instruction ID: eb02672da2f3a842485666051e351dc04734e83a5f572b2ad28f2f0d0306ba67
Opcode Fuzzy Hash: 725714182b7c2827301206bbfe64241c47f1b866bd578de4d857aeac42bfa213
Instruction Fuzzy Hash: F401A271805B15BBEF245F78980874E3B74EF81726F2019D9E020AE1D0CF7BA580CA94

Function 6F89C113 Relevance: 7.5, APIs: 5, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

TlsFree.KERNEL32(?,?,?,6F89C179), ref: 6F89C13B
GlobalHandle.KERNEL32(?), ref: 6F89C149
GlobalUnlock.KERNEL32(00000000), ref: 6F89C152
GlobalFree.KERNEL32(00000000), ref: 6F89C159
RtlDeleteCriticalSection.NTDLL ref: 6F89C163

Part of subcall function 6F89BF5D: RtlEnterCriticalSection.NTDLL(?), ref: 6F89BFBC
Part of subcall function 6F89BF5D: RtlLeaveCriticalSection.NTDLL(?), ref: 6F89BFCC
Part of subcall function 6F89BF5D: LocalFree.KERNEL32(?), ref: 6F89BFD5
Part of subcall function 6F89BF5D: TlsSetValue.KERNEL32(?,00000000), ref: 6F89BFE7

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: CriticalFreeGlobalSection$DeleteEnterHandleLeaveLocalUnlockValue
String ID:
API String ID: 1549993015-0
Opcode ID: ff4cfa955f3b78319d70e1d02e5d1e938fec1a20e0c39de5a9a322d7dba230c9
Instruction ID: e99504f66f4edca3cb08ba34031b551c15c40f8afecfbe01f71790d599279297
Opcode Fuzzy Hash: ff4cfa955f3b78319d70e1d02e5d1e938fec1a20e0c39de5a9a322d7dba230c9
Instruction Fuzzy Hash: 5BF0E236204A03ABCB105B3C9C0CE6B37B8AF876707150A88F525DB282CB31E803C7B4

Function 6F8A140F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6F89C220: RtlEnterCriticalSection.NTDLL(6F8C34A8), ref: 6F89C25A
Part of subcall function 6F89C220: RtlInitializeCriticalSection.NTDLL(?), ref: 6F89C26C
Part of subcall function 6F89C220: RtlLeaveCriticalSection.NTDLL(6F8C34A8), ref: 6F89C279
Part of subcall function 6F89C220: RtlEnterCriticalSection.NTDLL(?), ref: 6F89C289

Part of subcall function 6F89BB0C: __EH_prolog3_catch.LIBCMT ref: 6F89BB13

Part of subcall function 6F896DC1: __CxxThrowException@8.LIBCMT ref: 6F896DD7
Part of subcall function 6F896DC1: __EH_prolog3.LIBCMT ref: 6F896DE4

GetProcAddress.KERNEL32(00000000,HtmlHelpW), ref: 6F8A1458
FreeLibrary.KERNEL32(?), ref: 6F8A1468

Strings

HtmlHelpW, xrefs: 6F8A1452
hhctrl.ocx, xrefs: 6F8A143C

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3H_prolog3_catchInitializeLeaveLibraryProcThrow
String ID: HtmlHelpW$hhctrl.ocx
API String ID: 2853499158-3773518134
Opcode ID: 59f43c68fff06c9965c886d44bcec80a78d7ae648c969339be3eded4e5b152cc
Instruction ID: 3766bee8ab4413c257b5678e9a9cc83fcd0c271f55d6d38d47959d2c079a367b
Opcode Fuzzy Hash: 59f43c68fff06c9965c886d44bcec80a78d7ae648c969339be3eded4e5b152cc
Instruction Fuzzy Hash: 6401D131005B07BBDB255BACCD04B4A3BA6EF05368F00CCA9F45AAD690DB72E410CF51

Function 6F8AC7C3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 6F8AC7D6

Part of subcall function 6F8AC731: ___BuildCatchObjectHelper.LIBCMT ref: 6F8AC767

_UnwindNestedFrames.LIBCMT ref: 6F8AC7ED
___FrameUnwindToState.LIBCMT ref: 6F8AC7FB

