Edit tour

Windows Analysis Report
z25RFQ945894-PDF.exe

Overview

General Information

Sample name:	z25RFQ945894-PDF.exe
Analysis ID:	1522581
MD5:	6cfb2ab5bfb52347d141ab2a82ab9ab2
SHA1:	cdc4e03046d770a589e09ec9e9ba56f16afce2f5
SHA256:	97aed74a1556b5b96eacd10c8ba1e206036d8f6fc35fab882689566c8c16aa6b
Tags:	exeuser-Porcupine
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Contains functionality to log keystrokes (.Net Source)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

z25RFQ945894-PDF.exe (PID: 7432 cmdline: "C:\Users\user\Desktop\z25RFQ945894-PDF.exe" MD5: 6CFB2AB5BFB52347D141AB2A82AB9AB2)

RegSvcs.exe (PID: 7448 cmdline: "C:\Users\user\Desktop\z25RFQ945894-PDF.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.zqamcx.com", "Username": "kingship@zqamcx.com", "Password": "Methodman991"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.2894103472.00000000032DE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.2894103472.0000000003308000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.2893009529.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2893009529.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1664669287.0000000001160000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1664669287.0000000001160000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1664669287.0000000001160000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x333b5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33427:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x334b1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33543:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x335ad:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3361f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x336b5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33745:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000001.00000002.2894103472.0000000003291000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2894103472.0000000003291000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: z25RFQ945894-PDF.exe PID: 7432	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: z25RFQ945894-PDF.exe PID: 7432	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 7448	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7448	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.z25RFQ945894-PDF.exe.1160000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.z25RFQ945894-PDF.exe.1160000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.z25RFQ945894-PDF.exe.1160000.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x315b5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31627:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x316b1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31743:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x317ad:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3181f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x318b5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31945:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x333b5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33427:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x334b1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33543:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x335ad:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3361f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x336b5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33745:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.z25RFQ945894-PDF.exe.1160000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.z25RFQ945894-PDF.exe.1160000.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.z25RFQ945894-PDF.exe.1160000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x333b5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33427:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x334b1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33543:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x335ad:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3361f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x336b5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33745:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 4 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 78.110.166.82, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 7448, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 1.2.RegSvcs.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.zqamcx.com", "Username": "kingship@zqamcx.com", "Password": "Methodman991"}

Multi AV Scanner detection for domain / URL

Source: zqamcx.com	Virustotal: Detection: 9%	Perma Link
Source: mail.zqamcx.com	Virustotal: Detection: 9%	Perma Link
Source: http://zqamcx.com	Virustotal: Detection: 9%	Perma Link
Source: http://mail.zqamcx.com	Virustotal: Detection: 9%	Perma Link

Multi AV Scanner detection for submitted file

Source: z25RFQ945894-PDF.exe	ReversingLabs: Detection: 18%
Source: z25RFQ945894-PDF.exe	Virustotal: Detection: 16%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: z25RFQ945894-PDF.exe

Joe Sandbox ML: detected

Source: z25RFQ945894-PDF.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: z25RFQ945894-PDF.exe, 00000000.00000003.1659802907.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, z25RFQ945894-PDF.exe, 00000000.00000003.1660041474.0000000003AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: z25RFQ945894-PDF.exe, 00000000.00000003.1659802907.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, z25RFQ945894-PDF.exe, 00000000.00000003.1660041474.0000000003AD0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_0028449B GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0028449B
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_0028C75D FindFirstFileW,FindClose,	0_2_0028C75D
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_0028C7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0028C7E8
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_0028F021 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0028F021
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_0028F17E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0028F17E
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_0028F47F FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0028F47F
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_00283833 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00283833
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_00283B56 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00283B56
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_0028BD48 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0028BD48

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 78.110.166.82:587

Source: Joe Sandbox View

IP Address: 78.110.166.82 78.110.166.82

Source: Joe Sandbox View

ASN Name: UKSERVERS-ASUKDedicatedServersHostingandCo-Location UKSERVERS-ASUKDedicatedServersHostingandCo-Location

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 78.110.166.82:587

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe

Code function: 0_2_00292404 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00292404

Source: global traffic	DNS traffic detected: DNS query: mail.zqamcx.com
Source: global traffic	DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa

Source: RegSvcs.exe, 00000001.00000002.2894103472.00000000032DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.zqamcx.com
Source: RegSvcs.exe, 00000001.00000002.2894103472.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2893472088.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2895612844.0000000006730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r11.i.lencr.org/0#
Source: RegSvcs.exe, 00000001.00000002.2894103472.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2893472088.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2895612844.0000000006730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r11.o.lencr.org0#
Source: RegSvcs.exe, 00000001.00000002.2894103472.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2893472088.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2895612844.0000000006730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: RegSvcs.exe, 00000001.00000002.2894103472.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2893472088.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2895612844.0000000006730000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: RegSvcs.exe, 00000001.00000002.2894103472.00000000032DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://zqamcx.com
Source: z25RFQ945894-PDF.exe, 00000000.00000002.1664669287.0000000001160000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2893009529.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.z25RFQ945894-PDF.exe.1160000.1.raw.unpack, aXzTh9Yxb3.cs

.Net Code: lwNQNyMpCNT

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe

Code function: 0_2_0029407C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0029407C

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe

Code function: 0_2_0029427A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0029427A

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe

0_2_0029407C

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe

Code function: 0_2_0028003A GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_0028003A

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe

Code function: 0_2_002ACB26 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_002ACB26

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.z25RFQ945894-PDF.exe.1160000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.z25RFQ945894-PDF.exe.1160000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1664669287.0000000001160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00223B4C
Source: z25RFQ945894-PDF.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: z25RFQ945894-PDF.exe, 00000000.00000000.1649028235.00000000002D4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_329ecbec-7
Source: z25RFQ945894-PDF.exe, 00000000.00000000.1649028235.00000000002D4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"	memstr_2e1c2cfb-0
Source: z25RFQ945894-PDF.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_6ae2466a-f
Source: z25RFQ945894-PDF.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"	memstr_85e6a7c8-5

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: z25RFQ945894-PDF.exe

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe

Code function: 0_2_0028A279: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_0028A279

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe

Code function: 0_2_00278638 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00278638

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe

Code function: 0_2_00285264 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00285264

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_0022E800	0_2_0022E800
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_0024DAF5	0_2_0024DAF5
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_0022FE40	0_2_0022FE40
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_0022E060	0_2_0022E060
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_00234140	0_2_00234140
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_00242345	0_2_00242345
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_002A0465	0_2_002A0465
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_00256452	0_2_00256452
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_002525AE	0_2_002525AE
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_0024277A	0_2_0024277A
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_00236841	0_2_00236841
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_002A08E2	0_2_002A08E2
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_0027E928	0_2_0027E928
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_00288932	0_2_00288932
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_0025890F	0_2_0025890F
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_00238968	0_2_00238968
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_002569C4	0_2_002569C4
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_0024CCA1	0_2_0024CCA1
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_00256F36	0_2_00256F36
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_002370FE	0_2_002370FE
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_00233190	0_2_00233190
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_00221287	0_2_00221287
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_00243307	0_2_00243307
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_0024F359	0_2_0024F359
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_00241604	0_2_00241604
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_00235680	0_2_00235680
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_00247813	0_2_00247813
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_002358C0	0_2_002358C0
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_00241AF8	0_2_00241AF8
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_00259C35	0_2_00259C35
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_002A7E0D	0_2_002A7E0D
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_0024BF26	0_2_0024BF26
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_00241F10	0_2_00241F10
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_0123FEC0	0_2_0123FEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_018F9360	1_2_018F9360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_018F9B18	1_2_018F9B18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_018F4A88	1_2_018F4A88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_018FCE68	1_2_018FCE68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_018F3E70	1_2_018F3E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_018F41B8	1_2_018F41B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05D7DD90	1_2_05D7DD90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05D78C18	1_2_05D78C18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05D79B68	1_2_05D79B68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05D7BD88	1_2_05D7BD88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05D75750	1_2_05D75750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05D73F30	1_2_05D73F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05D749D8	1_2_05D749D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05D75058	1_2_05D75058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05D70040	1_2_05D70040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05D72B08	1_2_05D72B08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05D73230	1_2_05D73230

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: String function: 00227F41 appears 35 times
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: String function: 00248A80 appears 42 times
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: String function: 00240C63 appears 70 times

Source: z25RFQ945894-PDF.exe, 00000000.00000003.1660588784.0000000003BF3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs z25RFQ945894-PDF.exe
Source: z25RFQ945894-PDF.exe, 00000000.00000003.1660149230.0000000003D9D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs z25RFQ945894-PDF.exe
Source: z25RFQ945894-PDF.exe, 00000000.00000002.1664669287.0000000001160000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamed50456b9-4259-4a06-b7ec-7664f0d171dc.exe4 vs z25RFQ945894-PDF.exe

Source: z25RFQ945894-PDF.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.z25RFQ945894-PDF.exe.1160000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.z25RFQ945894-PDF.exe.1160000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.1664669287.0000000001160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: 0.2.z25RFQ945894-PDF.exe.1160000.1.raw.unpack, oH693OIIGFg.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.z25RFQ945894-PDF.exe.1160000.1.raw.unpack, 1jwN8Qsp0hs.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.z25RFQ945894-PDF.exe.1160000.1.raw.unpack, BOM.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z25RFQ945894-PDF.exe.1160000.1.raw.unpack, SN5.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z25RFQ945894-PDF.exe.1160000.1.raw.unpack, cpjKUanB.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z25RFQ945894-PDF.exe.1160000.1.raw.unpack, IicScPhBvUG.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z25RFQ945894-PDF.exe.1160000.1.raw.unpack, dyn.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z25RFQ945894-PDF.exe.1160000.1.raw.unpack, dyn.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z25RFQ945894-PDF.exe.1160000.1.raw.unpack, dyn.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z25RFQ945894-PDF.exe.1160000.1.raw.unpack, dyn.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/2@2/1

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe

Code function: 0_2_0028A0F4 GetLastError,FormatMessageW,

0_2_0028A0F4

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_002784F3 AdjustTokenPrivileges,CloseHandle,		0_2_002784F3
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_00278AA3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00278AA3

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe

Code function: 0_2_0028B3BF SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0028B3BF

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe

Code function: 0_2_0029EF21 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0029EF21

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe

Code function: 0_2_0028C423 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0028C423

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe

Code function: 0_2_00224FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00224FE9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe

File created: C:\Users\user\AppData\Local\Temp\autA113.tmp

Jump to behavior

Source: z25RFQ945894-PDF.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: z25RFQ945894-PDF.exe	ReversingLabs: Detection: 18%
Source: z25RFQ945894-PDF.exe	Virustotal: Detection: 16%

Source: unknown	Process created: C:\Users\user\Desktop\z25RFQ945894-PDF.exe "C:\Users\user\Desktop\z25RFQ945894-PDF.exe"
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\z25RFQ945894-PDF.exe"
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\z25RFQ945894-PDF.exe"	Jump to behavior

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: z25RFQ945894-PDF.exe

Static file information: File size 1049600 > 1048576

Source: z25RFQ945894-PDF.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: z25RFQ945894-PDF.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: z25RFQ945894-PDF.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: z25RFQ945894-PDF.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: z25RFQ945894-PDF.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: z25RFQ945894-PDF.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: z25RFQ945894-PDF.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: z25RFQ945894-PDF.exe, 00000000.00000003.1659802907.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, z25RFQ945894-PDF.exe, 00000000.00000003.1660041474.0000000003AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: z25RFQ945894-PDF.exe, 00000000.00000003.1659802907.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, z25RFQ945894-PDF.exe, 00000000.00000003.1660041474.0000000003AD0000.00000004.00001000.00020000.00000000.sdmp

Source: z25RFQ945894-PDF.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: z25RFQ945894-PDF.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: z25RFQ945894-PDF.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: z25RFQ945894-PDF.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: z25RFQ945894-PDF.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe

Code function: 0_2_0029C104 LoadLibraryA,GetProcAddress,

0_2_0029C104

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_00288538 push FFFFFF8Bh; iretd	0_2_0028853A
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_0022C590 push eax; retn 0022h	0_2_0022C599
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_0024E88F push edi; ret	0_2_0024E891
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_0024E9A8 push esi; ret	0_2_0024E9AA
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_00248AC5 push ecx; ret	0_2_00248AD8
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_0024EB83 push esi; ret	0_2_0024EB85
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_0024EC6C push edi; ret	0_2_0024EC6E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_018F6341 push E8000009h; ret	1_2_018F6369

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_00224A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00224A35
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_002A53DF IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_002A53DF

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe

Code function: 0_2_00243307 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00243307

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe

API/Special instruction interceptor: Address: 123FAE4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 633			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 4872			Jump to behavior

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-98394

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe

API coverage: 4.5 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_0028449B GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0028449B
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_0028C75D FindFirstFileW,FindClose,	0_2_0028C75D
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_0028C7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0028C7E8
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_0028F021 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0028F021
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_0028F17E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0028F17E
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_0028F47F FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0028F47F
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_00283833 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00283833
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_00283B56 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00283B56
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_0028BD48 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0028BD48

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe

Code function: 0_2_00224AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00224AFE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99529	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98282	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98151	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98034	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97907	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97743	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: RegSvcs.exe, 00000001.00000002.2895612844.0000000006730000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe

API call chain: ExitProcess graph end node

graph_0-96873

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe

Code function: 0_2_0029401F BlockInput,

0_2_0029401F

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe

Code function: 0_2_00223B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00223B4C

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe

Code function: 0_2_00255BFC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00255BFC

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe

Code function: 0_2_0029C104 LoadLibraryA,GetProcAddress,

0_2_0029C104

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_0123E6E0 mov eax, dword ptr fs:[00000030h]	0_2_0123E6E0
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_0123FD50 mov eax, dword ptr fs:[00000030h]	0_2_0123FD50
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_0123FDB0 mov eax, dword ptr fs:[00000030h]	0_2_0123FDB0

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe

Code function: 0_2_002781D4 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_002781D4

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_0024A2A4 SetUnhandledExceptionFilter,		0_2_0024A2A4
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_0024A2D5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_0024A2D5

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 11EE008

Jump to behavior

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe

Code function: 0_2_00278A73 LogonUserW,

0_2_00278A73

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe

Code function: 0_2_00223B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00223B4C

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe

Code function: 0_2_00224A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00224A35

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe

Code function: 0_2_00284CFA mouse_event,

0_2_00284CFA

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\z25RFQ945894-PDF.exe"

Jump to behavior

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe

0_2_002781D4

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe

Code function: 0_2_00284A08 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00284A08

Source: z25RFQ945894-PDF.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: z25RFQ945894-PDF.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe

Code function: 0_2_002487AB cpuid

0_2_002487AB

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe

Code function: 0_2_00255007 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00255007

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe

Code function: 0_2_0026215F GetUserNameW,

0_2_0026215F

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe

Code function: 0_2_002540BA __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_002540BA

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe

Code function: 0_2_00224AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00224AFE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.z25RFQ945894-PDF.exe.1160000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z25RFQ945894-PDF.exe.1160000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2894103472.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2894103472.0000000003308000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2893009529.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1664669287.0000000001160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2894103472.0000000003291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: z25RFQ945894-PDF.exe PID: 7432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7448, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: z25RFQ945894-PDF.exe	Binary or memory string: WIN_81
Source: z25RFQ945894-PDF.exe	Binary or memory string: WIN_XP
Source: z25RFQ945894-PDF.exe	Binary or memory string: WIN_XPe
Source: z25RFQ945894-PDF.exe	Binary or memory string: WIN_VISTA
Source: z25RFQ945894-PDF.exe	Binary or memory string: WIN_7
Source: z25RFQ945894-PDF.exe	Binary or memory string: WIN_8
Source: z25RFQ945894-PDF.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 0.2.z25RFQ945894-PDF.exe.1160000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z25RFQ945894-PDF.exe.1160000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2893009529.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1664669287.0000000001160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2894103472.0000000003291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: z25RFQ945894-PDF.exe PID: 7432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7448, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.z25RFQ945894-PDF.exe.1160000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z25RFQ945894-PDF.exe.1160000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2894103472.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2894103472.0000000003308000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2893009529.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1664669287.0000000001160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2894103472.0000000003291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: z25RFQ945894-PDF.exe PID: 7432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7448, type: MEMORYSTR

Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_00296399 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00296399
Source: C:\Users\user\Desktop\z25RFQ945894-PDF.exe	Code function: 0_2_0029685D socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_0029685D

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	1 Credentials in Registry	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	138 System Information Discovery	Distributed Component Object Model	121 Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	2 Valid Accounts	LSA Secrets	241 Security Software Discovery	SSH	3 Clipboard Data	11 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	121 Virtualization/Sandbox Evasion	Cached Domain Credentials	121 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
z25RFQ945894-PDF.exe	18%	ReversingLabs
z25RFQ945894-PDF.exe	16%	Virustotal	Browse
z25RFQ945894-PDF.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
zqamcx.com	9%	Virustotal	Browse
15.164.165.52.in-addr.arpa	0%	Virustotal	Browse
mail.zqamcx.com	9%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://account.dyn.com/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://zqamcx.com	9%	Virustotal		Browse
http://mail.zqamcx.com	9%	Virustotal		Browse
http://r11.i.lencr.org/0#	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
zqamcx.com	78.110.166.82	true	true	9%, Virustotal, Browse	unknown
15.164.165.52.in-addr.arpa	unknown	unknown	false	0%, Virustotal, Browse	unknown
mail.zqamcx.com	unknown	unknown	true	9%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://mail.zqamcx.com	RegSvcs.exe, 00000001.00000002.2894103472.00000000032DE000.00000004.00000800.00020000.00000000.sdmp	true	9%, Virustotal, Browse	unknown
http://zqamcx.com	RegSvcs.exe, 00000001.00000002.2894103472.00000000032DE000.00000004.00000800.00020000.00000000.sdmp	true	9%, Virustotal, Browse	unknown
https://account.dyn.com/	z25RFQ945894-PDF.exe, 00000000.00000002.1664669287.0000000001160000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2893009529.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://r11.o.lencr.org0#	RegSvcs.exe, 00000001.00000002.2894103472.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2893472088.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2895612844.0000000006730000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://r11.i.lencr.org/0#	RegSvcs.exe, 00000001.00000002.2894103472.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2893472088.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2895612844.0000000006730000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://x1.c.lencr.org/0	RegSvcs.exe, 00000001.00000002.2894103472.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2893472088.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2895612844.0000000006730000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	RegSvcs.exe, 00000001.00000002.2894103472.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2893472088.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2895612844.0000000006730000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
78.110.166.82	zqamcx.com	United Kingdom		42831	UKSERVERS-ASUKDedicatedServersHostingandCo-Location	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1522581
Start date and time:	2024-09-30 11:57:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	z25RFQ945894-PDF.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/2@2/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 54 Number of non-executed functions: 270
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:57:58	API Interceptor	27x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
78.110.166.82	COB756883.vbs	Get hash	malicious	CobaltStrike	Browse	windowsupdatesolutions.com/ServerCOB.txt
	Ingreso_SII_Abril_2021.cmd	Get hash	malicious	Unknown	Browse	www.emolcl.com/namaste/puma.php
	Ingreso_SII_Abril_2021.cmd	Get hash	malicious	Unknown	Browse	www.emolcl.com/namaste/puma.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
zqamcx.com	eFatura_ETN2024000000575_Ekleri.exe	Get hash	malicious	AgentTesla	Browse	78.110.166.82
	SecuriteInfo.com.Win32.MalwareX-gen.16545.12050.exe	Get hash	malicious	AgentTesla	Browse	78.110.166.82
	DOC25082024.bat.exe	Get hash	malicious	AgentTesla	Browse	78.110.166.82
	Halkbank_Ekstre_20240826_081429_424889.bat.exe	Get hash	malicious	AgentTesla	Browse	78.110.166.82

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UKSERVERS-ASUKDedicatedServersHostingandCo-Location	https://client31.webvalue.party/wp-content/uploads/weTranser_edited/weTranser_edited/index.php/	Get hash	malicious	Unknown	Browse	5.101.173.45
	https://client31.webvalue.party/wp-content/uploads/weTranser_edited/weTranser_edited/index.php?email%5C=3mail@b.c	Get hash	malicious	Unknown	Browse	5.101.173.45
	450230549.exe	Get hash	malicious	AgentTesla	Browse	78.110.166.82
	CCE_000110.exe	Get hash	malicious	AgentTesla	Browse	78.110.166.82
	https://qrplanet.com/smdv5p/	Get hash	malicious	Unknown	Browse	5.101.173.45
	22.09.2024-22.09.2024.exe	Get hash	malicious	AgentTesla	Browse	78.110.166.82
	FaturaHat#U0131rlatma.exe	Get hash	malicious	AgentTesla	Browse	78.110.166.82
	Payment_Release-Now cnesst.gouv.qc.ca.html	Get hash	malicious	Unknown	Browse	5.101.173.45
	Payment Advice.pdf.js	Get hash	malicious	Remcos	Browse	178.159.12.230
	eFatura_ETN2024000000575_Ekleri.exe	Get hash	malicious	AgentTesla	Browse	78.110.166.82