Strings

csm, xrefs: 6F8AC7D2, 6F8AC7E7, 6F8AC7FA, 6F8AC818, 6F8AC828

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm
API String ID: 2163707966-1018135373
Opcode ID: 9333c40b5dfdbc582cc92e6f10fbdaaaf62e4115b5764113ccc931296aa917a4
Instruction ID: 904d598de5539a77d8bc4a5054b2db8769c4cc6d93b4a18cf6b0635d4158b40f
Opcode Fuzzy Hash: 9333c40b5dfdbc582cc92e6f10fbdaaaf62e4115b5764113ccc931296aa917a4
Instruction Fuzzy Hash: DC01E831001209BBDF125F59CD44EEA7F6AFF49354F104451FD2859161DB32E5B1DBA1

Function 6F8AED77 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,6F8A77D7), ref: 6F8AED7C
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 6F8AED8C

Strings

IsProcessorFeaturePresent, xrefs: 6F8AED86
KERNEL32, xrefs: 6F8AED77

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 85fbc9d3ab014d06855b4ab363f555084d7548ede5c90b606e9bf39bdb964369
Instruction ID: 8b5b65248cb1a9ae7c15c84afd66e9645d09039316d78e10f1b1c7abcb35b0f1
Opcode Fuzzy Hash: 85fbc9d3ab014d06855b4ab363f555084d7548ede5c90b606e9bf39bdb964369
Instruction Fuzzy Hash: 51F01D20900E0AE2EF001BA6AD196AE7B79FB82756F820DD4E5B5A5184DF3190B1D385

Function 6F897D71 Relevance: 6.1, APIs: 4, Instructions: 131timeCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6F897D88
GetFileTime.KERNEL32(?,?,?,?), ref: 6F897DBF
GetFileSizeEx.KERNEL32(?,?), ref: 6F897DD7

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: File$SizeTime_memset
String ID:
API String ID: 151880914-0
Opcode ID: 798c09a1fd518fc93c67b991b4d5c734b5f550cd11eb6985114aadf6a7921e40
Instruction ID: 1771d5e132b85697b6022f3d0c4d3d0c9f89e8721287da7533d8f4f7000f8d26
Opcode Fuzzy Hash: 798c09a1fd518fc93c67b991b4d5c734b5f550cd11eb6985114aadf6a7921e40
Instruction Fuzzy Hash: 5D51E771504705AFDB24CF68C9409AEB7F8AF09720B108E6EE5A6DB690E734F945CB60

Function 6F8B081B Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6F8B084F
__isleadbyte_l.LIBCMT ref: 6F8B0883
MultiByteToWideChar.KERNEL32(00000080,00000009,6F8A40D8,6F8BBF84,00000000,00000000,?,?,?,?,6F8A40D8,00000000,?), ref: 6F8B08B4
MultiByteToWideChar.KERNEL32(00000080,00000009,6F8A40D8,00000001,00000000,00000000,?,?,?,?,6F8A40D8,00000000,?), ref: 6F8B0922

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: d64e7e21af69afa3ebfa4ffa0a7f3eeffd40faa0d6595421fdac4ed92c9a62aa
Instruction ID: 64833789aeacf28dae4700f998d7e620287eeb76f4fb40df7fd3dbbd5100fa14
Opcode Fuzzy Hash: d64e7e21af69afa3ebfa4ffa0a7f3eeffd40faa0d6595421fdac4ed92c9a62aa
Instruction Fuzzy Hash: 89319031A0424AEFDB15CF68CE849AE3BB5BF01310F1159EEE4649F2A1D731EA41DB90

Function 6F8988C8 Relevance: 6.1, APIs: 4, Instructions: 66memorystringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(?), ref: 6F8988E7
lstrcmpW.KERNEL32(00000000,?), ref: 6F8988F4
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 6F89892E
GlobalLock.KERNEL32(00000000), ref: 6F898938

Part of subcall function 6F89DAD1: GlobalFlags.KERNEL32(?), ref: 6F89DAE0
Part of subcall function 6F89DAD1: GlobalUnlock.KERNEL32(?), ref: 6F89DAF2
Part of subcall function 6F89DAD1: GlobalFree.KERNEL32(?), ref: 6F89DAFD

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: Global$Lock$AllocFlagsFreeUnlocklstrcmp
String ID:
API String ID: 2391069079-0
Opcode ID: 89c32423a5c2019540112b38c7dddc49c146ab95645e9141a3374f722b97f7bd
Instruction ID: 5cec3d216fc8fb1b818eec0f0c9bc450a03f306da4706ed1349d936c645e3012
Opcode Fuzzy Hash: 89c32423a5c2019540112b38c7dddc49c146ab95645e9141a3374f722b97f7bd
Instruction Fuzzy Hash: 50118C72504A05BFCB129BA9CC88CAF7BFEFB85705B400899FA05DA160DB31E911D760

Function 6F89BF5D Relevance: 6.1, APIs: 4, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 6F89BFBC
RtlLeaveCriticalSection.NTDLL(?), ref: 6F89BFCC
LocalFree.KERNEL32(?), ref: 6F89BFD5
TlsSetValue.KERNEL32(?,00000000), ref: 6F89BFE7

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: CriticalSection$EnterFreeLeaveLocalValue
String ID:
API String ID: 2949335588-0
Opcode ID: 137549e81e253f4633735d75113d5277d303caddd41526ab182a9f3d6e34ead9
Instruction ID: 4bff52f30ed1a04ded98150456720ae5b49c8a93a6cfb6ec8c952d4b3f2bbf95
Opcode Fuzzy Hash: 137549e81e253f4633735d75113d5277d303caddd41526ab182a9f3d6e34ead9
Instruction Fuzzy Hash: 83116771600A05EFD718CF58C884F9AB7A8FF46325F1088AAF1568B5A1CB71BA51CF50

Function 6F898EC9 Relevance: 6.1, APIs: 4, Instructions: 57threadCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6F898ED0

Part of subcall function 6F899C7C: __EH_prolog3.LIBCMT ref: 6F899C83

__wcsdup.LIBCMT ref: 6F898EF2
GetCurrentThread.KERNEL32 ref: 6F898F1F
GetCurrentThreadId.KERNEL32 ref: 6F898F28

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: CurrentH_prolog3Thread$__wcsdup
String ID:
API String ID: 190065205-0
Opcode ID: 59388e7d2953f2702cf3682a886e6ed67decc498e5ccff8f923533348be7ec25
Instruction ID: 956f78e713bed79e583eb69df570658b6e3d16c600ffe9c9379bc417e30c39de
Opcode Fuzzy Hash: 59388e7d2953f2702cf3682a886e6ed67decc498e5ccff8f923533348be7ec25
Instruction Fuzzy Hash: 672188B0905B419FC7218F7E854424AFAE8BFA4704B508D9FD1AACBA61CBB1A041CF40

Function 6F8A1D07 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 6F8A1D33
SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 6F8A1D5E
GetCapture.USER32 ref: 6F8A1D70
SendMessageW.USER32(00000000,0000001F,00000000,00000000), ref: 6F8A1D7F

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: MessageSend$Capture
String ID:
API String ID: 1665607226-0
Opcode ID: 47ddb95a122456fbb0251bd9baab5cf7146286d8a0557426e1600a5251b77284
Instruction ID: 683a50afebbdad4fcb0ed096e74ece57c647831e37cb2ee3180e324d529a80a7
Opcode Fuzzy Hash: 47ddb95a122456fbb0251bd9baab5cf7146286d8a0557426e1600a5251b77284
Instruction Fuzzy Hash: A20171313506947BDF301B668CCCFDB3E7ADFCAB10F1104B8B6149E0E6CAA28800DA60

Function 6F896A83 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6F896A8A

Part of subcall function 6F8968E2: _malloc.LIBCMT ref: 6F896900

__CxxThrowException@8.LIBCMT ref: 6F896AC0
FormatMessageW.KERNEL32(00001100,00000000,?,00000800,6F8916A6,00000000,00000000,?,?,6F8BD898,00000004,6F8916A6,00000000,6F8969F9,00000000), ref: 6F896AEA
LocalFree.KERNEL32(6F8916A6,6F8916A6,00000000,6F8969F9,00000000), ref: 6F896B12

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: Exception@8FormatFreeH_prolog3LocalMessageThrow_malloc
String ID:
API String ID: 1776251131-0
Opcode ID: fc86879e74f20dae9645edf5a54310594cf0a2f29aeaf9a22da9b3b6327fde94
Instruction ID: 619e709f86bc31bb40b89b92178f567823d8d4b4e27d916efc2fece02c474867
Opcode Fuzzy Hash: fc86879e74f20dae9645edf5a54310594cf0a2f29aeaf9a22da9b3b6327fde94
Instruction Fuzzy Hash: F3115E7160430ABFDF08DF6CCC41EAA3BA6EF49310F24C9A9F5258E2D0E73199509B90