Process:	C:\Users\user\Desktop\z25RFQ945894-PDF.exe
File Type:	data
Category:	dropped
Size (bytes):	154754
Entropy (8bit):	7.878459591650458
Encrypted:	false
SSDEEP:	1536:llg3ykDSbGulpuTtO6XzlB5YtLaz/G8+/Oe20xSD+QtVhUG4bt7YRRVMJ0K0v2Hr:llPyQpAt/hYFarxbJRsyfMuK1gh4V3i+
MD5:	6F3264F5C9F26E60D64A2811554F9DA4
SHA1:	2D6A5E2B34A13916E8DC131D15D182461FCEF972
SHA-256:	6DB18052CD5EEF9B5F6AC1A4056BC0EEA425C9306CDA2D72CAD4057BA98B127A
SHA-512:	DE231E39B83A4CE501DD7901F0BF3B1EBE39D654B2061503178418538177CB2A00FCA7AEA0B5B75CF6F749A67ECA6E027852F095E1522DCB752F67DC5738D470
Malicious:	false
Reputation:	low
Preview:	EA06.....[..Z.^qV.M)t...K..Uj.B.U...j,.E....`..D.R. .....g..8R%..}..E.^1U8.>....(7.4.7..'Q....%.Ml..u.'.X.3..v...J+SI...5.X..3.....^.6.Q.`...M)4.U..K..5j.`....]N.A..F.J@.....b@..J.U..Ff..Q.E..0...ne...f..-...8..4...&@.....uhh......p......R(4....c.......$.s...B...8.a)..@...:.U....\...U.T.lU....@..$............8\|....-h.K...=2.U.pv.....p...>............K......F...T..X%D.R..)tz.....\..5.\d.....3..>..j.......o.T.w=.q........a66Y-K...c+7\.;qH.rs....D..u<.W..z.W.z..Cj.Lvu..........7..=\|....U.Y........z.,..5.E6..6..!..os...u ...y....lh.....y..>....Z&....@.{t.Le.4...[.......b.p.B@..@@8.p..7.....8....l.Z..8Y......f....._.s.....7.........=..............46I..n.R.T..h..{U..n]q.Dw....k<.oj6i.....S+.J.N.W.U....ww..Y(u9.N.3......O..].7n.F....&.oN.%-..b1...v@1.C.U..F.Y.B.....M....8vv].^}5..j....+".L..I..)...b........U.......6..4J5..M..UMU..2.U'V.6BSa.Q..0...6..U+G..+.....@.p..(.i...C.R....RK}.U*rJ.B.A...h#.....S....6.G-PZ.V...Q&.......Q...LR.L..@...>.

C:\Users\user\AppData\Local\Temp\quinquenniad

Download File

Process:	C:\Users\user\Desktop\z25RFQ945894-PDF.exe
File Type:	data
Category:	dropped
Size (bytes):	240128
Entropy (8bit):	6.714326844933443
Encrypted:	false
SSDEEP:	6144:TIY/HWjbLhZwR2Fp+RXIT/Kgk4pyQSKLawCJBMd:TD/HsbLhZw8mYbBEHl/U
MD5:	81C3B015449965F5DBAD3D7F42C9318C
SHA1:	0B833B5B55FB25C59BA7922DCA216BFFDE404834
SHA-256:	D3D3DD0BEDF335145F609115E6B6A6BA94A58156A0B6B56309B7BF577BEC5D9B
SHA-512:	8E88D8663CDFCD1C0B9A44F038977C6187E022AE7AA61925E35F0620F0A511B67FF9F01ACC8CC0DF03219B4D0BB4359B1646041C01BDC1B03C0B27E2CA71F445
Malicious:	false
Reputation:	low
Preview:	.o.EBW8VB4KA..LK.2RVBPTU.2PVE5PEAW8VF4KAADLKY2RVBPTUY2PVE5PE.W8VH+.OA.E.x.S..q.=0Ap&7Z77 :.5'Z%.5d..y@'8b9:u.}.v(Z4 oZ5\b4KAADLK.wRV.QWU6.F3E5PEAW8V.4I@JEGKY.QVBXTUY2PVK.SEAw8VF.HAAD.KY.RVBRTU]2PVE5PEEW8VF4KAADHKY0RVBPTU[2..E5@EAG8VF4[AATLKY2RVRPTUY2PVE5PE..;V.4KAA.OK.7RVBPTUY2PVE5PEAW8VF.HAMDLKY2RVBPTUY2PVE5PEAW8VF4KAADLKY2RVBPTUY2PVE5PEAW8VF.KAIDLKY2RVBPTUQ.PV.5PEAW8VF4KAo0)3-2RVV.WUY.PVE.SEAU8VF4KAADLKY2RVbPT5w@#$&5PE.R8VF.HAABLKY.QVBPTUY2PVE5PE.W8.hF.-.'LKU2RVB.WUY0PVE.SEAW8VF4KAADLK.2R.BPTUY2PVE5PEAW8V..HAADLK.2RV@PQU.RVU.QEBW8VG4KGADLKY2RVBPTUY2PVE5PEAW8VF4KAADLKY2RVBPTUY2PVE5PE\........9rA;5.p.7.V..C..L..N.-.= ...A....e%R..2.Yu..H...A.ID=M.....z0_$WZ.!j:1.\....j5...M7.(...g.\Vr.....q.....N5....F..!?9{8B : ..$'6J?.6.@ADLK.......0J..h6_[uE@...uV4...<PTU=2PV75PE W8V.4KA.DLK72RV<PTU'2PV.5PE.W8Vq4KAdDLK42RVfPTU'2PV.H_J...?5..AADLKl..f.=...m.a..s0.F.$.... ...hW.._<..q....^.<t.Qf Gb..LX4VS@WPVU.^...dCS<SD3OBMyB...w.v.`...4...-.F4KAAD.KY.RVB..U.2PV.5.E..8VF..A.D.K..V

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.990544688899181
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	z25RFQ945894-PDF.exe
File size:	1'049'600 bytes
MD5:	6cfb2ab5bfb52347d141ab2a82ab9ab2
SHA1:	cdc4e03046d770a589e09ec9e9ba56f16afce2f5
SHA256:	97aed74a1556b5b96eacd10c8ba1e206036d8f6fc35fab882689566c8c16aa6b
SHA512:	52d9f6ebd2c088d765d022bfdc037476cece11e63753be3a4aa7bbf0b2d824291d19ecd9aa70ccc503b9c4356ad929c47a4072cb0e65abc3ba0cad3faa359367
SSDEEP:	24576:VCdxte/80jYLT3U1jfsWaIsp0CL/rf6pQ:8w80cTsjkWaIs2GzV
TLSH:	4225BE2273DDC360CB769173BF6AB7012EBF78614630B95B2F880D7DA950162162D7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427f4a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FA5A85 [Mon Sep 30 08:00:05 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F9C68CCEC6Dh
jmp 00007F9C68CC1A34h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F9C68CC1BBAh
cmp edi, eax
jc 00007F9C68CC1F1Eh
bt dword ptr [004C31FCh], 01h
jnc 00007F9C68CC1BB9h
rep movsb
jmp 00007F9C68CC1ECCh
cmp ecx, 00000080h
jc 00007F9C68CC1D84h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F9C68CC1BC0h
bt dword ptr [004BE324h], 01h
jc 00007F9C68CC2090h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F9C68CC1D5Dh
test edi, 00000003h
jne 00007F9C68CC1D6Eh
test esi, 00000003h
jne 00007F9C68CC1D4Dh
bt edi, 02h
jnc 00007F9C68CC1BBFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F9C68CC1BC3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F9C68CC1C15h
bt esi, 03h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x37b30	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xff000	0x7130	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dd2e	0x8de00	c2c2260508750422d20cd5cbb116b146	False	0.5729952505506608	data	6.675875439961112	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	4513b58651e3d8d87c81a396e5b2f1d1	False	0.3353340955284553	OpenPGP Public Key	5.760731648769018	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	c2de4a3d214eae7e87c7bfc06bd79775	False	0.1017530487804878	data	1.1988106744719143	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x37b30	0x37c00	af246e57eba4fcebef615b6dd3284c1c	False	0.8817702494394619	data	7.780310717022067	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xff000	0x7130	0x7200	1254908a9a03d2bcf12045d49cd572b9	False	0.7703536184210527	data	6.782377328042204	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x2edf7	data			1.0003437661140366
RT_GROUP_ICON	0xfe5b0	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xfe628	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xfe63c	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xfe650	0x14	data	English	Great Britain	1.25
RT_VERSION	0xfe664	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xfe740	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2024 11:57:59.643127918 CEST	49730	587	192.168.2.4	78.110.166.82
Sep 30, 2024 11:57:59.648106098 CEST	587	49730	78.110.166.82	192.168.2.4
Sep 30, 2024 11:57:59.648190975 CEST	49730	587	192.168.2.4	78.110.166.82
Sep 30, 2024 11:58:00.294986963 CEST	587	49730	78.110.166.82	192.168.2.4
Sep 30, 2024 11:58:00.296169996 CEST	49730	587	192.168.2.4	78.110.166.82
Sep 30, 2024 11:58:00.301047087 CEST	587	49730	78.110.166.82	192.168.2.4
Sep 30, 2024 11:58:00.463068008 CEST	587	49730	78.110.166.82	192.168.2.4
Sep 30, 2024 11:58:00.463265896 CEST	49730	587	192.168.2.4	78.110.166.82
Sep 30, 2024 11:58:00.469660044 CEST	587	49730	78.110.166.82	192.168.2.4
Sep 30, 2024 11:58:00.634809971 CEST	587	49730	78.110.166.82	192.168.2.4
Sep 30, 2024 11:58:00.642335892 CEST	49730	587	192.168.2.4	78.110.166.82
Sep 30, 2024 11:58:00.647222996 CEST	587	49730	78.110.166.82	192.168.2.4
Sep 30, 2024 11:58:00.996187925 CEST	587	49730	78.110.166.82	192.168.2.4
Sep 30, 2024 11:58:00.996277094 CEST	587	49730	78.110.166.82	192.168.2.4
Sep 30, 2024 11:58:00.996329069 CEST	49730	587	192.168.2.4	78.110.166.82
Sep 30, 2024 11:58:00.996342897 CEST	587	49730	78.110.166.82	192.168.2.4
Sep 30, 2024 11:58:00.996385098 CEST	587	49730	78.110.166.82	192.168.2.4
Sep 30, 2024 11:58:00.996434927 CEST	49730	587	192.168.2.4	78.110.166.82
Sep 30, 2024 11:58:01.024333000 CEST	49730	587	192.168.2.4	78.110.166.82
Sep 30, 2024 11:58:01.029246092 CEST	587	49730	78.110.166.82	192.168.2.4
Sep 30, 2024 11:58:01.190937042 CEST	587	49730	78.110.166.82	192.168.2.4
Sep 30, 2024 11:58:01.208976030 CEST	49730	587	192.168.2.4	78.110.166.82
Sep 30, 2024 11:58:01.213860035 CEST	587	49730	78.110.166.82	192.168.2.4
Sep 30, 2024 11:58:01.375519991 CEST	587	49730	78.110.166.82	192.168.2.4
Sep 30, 2024 11:58:01.384594917 CEST	49730	587	192.168.2.4	78.110.166.82
Sep 30, 2024 11:58:01.389422894 CEST	587	49730	78.110.166.82	192.168.2.4
Sep 30, 2024 11:58:01.550925016 CEST	587	49730	78.110.166.82	192.168.2.4
Sep 30, 2024 11:58:01.554599047 CEST	49730	587	192.168.2.4	78.110.166.82
Sep 30, 2024 11:58:01.559482098 CEST	587	49730	78.110.166.82	192.168.2.4
Sep 30, 2024 11:58:01.748342037 CEST	587	49730	78.110.166.82	192.168.2.4
Sep 30, 2024 11:58:01.754344940 CEST	49730	587	192.168.2.4	78.110.166.82
Sep 30, 2024 11:58:01.759278059 CEST	587	49730	78.110.166.82	192.168.2.4
Sep 30, 2024 11:58:01.921029091 CEST	587	49730	78.110.166.82	192.168.2.4
Sep 30, 2024 11:58:01.921408892 CEST	49730	587	192.168.2.4	78.110.166.82
Sep 30, 2024 11:58:01.926378012 CEST	587	49730	78.110.166.82	192.168.2.4
Sep 30, 2024 11:58:02.095078945 CEST	587	49730	78.110.166.82	192.168.2.4
Sep 30, 2024 11:58:02.095372915 CEST	49730	587	192.168.2.4	78.110.166.82
Sep 30, 2024 11:58:02.100356102 CEST	587	49730	78.110.166.82	192.168.2.4
Sep 30, 2024 11:58:02.261939049 CEST	587	49730	78.110.166.82	192.168.2.4
Sep 30, 2024 11:58:02.266710997 CEST	49730	587	192.168.2.4	78.110.166.82
Sep 30, 2024 11:58:02.266753912 CEST	49730	587	192.168.2.4	78.110.166.82
Sep 30, 2024 11:58:02.266774893 CEST	49730	587	192.168.2.4	78.110.166.82
Sep 30, 2024 11:58:02.266791105 CEST	49730	587	192.168.2.4	78.110.166.82
Sep 30, 2024 11:58:02.271773100 CEST	587	49730	78.110.166.82	192.168.2.4
Sep 30, 2024 11:58:02.271817923 CEST	587	49730	78.110.166.82	192.168.2.4
Sep 30, 2024 11:58:02.271868944 CEST	587	49730	78.110.166.82	192.168.2.4
Sep 30, 2024 11:58:02.567447901 CEST	587	49730	78.110.166.82	192.168.2.4
Sep 30, 2024 11:58:02.615195036 CEST	49730	587	192.168.2.4	78.110.166.82
Sep 30, 2024 11:59:39.412558079 CEST	49730	587	192.168.2.4	78.110.166.82
Sep 30, 2024 11:59:39.417604923 CEST	587	49730	78.110.166.82	192.168.2.4
Sep 30, 2024 11:59:39.579550028 CEST	587	49730	78.110.166.82	192.168.2.4
Sep 30, 2024 11:59:39.583676100 CEST	49730	587	192.168.2.4	78.110.166.82