Function 6F89D159 Relevance: 6.1, APIs: 4, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.ADVAPI32(00000000,?,00000000,00000004,?,00000004), ref: 6F89D194
RegCloseKey.ADVAPI32(00000000), ref: 6F89D19D
swprintf.LIBCMT ref: 6F89D1BA
WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 6F89D1CB

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: ClosePrivateProfileStringValueWriteswprintf
String ID:
API String ID: 22681860-0
Opcode ID: ec46c222d7b7f887943f86ba8f573d6d59393d485e3ee6b9efd4b4f4a7bb6c74
Instruction ID: 420204d04e9d9d12b4057ddb71c081083be715b8dcbe0cdedb86b23276961c36
Opcode Fuzzy Hash: ec46c222d7b7f887943f86ba8f573d6d59393d485e3ee6b9efd4b4f4a7bb6c74
Instruction Fuzzy Hash: 11018E72600709BBDB009E688C85FABB7ADAB49714F000899BA10AB180DB75E91587A4

Function 6F897287 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 6F8968E2: _malloc.LIBCMT ref: 6F896900

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 6F8972BB
GetCurrentProcess.KERNEL32(?,00000000), ref: 6F8972C1
DuplicateHandle.KERNEL32(00000000), ref: 6F8972C4
GetLastError.KERNEL32(?), ref: 6F8972DF

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: CurrentProcess$DuplicateErrorHandleLast_malloc
String ID:
API String ID: 3704204646-0
Opcode ID: 8bc614d74cc27603312232ff8a73619bcd1bb5123bc497d46ecd0b6fdb511998
Instruction ID: a22d997ca9d2386be6e202e843c72a717e7786d0e94b37f4eff9bf683416b07d
Opcode Fuzzy Hash: 8bc614d74cc27603312232ff8a73619bcd1bb5123bc497d46ecd0b6fdb511998
Instruction Fuzzy Hash: 8C017131600605BBDB049BADCD89F5E7BA9EF85760F1448A5F509DF280EB71EC01C7A0

Function 6F8A0F8D Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

GetTopWindow.USER32(?), ref: 6F8A0F9D
GetTopWindow.USER32(00000000), ref: 6F8A0FDC
GetWindow.USER32(00000000,00000002), ref: 6F8A0FFA

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 7402547d2d5c4070bcd0fff59e445238bb2b3a12f7e8223ad07f773bd4f8497b
Instruction ID: 0f0ff204831298a576ceebb7c1035ea4e4593c0cd83e3c77975646e1a8a864d1
Opcode Fuzzy Hash: 7402547d2d5c4070bcd0fff59e445238bb2b3a12f7e8223ad07f773bd4f8497b
Instruction Fuzzy Hash: 87015E3204961ABBCF025FA58C08EDF3F26EF497A1F044491FA14691A0C737C572EBA1

Function 6F8AEC63 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 6F8AEC89

Part of subcall function 6F8AEAAE: __fltout2.LIBCMT ref: 6F8AEADA

__cftog_l.LIBCMT ref: 6F8AECAF
__cftoe_l.LIBCMT ref: 6F8AECE1

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: 3cb4a3bdd6982bcfbf7c1b8110030e0d37e0b439db30097c4b06bed582c1e9c8
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: A3116D7245028EBBCF125F89CD018DE3F62FB18358F048C95FA2859160D737D6B1AB81

Function 6F8A03CF Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 6F8A03DC
GetTopWindow.USER32(00000000), ref: 6F8A03EF

Part of subcall function 6F8A03CF: GetWindow.USER32(00000000,00000002), ref: 6F8A0436

GetTopWindow.USER32(?), ref: 6F8A041F

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: 305b14b4787881255af00aae97bcb9d4f652f193d063bbad80bf49fe3d327851
Instruction ID: 444ebcbfc6d1368f090e6195f64a89c9015abce5211a0f2c66a2ee48d309bb12
Opcode Fuzzy Hash: 305b14b4787881255af00aae97bcb9d4f652f193d063bbad80bf49fe3d327851
Instruction Fuzzy Hash: 2401F736007A1A77CF122E248D04E8F3B29FF453A9F00A8A1FD189D000D733D52286D2