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2024 11:57:59.385919094 CEST	59600	53	192.168.2.4	1.1.1.1
Sep 30, 2024 11:57:59.635849953 CEST	53	59600	1.1.1.1	192.168.2.4
Sep 30, 2024 11:58:29.608107090 CEST	53	56454	162.159.36.2	192.168.2.4
Sep 30, 2024 11:58:30.100816011 CEST	62417	53	192.168.2.4	1.1.1.1
Sep 30, 2024 11:58:30.108664036 CEST	53	62417	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 30, 2024 11:57:59.385919094 CEST	192.168.2.4	1.1.1.1	0x7bb6	Standard query (0)	mail.zqamcx.com	A (IP address)	IN (0x0001)	false
Sep 30, 2024 11:58:30.100816011 CEST	192.168.2.4	1.1.1.1	0x8820	Standard query (0)	15.164.165.52.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 30, 2024 11:57:59.635849953 CEST	1.1.1.1	192.168.2.4	0x7bb6	No error (0)	mail.zqamcx.com	zqamcx.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 30, 2024 11:57:59.635849953 CEST	1.1.1.1	192.168.2.4	0x7bb6	No error (0)	zqamcx.com		78.110.166.82	A (IP address)	IN (0x0001)	false
Sep 30, 2024 11:58:30.108664036 CEST	1.1.1.1	192.168.2.4	0x8820	Name error (3)	15.164.165.52.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Sep 30, 2024 11:58:00.294986963 CEST	587	49730	78.110.166.82	192.168.2.4	220-cphost14.qhoster.net ESMTP Exim 4.96.2 #2 Mon, 30 Sep 2024 10:58:00 +0100 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Sep 30, 2024 11:58:00.296169996 CEST	49730	587	192.168.2.4	78.110.166.82	EHLO 216865
Sep 30, 2024 11:58:00.463068008 CEST	587	49730	78.110.166.82	192.168.2.4	250-cphost14.qhoster.net Hello 216865 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Sep 30, 2024 11:58:00.463265896 CEST	49730	587	192.168.2.4	78.110.166.82	STARTTLS
Sep 30, 2024 11:58:00.634809971 CEST	587	49730	78.110.166.82	192.168.2.4	220 TLS go ahead

Target ID:	0
Start time:	05:57:56
Start date:	30/09/2024
Path:	C:\Users\user\Desktop\z25RFQ945894-PDF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\z25RFQ945894-PDF.exe"
Imagebase:	0x220000
File size:	1'049'600 bytes
MD5 hash:	6CFB2AB5BFB52347D141AB2A82AB9AB2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1664669287.0000000001160000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1664669287.0000000001160000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000000.00000002.1664669287.0000000001160000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	05:57:57
Start date:	30/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\z25RFQ945894-PDF.exe"
Imagebase:	0xf20000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.2894103472.00000000032DE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.2894103472.0000000003308000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2893009529.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.2893009529.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2894103472.0000000003291000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.2894103472.0000000003291000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.9%
Dynamic/Decrypted Code Coverage:	1.5%
Signature Coverage:	6.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	74

Executed Functions

Function 00223B4C Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00223B7A
IsDebuggerPresent.KERNEL32 ref: 00223B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,002E52F8,002E52E0,?,?), ref: 00223BFD

Part of subcall function 00227D2C: _memmove.LIBCMT ref: 00227D66

Part of subcall function 00230A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00223C26,002E52F8,?,?,?), ref: 00230ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 00223C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,002D7770,00000010), ref: 0025D3EC
SetCurrentDirectoryW.KERNEL32(?,002E52F8,?,?,?), ref: 0025D424
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,002D4260,002E52F8,?,?,?), ref: 0025D4AA
ShellExecuteW.SHELL32(00000000,?,?), ref: 0025D4B1

Part of subcall function 00223A58: GetSysColorBrush.USER32(0000000F), ref: 00223A62
Part of subcall function 00223A58: LoadCursorW.USER32(00000000,00007F00), ref: 00223A71
Part of subcall function 00223A58: LoadIconW.USER32(00000063), ref: 00223A88
Part of subcall function 00223A58: LoadIconW.USER32(000000A4), ref: 00223A9A
Part of subcall function 00223A58: LoadIconW.USER32(000000A2), ref: 00223AAC
Part of subcall function 00223A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00223AD2
Part of subcall function 00223A58: RegisterClassExW.USER32(?), ref: 00223B28

Part of subcall function 002239E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00223A15
Part of subcall function 002239E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00223A36
Part of subcall function 002239E7: ShowWindow.USER32(00000000,?,?), ref: 00223A4A
Part of subcall function 002239E7: ShowWindow.USER32(00000000,?,?), ref: 00223A53

Part of subcall function 002243DB: _memset.LIBCMT ref: 00224401
Part of subcall function 002243DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 002244A6

Strings

runas, xrefs: 0025D4A5
This is a third-party compiled AutoIt script., xrefs: 0025D3E4
%+, xrefs: 00223C56

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%+
API String ID: 529118366-83704245
Opcode ID: 5f494c49665d3dc105f5d58ab4b3a6a9d9c80f47f5ca242e087fb3707aedc61a
Instruction ID: 2ff53284a8ca578aed45a9fef7ff814918540f4f463e56eb301e871a3bf49517
Opcode Fuzzy Hash: 5f494c49665d3dc105f5d58ab4b3a6a9d9c80f47f5ca242e087fb3707aedc61a
Instruction Fuzzy Hash: 775107309782A9BBCF11EBF4FC49AED7B74AB05304B0041A6FD517A161DA784A65CF21

Function 00224FE9 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00224EEE,?,?,00000000,00000000), ref: 00224FF9
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00224EEE,?,?,00000000,00000000), ref: 00225010
LoadResource.KERNEL32(?,00000000,?,?,00224EEE,?,?,00000000,00000000,?,?,?,?,?,?,00224F8F), ref: 0025DC90
SizeofResource.KERNEL32(?,00000000,?,?,00224EEE,?,?,00000000,00000000,?,?,?,?,?,?,00224F8F), ref: 0025DCA5
LockResource.KERNEL32(N",?,?,00224EEE,?,?,00000000,00000000,?,?,?,?,?,?,00224F8F,00000000), ref: 0025DCB8

Strings

N", xrefs: 0025DCB5
SCRIPT, xrefs: 00225006

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT$N"
API String ID: 3051347437-927132664
Opcode ID: 55ead24a4528d7af98df7df5e9625189617e73c91439426225f6202c784b9630
Instruction ID: 0b3009284320cc8462b6fa953e0975cc34fd26e58fb53087c5ab0a3bbccd4bc0
Opcode Fuzzy Hash: 55ead24a4528d7af98df7df5e9625189617e73c91439426225f6202c784b9630
Instruction Fuzzy Hash: 07115E75250711BFD7218BA5ED48F777BB9EBCAB11F108168F805C6250DBB1EC108660

Function 00224AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00224B2B

Part of subcall function 00227D2C: _memmove.LIBCMT ref: 00227D66

GetCurrentProcess.KERNEL32(?,002AFAEC,00000000,00000000,?), ref: 00224BF8
IsWow64Process.KERNEL32(00000000), ref: 00224BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00224C45
FreeLibrary.KERNEL32(00000000), ref: 00224C50
GetSystemInfo.KERNEL32(00000000), ref: 00224C81
GetSystemInfo.KERNEL32(00000000), ref: 00224C8D

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 442c462d079df06fb41da0ae6fa712cfbfe29429b700431050a113da7f2afd6a
Instruction ID: 0c6c5cfb3d9883b0ae6420f83c176b6da6ea75b7e7ec647e1be304ba652fe0d4
Opcode Fuzzy Hash: 442c462d079df06fb41da0ae6fa712cfbfe29429b700431050a113da7f2afd6a
Instruction Fuzzy Hash: DD91283196A7D1EEC731DFA8A5511AAFFE5AF26300B444E5EE4CB43A01D630E918C71D

Function 0022FE40 Relevance: 9.8, APIs: 3, Strings: 2, Instructions: 1040COMMON

Download Yara Rule

Strings

pb., xrefs: 00264D12
%+, xrefs: 0022FE53

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: BuffCharUpper
String ID: pb.$%+
API String ID: 3964851224-3783737210
Opcode ID: 714340440766e3425a35a27f0af3b8d802f609b61097e925653d019a6bc9d6dc
Instruction ID: 9d13df7d20ee4f041c8b4aa55bb12f06d67cfa28d78d3038ea9f3bd1af1db5f4
Opcode Fuzzy Hash: 714340440766e3425a35a27f0af3b8d802f609b61097e925653d019a6bc9d6dc
Instruction Fuzzy Hash: 9C927BB06283519FD724DF14C490B2ABBE1BF88304F14896DE98A8B751D771ECA5CF92

Function 0022E800 Relevance: 7.4, Strings: 5, Instructions: 1102COMMON

Download Yara Rule

Strings

Dd., xrefs: 0022EC21
Dd., xrefs: 00263E87
Dd., xrefs: 00263E4E
Variable must be of type 'Object'., xrefs: 002641BB
Dd., xrefs: 0022EC1A

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID:
String ID: Dd.$Dd.$Dd.$Dd.$Variable must be of type 'Object'.
API String ID: 0-4147315530
Opcode ID: 36309f306056434c7366421b189939286e68b5f096308728819e5c5bc2a070f0
Instruction ID: ac6b790672e7feb82a1f8756c6a85740539ccae679644cf340b66564c56ab844
Opcode Fuzzy Hash: 36309f306056434c7366421b189939286e68b5f096308728819e5c5bc2a070f0
Instruction Fuzzy Hash: 98A2C274A20226EFCF24CF94E484AADB7B1FF58300F658069E9059B351D771EDA2DB90

Function 0028449B Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0025E6F1), ref: 002844AB
FindFirstFileW.KERNELBASE(?,?), ref: 002844BC
FindClose.KERNEL32(00000000), ref: 002844CC

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: f1b39e15d03dddf018ca10747bc0882d2325292eee58a99b64d7e1711ddffe94
Instruction ID: f7fb55577b4fa737bb33890a639ebb245b138a5a8891155887370bc10671db63
Opcode Fuzzy Hash: f1b39e15d03dddf018ca10747bc0882d2325292eee58a99b64d7e1711ddffe94
Instruction Fuzzy Hash: 0EE0D835821402575210BB78FC0D5E9779CAE06335F100715F935C10D0EB786D208695

Function 00230B30 Relevance: 64.3, APIs: 27, Strings: 9, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00230BBB
timeGetTime.WINMM ref: 00230E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00230FB3
Sleep.KERNEL32(0000000A), ref: 00230FC1
LockWindowUpdate.USER32(00000000,?,?), ref: 0023105A
DestroyWindow.USER32 ref: 00231066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00231080
Sleep.KERNEL32(0000000A,?,?), ref: 002651DC
TranslateMessage.USER32(?), ref: 00265FB9
DispatchMessageW.USER32(?), ref: 00265FC7
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00265FDB

Strings

@GUI_CTRLHANDLE, xrefs: 0026533D
pb., xrefs: 0026535C
@GUI_WINHANDLE, xrefs: 002652E8
pb., xrefs: 002652B2
pb., xrefs: 00265307
pb., xrefs: 00265B0D
@TRAY_ID, xrefs: 00265AE8
@COM_EVENTOBJ, xrefs: 00265849
@GUI_CTRLID, xrefs: 00265293

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pb.$pb.$pb.$pb.
API String ID: 4212290369-486499698
Opcode ID: e4a369438295388ae0aa35c79764077388aa12345738b5321f459b7285349b87
Instruction ID: e831ac6ef805783213c33298639e4dc768ae986ccf18909800063b9887507a7d
Opcode Fuzzy Hash: e4a369438295388ae0aa35c79764077388aa12345738b5321f459b7285349b87
Instruction Fuzzy Hash: AFB20670628752DFD724DF24C898BAAB7E5BF84304F14491DF48A87291DB71E8A4CF92

Function 002891FE Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00289008: __time64.LIBCMT ref: 00289012

Part of subcall function 00225045: _fseek.LIBCMT ref: 0022505D

__wsplitpath.LIBCMT ref: 002892DD

Part of subcall function 0024426E: __wsplitpath_helper.LIBCMT ref: 002442AE

_wcscpy.LIBCMT ref: 002892F0
_wcscat.LIBCMT ref: 00289303
__wsplitpath.LIBCMT ref: 00289328
_wcscat.LIBCMT ref: 0028933E
_wcscat.LIBCMT ref: 00289351

Part of subcall function 0028904E: _memmove.LIBCMT ref: 00289087
Part of subcall function 0028904E: _memmove.LIBCMT ref: 00289096

_wcscmp.LIBCMT ref: 00289298

Part of subcall function 002897DD: _wcscmp.LIBCMT ref: 002898CD
Part of subcall function 002897DD: _wcscmp.LIBCMT ref: 002898E0

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 002894FB
_wcsncpy.LIBCMT ref: 0028956E
DeleteFileW.KERNEL32(?,?), ref: 002895A4
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 002895BA
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 002895CB
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 002895DD

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: dbb5735e487bfa8964e45edc5df26dc2bb3c14dedb1ee60ae6fa79095ba1bc14
Instruction ID: ea215fac5b914aeba51640070e3df9377b30ade326b990fecc6a24cf4e01e536
Opcode Fuzzy Hash: dbb5735e487bfa8964e45edc5df26dc2bb3c14dedb1ee60ae6fa79095ba1bc14
Instruction Fuzzy Hash: 5AC16DB5D11129ABDF21EF95CC85AEEB7BCEF45300F0440A6F609E7181DB709A948F64

Function 00223017 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 70
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00223074
RegisterClassExW.USER32(00000030), ref: 0022309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002230AF
InitCommonControlsEx.COMCTL32(?), ref: 002230CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002230DC
LoadIconW.USER32(000000A9), ref: 002230F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00223101

Strings

AutoIt v3 GUI, xrefs: 00223090
0, xrefs: 00223056
+, xrefs: 0022305D
TaskbarCreated, xrefs: 002230A4

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: e510d2c036e13a436b1d24983c462e605b82e5f87a5b79012fab2d1899d32dd0
Instruction ID: ea0bb2c7f4683700896c1e496b30bd01d38933e4bab3174c706a30c7c3e6c629
Opcode Fuzzy Hash: e510d2c036e13a436b1d24983c462e605b82e5f87a5b79012fab2d1899d32dd0
Instruction Fuzzy Hash: BA316BB1890355AFDB50CFE4ED886DDBBF0FB0A314F14412AE580EA2A0D7B90581CF50

Function 00223041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00223074
RegisterClassExW.USER32(00000030), ref: 0022309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002230AF
InitCommonControlsEx.COMCTL32(?), ref: 002230CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002230DC
LoadIconW.USER32(000000A9), ref: 002230F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00223101

Strings

AutoIt v3 GUI, xrefs: 00223090
0, xrefs: 00223056
+, xrefs: 0022305D
TaskbarCreated, xrefs: 002230A4

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: cb972e38c0dd281265d25758d12d03812cbfe2373c3d12ff9e4d69b4812c2197
Instruction ID: 44021bd185e973fe538cab0e820c95fe0733b719d5b1fec3e66c6ee34d412d2a
Opcode Fuzzy Hash: cb972e38c0dd281265d25758d12d03812cbfe2373c3d12ff9e4d69b4812c2197
Instruction Fuzzy Hash: EA21E8B1950268AFDB40DFE4FD8CB9DBBF4FB09704F00412AFA10AA2A0DBB545448F91

Function 002271EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00224864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,002E52F8,?,002237C0,?), ref: 00224882

Part of subcall function 0024068B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,002272C5), ref: 002406AD

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00227308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0025EC21
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0025EC62
RegCloseKey.ADVAPI32(?), ref: 0025ECA0
_wcscat.LIBCMT ref: 0025ECF9

Strings

Software\AutoIt v3\AutoIt, xrefs: 002272FE
\Include\, xrefs: 002272C5
\, xrefs: 0025ED1C
Include, xrefs: 0025EC18, 0025EC59

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 4adeb3f3234925eb78658ad5454e2a33f98c2f0c19b8321ebd5d007834a9950b
Instruction ID: 7f98036f1709cc5f562537826b31e67d8b366a134c14b9b8951672e4385debdd
Opcode Fuzzy Hash: 4adeb3f3234925eb78658ad5454e2a33f98c2f0c19b8321ebd5d007834a9950b
Instruction Fuzzy Hash: 1671B071469341AEC704DF65FC8999BBBE8FFA5390F40082EF9448B160EB309958CF55

Function 00223633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 002236D2
KillTimer.USER32(?,00000001), ref: 002236FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0022371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0022372A
CreatePopupMenu.USER32 ref: 0022373E
PostQuitMessage.USER32(00000000), ref: 0022375F