Function 6F89C220 Relevance: 6.0, APIs: 4, Instructions: 38COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(6F8C34A8), ref: 6F89C25A
RtlInitializeCriticalSection.NTDLL(?), ref: 6F89C26C
RtlLeaveCriticalSection.NTDLL(6F8C34A8), ref: 6F89C279
RtlEnterCriticalSection.NTDLL(?), ref: 6F89C289

Part of subcall function 6F896DC1: __CxxThrowException@8.LIBCMT ref: 6F896DD7
Part of subcall function 6F896DC1: __EH_prolog3.LIBCMT ref: 6F896DE4

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: CriticalSection$Enter$Exception@8H_prolog3InitializeLeaveThrow
String ID:
API String ID: 2895727460-0
Opcode ID: 6e61b8f0aa8ee49690721837f99ee280198089f6b28fea5fac363d8f893a92f0
Instruction ID: 4feaa184de2a58e55c798e0260ef766874c36c7af7e16dc5b4261b537a9a6899
Opcode Fuzzy Hash: 6e61b8f0aa8ee49690721837f99ee280198089f6b28fea5fac363d8f893a92f0
Instruction Fuzzy Hash: 76F0FC32104106AFCB040BDCDC467457B69EBE3335F100896E1048E242CB35E853C5F6

Function 6F89BA5B Relevance: 6.0, APIs: 4, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(6F8C32EC), ref: 6F89BA69
TlsGetValue.KERNEL32(6F8C32D0,?,?,?,?,6F89C0B7,?,00000004,6F89AF00,6F896DDD,6F8968AD,?,6F8A4902,?), ref: 6F89BA7D
RtlLeaveCriticalSection.NTDLL(6F8C32EC), ref: 6F89BA93
RtlLeaveCriticalSection.NTDLL(6F8C32EC), ref: 6F89BA9E

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: CriticalSection$Leave$EnterValue
String ID:
API String ID: 3969253408-0
Opcode ID: 86b655c8f0f4624b9e43cccfce7306dd5040c10664df2d98081c9458601929c1
Instruction ID: b99bccf000aa786db632f258228aa64b8777d8f002a66090838752007142099f
Opcode Fuzzy Hash: 86b655c8f0f4624b9e43cccfce7306dd5040c10664df2d98081c9458601929c1
Instruction Fuzzy Hash: 80F05E7620A605AFD7208F6CC889C4A77EDEE853B031648A6E6599B101D730F953DBA0

Function 6F8B057A Relevance: 6.0, APIs: 4, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6F8B0586

Part of subcall function 6F8AA27F: __getptd_noexit.LIBCMT ref: 6F8AA282
Part of subcall function 6F8AA27F: __amsg_exit.LIBCMT ref: 6F8AA28F

__getptd.LIBCMT ref: 6F8B059D
__amsg_exit.LIBCMT ref: 6F8B05AB
__lock.LIBCMT ref: 6F8B05BB

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 1c56a2087e1fdedb20e88de78f0ef42e17d8fecc1bf4855966774c866f9ac3be
Instruction ID: 068f3ff129473ee0535208611b325a92b815eab8117bfcf348690cbeb17dd879
Opcode Fuzzy Hash: 1c56a2087e1fdedb20e88de78f0ef42e17d8fecc1bf4855966774c866f9ac3be
Instruction Fuzzy Hash: 05F06D32918B14EBDB20AF6C8905B4832A0AB00728F416DCE9450BFBE0CB79A541CB51

Function 6F89A698 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

Part of subcall function 6F89A59C: GetModuleHandleW.KERNEL32(KERNEL32,6F89A6B6), ref: 6F89A5AA
Part of subcall function 6F89A59C: GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 6F89A5CB
Part of subcall function 6F89A59C: GetProcAddress.KERNEL32(ReleaseActCtx), ref: 6F89A5DD
Part of subcall function 6F89A59C: GetProcAddress.KERNEL32(ActivateActCtx), ref: 6F89A5EF
Part of subcall function 6F89A59C: GetProcAddress.KERNEL32(DeactivateActCtx), ref: 6F89A601

GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 6F89A6D0
SetLastError.KERNEL32(0000006F), ref: 6F89A6E7