Strings

%+, xrefs: 0025D201, 0025D24F
TaskbarCreated, xrefs: 00223725

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated$%+
API String ID: 129472671-3833644150
Opcode ID: 6509f44f52793cf9131feb0ebc68f1a8e4eb3095183568fea1af5f7419b196be
Instruction ID: e751c9a76ab09f2ed81ea28f2f6abad306152e7b15906a7d8c8d73414df3e7fd
Opcode Fuzzy Hash: 6509f44f52793cf9131feb0ebc68f1a8e4eb3095183568fea1af5f7419b196be
Instruction Fuzzy Hash: 104125B1270566BBDF20EFE4FD4DB797658EB00300F100125FA468A2A2CAB99A749765

Function 00223A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00223A62
LoadCursorW.USER32(00000000,00007F00), ref: 00223A71
LoadIconW.USER32(00000063), ref: 00223A88
LoadIconW.USER32(000000A4), ref: 00223A9A
LoadIconW.USER32(000000A2), ref: 00223AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00223AD2
RegisterClassExW.USER32(?), ref: 00223B28

Part of subcall function 00223041: GetSysColorBrush.USER32(0000000F), ref: 00223074
Part of subcall function 00223041: RegisterClassExW.USER32(00000030), ref: 0022309E
Part of subcall function 00223041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002230AF
Part of subcall function 00223041: InitCommonControlsEx.COMCTL32(?), ref: 002230CC
Part of subcall function 00223041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002230DC
Part of subcall function 00223041: LoadIconW.USER32(000000A9), ref: 002230F2
Part of subcall function 00223041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00223101

Strings

0, xrefs: 00223B06
AutoIt v3, xrefs: 00223B17
#, xrefs: 00223B0D

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: c08cf71e61fffed71141a45b183880d706a738152958d5dbd1fe962d913f7bda
Instruction ID: 2fc010c286d67cfeaee6d98d7523511d593e8c7f7b82f657e89575a53892f345
Opcode Fuzzy Hash: c08cf71e61fffed71141a45b183880d706a738152958d5dbd1fe962d913f7bda
Instruction Fuzzy Hash: 7E215E71DA0364AFDB10DFA4FD8DB9DBBB4FB08715F000129FA04AA2A1D7B546508F94

Function 00223778 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/ErrorStdOut, xrefs: 0022388F
CMDLINERAW, xrefs: 0022380D
/AutoIt3ExecuteScript, xrefs: 002238CE
R., xrefs: 0025D37E
/AutoIt3ExecuteLine, xrefs: 002238B9
CMDLINE, xrefs: 00223834
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 002237C0
/AutoIt3OutputDebug, xrefs: 002238A4

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$R.
API String ID: 1825951767-1225404995
Opcode ID: 5a25355148a05eb0516b8c449422fab10a91d9f4679d6ee5a3277750e4e49482
Instruction ID: cedfb57b580b1a387f9d78b4297ea579193d1200668991df81db1dbda6da5172
Opcode Fuzzy Hash: 5a25355148a05eb0516b8c449422fab10a91d9f4679d6ee5a3277750e4e49482
Instruction Fuzzy Hash: 99A14F71930239AACB14EFE0EC959EEB7B8BF15300F44042AE516B7191DF785A69CF60

Function 0022F8CF Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 002402E2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00240313
Part of subcall function 002402E2: MapVirtualKeyW.USER32(00000010,00000000), ref: 0024031B
Part of subcall function 002402E2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00240326
Part of subcall function 002402E2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00240331
Part of subcall function 002402E2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00240339
Part of subcall function 002402E2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00240341

Part of subcall function 00236259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0022FA90), ref: 002362B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0022FB2D
OleInitialize.OLE32(00000000), ref: 0022FBAA
CloseHandle.KERNEL32(00000000), ref: 00264921

Strings

S., xrefs: 0022F94B
%+, xrefs: 0022F8F6, 0022F908, 0022FACE, 0022FBB1
<W., xrefs: 0022FA90
\T., xrefs: 0022F957

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: <W.$\T.$%+$S.
API String ID: 1986988660-2360567740
Opcode ID: d9e4ae7585f5921ce29b8a632211e2a7d07da0abf48cd8be03d56fe95032124b
Instruction ID: 82a37d65a5fab2011490e46cfb5edbd9bb852907609a662b49f33a1653b1a85f
Opcode Fuzzy Hash: d9e4ae7585f5921ce29b8a632211e2a7d07da0abf48cd8be03d56fe95032124b
Instruction Fuzzy Hash: F081D4B08B1AE08FC384DF69B9D8655BBE5FB4830E790416AD119CF2A1EB7044A4CF51

Function 0123EEA0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 0123EF71
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0123F197

Memory Dump Source

Source File: 00000000.00000002.1664843641.000000000123C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0123C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_123c000_z25RFQ945894-PDF.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 640a513b0a1dc75cf27b9d1dcd7263df352c7e5bc7e4f1208c2f85c57f315c64
Instruction ID: 3f8747ca54e780e08832b8d36ba06f0563fe5532c6ff7bc480fea2b09b7fc96c
Opcode Fuzzy Hash: 640a513b0a1dc75cf27b9d1dcd7263df352c7e5bc7e4f1208c2f85c57f315c64
Instruction Fuzzy Hash: 31A15AB0E10209EBDB14CFA8D985BEEBBB5FF88304F208159E211BB280C7759A45CF55

Function 002239E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00223A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00223A36
ShowWindow.USER32(00000000,?,?), ref: 00223A4A
ShowWindow.USER32(00000000,?,?), ref: 00223A53

Strings

AutoIt v3, xrefs: 00223A0D, 00223A12, 00223A13
edit, xrefs: 00223A30

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: b9d4d0a938408137b1d0ca56a82f957519accdabc4c30115c55708377b28502f
Instruction ID: 52fa859590dc739c203082681a69543507491b09776fa4ed664afdd87161fe13
Opcode Fuzzy Hash: b9d4d0a938408137b1d0ca56a82f957519accdabc4c30115c55708377b28502f
Instruction Fuzzy Hash: 9EF017706A02E07AEA605763BC8CE6B6E7DD7C7F54F00002ABE00AA171C6650850CAB0

Function 0123EC20 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 162
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0123EB10: Sleep.KERNELBASE(000001F4), ref: 0123EB21

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0123ED8C

Strings

E5PEAW8VF4KAADLKY2RVBPTUY2PV, xrefs: 0123EDF2, 0123EDF5

Memory Dump Source

Source File: 00000000.00000002.1664843641.000000000123C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0123C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_123c000_z25RFQ945894-PDF.jbxd

Similarity

API ID: CreateFileSleep
String ID: E5PEAW8VF4KAADLKY2RVBPTUY2PV
API String ID: 2694422964-1656100517
Opcode ID: 53246c61a731197def88c9bb380960feeb1820e768b48162ff16b3c28efd7137
Instruction ID: 3389791b74aae2c76f800396044107d9f06a178a6f0c1ef648872d91b02c8208
Opcode Fuzzy Hash: 53246c61a731197def88c9bb380960feeb1820e768b48162ff16b3c28efd7137
Instruction Fuzzy Hash: 3A61B470D1428CDAEF11CBE8C8487EFBB75AF55304F004199E2487B2C1D7BA5A49CB66

Function 0022410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0025D51C

Part of subcall function 00227D2C: _memmove.LIBCMT ref: 00227D66

_memset.LIBCMT ref: 0022418D
_wcscpy.LIBCMT ref: 002241E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 002241F1

Strings

Line: , xrefs: 0025D545

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: c16810ecd95be7d449be08d94918f6c93f98fab9535647cddafccf165d3d2e12
Instruction ID: 9c01db264d69d9070f169db093c331f65727a221ca66a9724bd7c1493c0d1944
Opcode Fuzzy Hash: c16810ecd95be7d449be08d94918f6c93f98fab9535647cddafccf165d3d2e12
Instruction Fuzzy Hash: 5231F57102C365BAD721EBE0FC46FDB77DCAF44304F10451AFA8896091EB74A668CB92

Function 0024558D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 002455EB
_memcpy_s.LIBCMT ref: 0024565D
__read_nolock.LIBCMT ref: 002456BB
__filbuf.LIBCMT ref: 002456DE
_memset.LIBCMT ref: 00245722

Part of subcall function 00248CA8: __getptd_noexit.LIBCMT ref: 00248CA8

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 85023550e632f3a2e029d8803ad8feb89e05da70391b4bd881aae18f065e9b73
Instruction ID: 59377e0bc4d5464c6a948a20c0b364ae413b7bbdacf392d52450a5a5b8e89615
Opcode Fuzzy Hash: 85023550e632f3a2e029d8803ad8feb89e05da70391b4bd881aae18f065e9b73
Instruction Fuzzy Hash: B251CB30A30B16DBDB2C9F69C88066DB7B6EF41320F644729F8A5962D2D7709D748F40

Function 002269CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00224F3D: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,002E52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00224F6F

_free.LIBCMT ref: 0025E5BC
_free.LIBCMT ref: 0025E603

Part of subcall function 00226BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00226D0D

Strings

Bad directive syntax error, xrefs: 0025E5EB
>>>AUTOIT SCRIPT<<<, xrefs: 0025E392

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 6998095f1ab589788d4a76a9e02e8c22f27d0f6b8359d30c44d72f5e56be1045
Instruction ID: cc132e5ba2dfbaa779717390a077e8c39f0221ef938730b0ecab88bbcb1e550b
Opcode Fuzzy Hash: 6998095f1ab589788d4a76a9e02e8c22f27d0f6b8359d30c44d72f5e56be1045
Instruction Fuzzy Hash: FC919371934229AFCF08EFA4D8919EDB7B4FF05314F144469F815AB2A1EB349A28CF54

Function 002235B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,002235A1,SwapMouseButtons,00000004,?), ref: 002235D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,002235A1,SwapMouseButtons,00000004,?,?,?,?,00222754), ref: 002235F5
RegCloseKey.KERNELBASE(00000000,?,?,002235A1,SwapMouseButtons,00000004,?,?,?,?,00222754), ref: 00223617

Strings

Control Panel\Mouse, xrefs: 002235D2

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 79f9b7d9781d01abd13049095802be0f7e82a1ae0b651b0d772968485a22f6c5
Instruction ID: 091167efe512af708ae90a718484e962e2b90b1530e629862a7864ed57c1ff6f
Opcode Fuzzy Hash: 79f9b7d9781d01abd13049095802be0f7e82a1ae0b651b0d772968485a22f6c5
Instruction Fuzzy Hash: 87114871A20228BFDB20CFA4EC44ABEB7BCEF05740F014469E805D7210E6B59E649B68

Function 0123DB10 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0123E33D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0123E361
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0123E383

Memory Dump Source

Source File: 00000000.00000002.1664843641.000000000123C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0123C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_123c000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 3007ae169ef8b9d8c61beb8ea063371979b6b354134e23f449e077085ff78b4f
Instruction ID: 6d7b50c0a0dd63989258ef3a55fde76ac073e94054a56cbbf0cae567be9bfa4c
Opcode Fuzzy Hash: 3007ae169ef8b9d8c61beb8ea063371979b6b354134e23f449e077085ff78b4f
Instruction Fuzzy Hash: D0620D70A24258DBEB24CFA4C841BDEB771EF98300F1091A9D20DEB390E7759E85CB59

Function 00289604 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00225045: _fseek.LIBCMT ref: 0022505D

Part of subcall function 002897DD: _wcscmp.LIBCMT ref: 002898CD
Part of subcall function 002897DD: _wcscmp.LIBCMT ref: 002898E0

_free.LIBCMT ref: 0028974B
_free.LIBCMT ref: 00289752
_free.LIBCMT ref: 002897BD

Part of subcall function 00242ED5: RtlFreeHeap.NTDLL(00000000,00000000,?,00249BA4), ref: 00242EE9
Part of subcall function 00242ED5: GetLastError.KERNEL32(00000000,?,00249BA4), ref: 00242EFB

_free.LIBCMT ref: 002897C5

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: b9ba3a950dd1a7030697058870f3ba09b94392d032a6107ab809e5f29304b5ac
Instruction ID: 81b57c89af8e41abbd34f89a615a3e1889d019efa1606d825c2b2d87d22b0888
Opcode Fuzzy Hash: b9ba3a950dd1a7030697058870f3ba09b94392d032a6107ab809e5f29304b5ac
Instruction Fuzzy Hash: C55172F1D14229AFDF249F64DC81AAEBBB9EF48300F14449EF109A3281DB715A90CF58

Function 0024487A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00244910
__flush.LIBCMT ref: 00244930
__write.LIBCMT ref: 00244963
__flsbuf.LIBCMT ref: 00244991

Part of subcall function 00248CA8: __getptd_noexit.LIBCMT ref: 00248CA8

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: c192cc0e54a8f9db57de2592849b4d8a529bf1476805975b929b304db04efb62
Instruction ID: 30b3d86189abc54708850dff2615885b4dea0adfe9fa7a3e6ebb4b8ef4214dda
Opcode Fuzzy Hash: c192cc0e54a8f9db57de2592849b4d8a529bf1476805975b929b304db04efb62
Instruction Fuzzy Hash: F6412631A347469BDB1CEEA9C880B6F7BA6AF80360B24863DE805D7640D770DD609B40

Function 00224DD0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00224E1A

Strings

AU3!P/+, xrefs: 00224E14
EA06, xrefs: 0025DC25

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/+$EA06
API String ID: 4104443479-925092189
Opcode ID: 420288d0830c7cb0460010fda3841fc3964ac807c0a97c26a86eeb2d171c62fa
Instruction ID: 60add191b477b129aed0f16c68ab3c77d35c1f2e74b87180a047123e294f20a3
Opcode Fuzzy Hash: 420288d0830c7cb0460010fda3841fc3964ac807c0a97c26a86eeb2d171c62fa
Instruction Fuzzy Hash: 3E419F21A341747BEF21BFE4EC517BE7BA5AB45300F594065EC429B182C5709D648BE1

Function 002273E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0025ED92
GetOpenFileNameW.COMDLG32(?), ref: 0025EDDC

Part of subcall function 002248AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002248A1,?,?,002237C0,?), ref: 002248CE

Part of subcall function 00240911: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00240930

Strings

X, xrefs: 0025EDAA

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 4cafe4187041cb2d2b2a771a1a641d6f9e550c3935c1b7a2e0f791c684449f41
Instruction ID: f014be139a5789b2a6f7d7b2f8d58c467926a350c2e3eacd7c74d4fded461507
Opcode Fuzzy Hash: 4cafe4187041cb2d2b2a771a1a641d6f9e550c3935c1b7a2e0f791c684449f41
Instruction Fuzzy Hash: ED21D431A24298ABCB059FD4D845BEE7BF99F48704F00405AE808AB242DFF459AD8F91

Function 00288E3A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00288E55
__fread_nolock.LIBCMT ref: 00288E6A

Strings

EA06, xrefs: 00288E9C

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 967913f84d7ac50cb435a4e5ec3b895a22811799f5450865f6082a1dc255a2e2
Instruction ID: 22e60b8447268ec91f484db2826ac983b138233e72b55a386eb4e3e372b76cb2
Opcode Fuzzy Hash: 967913f84d7ac50cb435a4e5ec3b895a22811799f5450865f6082a1dc255a2e2
Instruction Fuzzy Hash: 4E01F9718142187EDB28DAA8C856EEEBBF89F01701F00459AF592D2181E9B4A6188B60

Function 0028998C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 002899A1
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 002899B8

Strings

aut, xrefs: 002899B2

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: df95ec6805b0298bc4b066e2c5c3a54afb70f9855e5f5962868cd7437f0a5298
Instruction ID: 033efb13e7c00bd356facf277d2eead42cb7e9d90b6bc28b7f5d91764516a15b
Opcode Fuzzy Hash: df95ec6805b0298bc4b066e2c5c3a54afb70f9855e5f5962868cd7437f0a5298
Instruction Fuzzy Hash: 8BD05E7954030DABDB909BE0EC0EFDA773CE705701F0002B1BE94D11A1EEB499A88B91

Function 0029CBF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33a397ab24161bce077038ab25e8a7933650fdbfa23d6a76cc89b9d2e06b33bb
Instruction ID: 6389a5ce966964609c183aa11db290cd7c47c55e8920c34dfea1da3ef7e6e6d7
Opcode Fuzzy Hash: 33a397ab24161bce077038ab25e8a7933650fdbfa23d6a76cc89b9d2e06b33bb
Instruction Fuzzy Hash: 21F15970A183019FCB14DF28C485A6ABBE5FF88314F14892EF89A9B351D771E955CF82

Function 002243DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00224401
Shell_NotifyIconW.SHELL32(00000000,?), ref: 002244A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 002244C3

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: fcec74afdf3548eb0db894036a3a097347c35f6c6b6cde9a57d3736b81da9411
Instruction ID: 44f61de004891632234e2e5c638519b5354278ff2f94c6e3808b4570db0e093d
Opcode Fuzzy Hash: fcec74afdf3548eb0db894036a3a097347c35f6c6b6cde9a57d3736b81da9411
Instruction Fuzzy Hash: 6931C570514761DFD720EF64E88479BBBF4FB48308F00092EFA9A87251D7706954CB52

Function 0024588C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 002458A3

Part of subcall function 0024A2EB: __NMSG_WRITE.LIBCMT ref: 0024A312
Part of subcall function 0024A2EB: __NMSG_WRITE.LIBCMT ref: 0024A31C

__NMSG_WRITE.LIBCMT ref: 002458AA

Part of subcall function 0024A348: GetModuleFileNameW.KERNEL32(00000000,002E33BA,00000104,?,00000001,00000000), ref: 0024A3DA
Part of subcall function 0024A348: ___crtMessageBoxW.LIBCMT ref: 0024A488

Part of subcall function 0024321F: ___crtCorExitProcess.LIBCMT ref: 00243225
Part of subcall function 0024321F: ExitProcess.KERNEL32 ref: 0024322E

Part of subcall function 00248CA8: __getptd_noexit.LIBCMT ref: 00248CA8

RtlAllocateHeap.NTDLL(011C0000,00000000,00000001,00000000,?,?,?,00240F53,?), ref: 002458CF

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 14b0819a23cf7924c647cc3ebf5163ef7e5e24e5dbf52cd00d9c8a867585d6ec
Instruction ID: 5e4cb97ffda0e1bdb5e78fca4449a2dc9b159d32b6e4c1471596e8e45c28c93a
Opcode Fuzzy Hash: 14b0819a23cf7924c647cc3ebf5163ef7e5e24e5dbf52cd00d9c8a867585d6ec
Instruction Fuzzy Hash: A001F5312B1B229BE61D7B74EC86B2E7348DF82761B500026F941AB183DFB09DA04E61

Function 0028994B Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,002895F1,?,?,?,?,?,00000004), ref: 00289964
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,002895F1,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 0028997A
CloseHandle.KERNEL32(00000000,?,002895F1,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00289981

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: e198912be961b5a694c05a97a6cfd5c3a740e4062b84c2335a452b6bdcaf4466
Instruction ID: a474303d591b9e03eb08374168f43fdd8166128231474d15262739c02c75a7f3
Opcode Fuzzy Hash: e198912be961b5a694c05a97a6cfd5c3a740e4062b84c2335a452b6bdcaf4466
Instruction Fuzzy Hash: D9E08632241214BBDB312F94FC0DFDA7B18AB06760F144221FB54790E08BB519219798

Function 00288DB6 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00288DC4

Part of subcall function 00242ED5: RtlFreeHeap.NTDLL(00000000,00000000,?,00249BA4), ref: 00242EE9
Part of subcall function 00242ED5: GetLastError.KERNEL32(00000000,?,00249BA4), ref: 00242EFB

_free.LIBCMT ref: 00288DD5
_free.LIBCMT ref: 00288DE7

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 33ae1c996f9c9f7cc5f494d2acb49351bd07ed813e84366d3f1e78f850c3488c
Instruction ID: 07358b74efaf268e6733b54c17bee86e3cd8b6527460bacf036bbb5b8e4bf8e1
Opcode Fuzzy Hash: 33ae1c996f9c9f7cc5f494d2acb49351bd07ed813e84366d3f1e78f850c3488c
Instruction Fuzzy Hash: 20E05BA1732703C3DA28797D6D40E9313DC9F583A1794081DF509D75C2DE24F8A58634

Function 0022AB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 0025FF5A

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 1dcc99fd41648b6d5bb604b35eb89bd8a8261be29f241fd7c476e767c4b190f5
Instruction ID: 7f3ae6c747c139c63344e1d0c50f98d7350611474b5ae148d4b1361fb3927778
Opcode Fuzzy Hash: 1dcc99fd41648b6d5bb604b35eb89bd8a8261be29f241fd7c476e767c4b190f5
Instruction Fuzzy Hash: DE226A70528311EFCB24DF54D494B2AB7E1BF84304F15896DE88A8B661DB71ECA5CF82