Strings

, xrefs: 6F89A705

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: AddressProc$Module$ErrorFileHandleLastName
String ID:
API String ID: 2524245154-3916222277
Opcode ID: 335eb344b9c4abeeb60c44fc9287172b13d7d8dae525adfb69c01f55bde3350d
Instruction ID: e0a5d6673b9bc6dd7f312307f41b81a789ce9123b9265548f6a9c0e3ce1851e7
Opcode Fuzzy Hash: 335eb344b9c4abeeb60c44fc9287172b13d7d8dae525adfb69c01f55bde3350d
Instruction Fuzzy Hash: C6215E70C00618AEDB20DF79C8987DEB7B4BF04324F508AD9D069DA1C0DB74AA85DF50

Function 6F898E50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 6F898E78
PathFindExtensionW.SHLWAPI(?), ref: 6F898E8E

Part of subcall function 6F898BDF: __EH_prolog3_GS.LIBCMT ref: 6F898BE9
Part of subcall function 6F898BDF: GetModuleHandleW.KERNEL32(kernel32.dll,00000260,6F898EB7,?,?), ref: 6F898C19
Part of subcall function 6F898BDF: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 6F898C2D
Part of subcall function 6F898BDF: ConvertDefaultLocale.KERNEL32(?), ref: 6F898C69
Part of subcall function 6F898BDF: ConvertDefaultLocale.KERNEL32(?), ref: 6F898C77
Part of subcall function 6F898BDF: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 6F898C94
Part of subcall function 6F898BDF: ConvertDefaultLocale.KERNEL32(?), ref: 6F898CBF
Part of subcall function 6F898BDF: ConvertDefaultLocale.KERNEL32(000003FF), ref: 6F898CC8
Part of subcall function 6F898BDF: GetModuleFileNameW.KERNEL32(6F890000,?,00000105), ref: 6F898D7F

Strings

%s%s.dll, xrefs: 6F898E99

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: ConvertDefaultLocale$Module$AddressFileNameProc$ExtensionFindH_prolog3_HandlePath
String ID: %s%s.dll
API String ID: 1311856149-1649984862
Opcode ID: 7070c4be9feab31c39975f2ae80899b311d249fe1d1ef2816795a0a227f5d6c4
Instruction ID: c35de6250802dc90418a75006ee82d723f8c2937437a2df95cae25de4a90562c
Opcode Fuzzy Hash: 7070c4be9feab31c39975f2ae80899b311d249fe1d1ef2816795a0a227f5d6c4
Instruction Fuzzy Hash: BF01A272A19519ABCB05CB6CD885DEFB3B9EF49310F4108E9A505EB140DB70DA05CB90

Function 6F8AC53C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6F8A5017: __getptd.LIBCMT ref: 6F8A501D
Part of subcall function 6F8A5017: __getptd.LIBCMT ref: 6F8A502D

__getptd.LIBCMT ref: 6F8AC54B

Part of subcall function 6F8AA27F: __getptd_noexit.LIBCMT ref: 6F8AA282
Part of subcall function 6F8AA27F: __amsg_exit.LIBCMT ref: 6F8AA28F

__getptd.LIBCMT ref: 6F8AC559

Strings

csm, xrefs: 6F8AC567

Memory Dump Source

Source File: 00000009.00000002.2032578642.000000006F891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6F890000, based on PE: true

Associated: 00000009.00000002.2032559424.000000006F890000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2032708604.000000006F8C5000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6f890000_DZIPR.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: a711b0bedc9af858f1a86284ce073587ea150faf51f5d3325d337f2bcfad7745
Instruction ID: ae8307d6689507e5f21b22e03b979e3806f03b50c6e52e99ded46e3b5f1c6c8c
Opcode Fuzzy Hash: a711b0bedc9af858f1a86284ce073587ea150faf51f5d3325d337f2bcfad7745
Instruction Fuzzy Hash: 44014B74804305EBCF288F65C84069EBBB5FF11211F504CAFE4509E6A2EB32EA90DF41

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report epht1Y3TGZ.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\a1ba81aa

C:\Users\user\AppData\Local\Temp\ae0a7065

C:\Users\user\AppData\Local\Temp\b8f7a7f7

C:\Users\user\AppData\Local\Temp\fsfj

C:\Users\user\AppData\Local\Temp\iikbjmsy

C:\Users\user\AppData\Local\Temp\mtdwpx

C:\Users\user\AppData\Local\Temp\oahisshhqlvln

C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.dll

C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe

C:\Users\user\AppData\Roaming\Ruy_driverv2\ekqqtq

Windows Analysis Report
epht1Y3TGZ.exe