Function 0022492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00224992

Part of subcall function 002434EC: __lock.LIBCMT ref: 002434F2
Part of subcall function 002434EC: DecodePointer.KERNEL32(00000001,?,002249A7,00277F9C), ref: 002434FE
Part of subcall function 002434EC: EncodePointer.KERNEL32(?,?,002249A7,00277F9C), ref: 00243509

Part of subcall function 00224A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00224A73
Part of subcall function 00224A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00224A88

Part of subcall function 00223B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00223B7A
Part of subcall function 00223B4C: IsDebuggerPresent.KERNEL32 ref: 00223B8C
Part of subcall function 00223B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,002E52F8,002E52E0,?,?), ref: 00223BFD
Part of subcall function 00223B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00223C81

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 002249D2

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: ae118538d84c27635f200de598b88dde90ec100949ed7ad37aa2c6ec4df622fd
Instruction ID: 96d4554bf56ad34f4706b8696f54515062486205bf86cf34a5df60fa89372ed0
Opcode Fuzzy Hash: ae118538d84c27635f200de598b88dde90ec100949ed7ad37aa2c6ec4df622fd
Instruction Fuzzy Hash: 36119071824361ABC310EF68FC8990AFBE8EB94750F10451EF5458B2B1DBB09554CF92

Function 00240F36 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0024588C: __FF_MSGBANNER.LIBCMT ref: 002458A3
Part of subcall function 0024588C: __NMSG_WRITE.LIBCMT ref: 002458AA
Part of subcall function 0024588C: RtlAllocateHeap.NTDLL(011C0000,00000000,00000001,00000000,?,?,?,00240F53,?), ref: 002458CF

std::exception::exception.LIBCMT ref: 00240F6C
__CxxThrowException@8.LIBCMT ref: 00240F81

Part of subcall function 0024871B: RaiseException.KERNEL32(?,?,?,002D9E78,00000000,?,?,?,?,00240F86,?,002D9E78,?,00000001), ref: 00248770

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 2a471dbc7b8d74f9d24f2d645bd2af46d7093dafecd2ed1fe1b4b1c43d6da3ac
Instruction ID: 239f8dcf3857e4cac982a76987c246327cc7ea26149f985e7ecb2299ca5cbdde
Opcode Fuzzy Hash: 2a471dbc7b8d74f9d24f2d645bd2af46d7093dafecd2ed1fe1b4b1c43d6da3ac
Instruction Fuzzy Hash: 60F0A93153431A66C728BE98EC519DE7B9C9F01351F100476FA04A6692EFB19AB889D1

Function 0024576D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0024579C
__lock_file.LIBCMT ref: 002457BD

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 3b7b4adaca8554b491d8382f6eed9a4fad0cf67774155d016b262d0d27d3c891
Instruction ID: 0a4e59159ffa860e5f3101e6fe172025f093ac5ab1edad2688ec329658c9a3d0
Opcode Fuzzy Hash: 3b7b4adaca8554b491d8382f6eed9a4fad0cf67774155d016b262d0d27d3c891
Instruction Fuzzy Hash: 8101A731831A19EBCF19AF69CC0199FBB72BF80360F544125F8645A152D7758A31DF91

Function 00245516 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00248CA8: __getptd_noexit.LIBCMT ref: 00248CA8

__lock_file.LIBCMT ref: 0024555B

Part of subcall function 00246D8E: __lock.LIBCMT ref: 00246DB1

__fclose_nolock.LIBCMT ref: 00245566

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: c7bd368cc5057796d0d07df88a2da9c5e2557228249c077a667ce9794ce4338c
Instruction ID: f476f411a4fec6a771accc629c201624d5ad8e63b271c5aafb6767e0f3e04285
Opcode Fuzzy Hash: c7bd368cc5057796d0d07df88a2da9c5e2557228249c077a667ce9794ce4338c
Instruction Fuzzy Hash: 9CF0B431931A259BD7187F75880677E67A26F42331F558209F4A4AB1C2CBBC4921AF52

Function 0123DB0D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0123E33D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0123E361
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0123E383

Memory Dump Source

Source File: 00000000.00000002.1664843641.000000000123C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0123C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_123c000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: df6a772f5278f9eae63f3a29a40672dfa4321236305f3f5d8c91d224ff423281
Instruction ID: 49c5803b4b16bfef243c255d13a125dfe145e22aa75b08d23d2e6bd020ffd0c9
Opcode Fuzzy Hash: df6a772f5278f9eae63f3a29a40672dfa4321236305f3f5d8c91d224ff423281
Instruction Fuzzy Hash: 8612DE20E24658C6EB24DF64D8507DEB232EF68300F1090E9910DEB7A5E77A4F85CF5A

Function 0022766F Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0022774A

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: b8eb306d87080dac426f18344c6ec18a743f8c07957f396794896611c3497aee
Instruction ID: ce82d74018d3389633d559fe0c6f38fd4f88e2335507cc9434594a6cb724bdbc
Opcode Fuzzy Hash: b8eb306d87080dac426f18344c6ec18a743f8c07957f396794896611c3497aee
Instruction Fuzzy Hash: DE31C57522CA13EFC7289F59E090931F7A4FF09320B15C56DE9898B765E770D8A1CB84

Function 00240D88 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00240E37

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: f6af1aa4d99e59e42c10cf57036b4e811e77b3ad7b5722d2b4adc84b0d79ef9b
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: B231D574A10106DBC718DF58C4C4969FBA6FF89300B688AA5E509CB256DB71EDE1CB80

Function 00260005 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00260010

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: ac5afb155a60732411fea2c6b414f29e207351f81d048bad7bcf5aa202625774
Instruction ID: 2f4738e344774782ecca5f3fd1de8c7c3b2cead94450aad31fa739d24a83f64d
Opcode Fuzzy Hash: ac5afb155a60732411fea2c6b414f29e207351f81d048bad7bcf5aa202625774
Instruction Fuzzy Hash: BC4149745283519FDB24CF54C484B1ABBE0BF85318F0988ACE9894B762C732ECA5CF52

Function 00223F84 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0022400E

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: b87674f85fb40da641aa7b727b9a892742fbd22b6c51f62857705b6a85e1599d
Instruction ID: 610ca5d04cf5d3c02c6ff0f5709b3b82dac4d278dd4790b85522322055915a77
Opcode Fuzzy Hash: b87674f85fb40da641aa7b727b9a892742fbd22b6c51f62857705b6a85e1599d
Instruction Fuzzy Hash: 5C119D71624702AFD728DF55E551D22B7F5EB88320B15C83EE94ACBBA1DB70E890CB00

Function 00224F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00224D13: FreeLibrary.KERNEL32(00000000,?), ref: 00224D4D

Part of subcall function 002453CB: __wfsopen.LIBCMT ref: 002453D6

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,002E52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00224F6F

Part of subcall function 00224CC8: FreeLibrary.KERNEL32(00000000), ref: 00224D02

Part of subcall function 00224DD0: _memmove.LIBCMT ref: 00224E1A

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: c9102d5a6a8215355721b840427b6a986fca28bc276d9c815ae0ec0c49e72905
Instruction ID: e3aaeb708286aa02364e9aa0644db9b8c9a0bd0a80f0941248ff1bfca7ee40c0
Opcode Fuzzy Hash: c9102d5a6a8215355721b840427b6a986fca28bc276d9c815ae0ec0c49e72905
Instruction Fuzzy Hash: 79112B31630325BBCF20BFB4ED06B6D77A59F44701F10882AF841961D1DEB55A249F50

Function 002600DE Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 002600EA

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 514b8526adf46c4b1547adeca3bd27b108345b122a7d5f42eb09f7e8a92cae50
Instruction ID: 4d2e403ebec482f3fda36e3b2c3615b6fd9c8789414abd1fc4bc9606b4b1415b
Opcode Fuzzy Hash: 514b8526adf46c4b1547adeca3bd27b108345b122a7d5f42eb09f7e8a92cae50
Instruction Fuzzy Hash: 7E2124705283119FCB14DF94C484B1ABBE0BF88314F058968E99957B21DB31E869CF92

Function 002278AD Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 002278E9

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 81852b0ab0596b33c5117d4b28862d9aaa8b82c5ff613f6dfa73d39c53cf7666
Instruction ID: 780546c0fd09eef74aa3c45069035229da3d82af499cd6e0b367279a229339a3
Opcode Fuzzy Hash: 81852b0ab0596b33c5117d4b28862d9aaa8b82c5ff613f6dfa73d39c53cf7666
Instruction Fuzzy Hash: 6111A97222D2267BC714AFACE881E6AB399EF45320714412AFD19C72D4DF719C708B91

Function 002449D3 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00244A16

Part of subcall function 00248CA8: __getptd_noexit.LIBCMT ref: 00248CA8

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 32325bd814b560d1a7f0f5940e8f757cfd82fbb899de47962d47115bf06e5515
Instruction ID: 02ff344fec43159214618d09703d695f8e6aeee92c9cbcef26d81790dd9be413
Opcode Fuzzy Hash: 32325bd814b560d1a7f0f5940e8f757cfd82fbb899de47962d47115bf06e5515
Instruction Fuzzy Hash: 98F0C231970215EBDF19BF74CC0679F36A1AF01325F048515F424AA191DBB88970DF51

Function 00224FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,002E52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00224FDE

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 9131347929c07f3b8d66c4d03ded82701a10475003a989cf86205af92b9e6ac6
Instruction ID: 7caa75db8d03c712dbe7c2c837aca38f130de53290dd5ea160a9ff49bdb54719
Opcode Fuzzy Hash: 9131347929c07f3b8d66c4d03ded82701a10475003a989cf86205af92b9e6ac6
Instruction Fuzzy Hash: 97F03071525722DFC734AFA4F594812BBE1AF443253108A3EE5D682A10C7719860DF40

Function 00240911 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00240930

Part of subcall function 00227D2C: _memmove.LIBCMT ref: 00227D66

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 78cef625dd818b26a02f3e3907cc0a216b00e6df8a1b4528f7678b4a249358f8
Instruction ID: 6da090b816172819bf64625ee334384be71e19f27f08d448987ca5c5498d51c6
Opcode Fuzzy Hash: 78cef625dd818b26a02f3e3907cc0a216b00e6df8a1b4528f7678b4a249358f8
Instruction Fuzzy Hash: A6E0CD3690512867C721D698AC05FFA77EDDFC9791F0401B5FC4CD7209DDB45C918A90

Function 00288F48 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00288F6A

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 87e92921201f7f350e3b6a5d32947fae34ea2a0dab1f5900b9b8b54ddfacd81a
Instruction ID: 308115f3d69000959c0098a17c05d093d041e1abc45b0b4fd494eab1d67f5a5a
Opcode Fuzzy Hash: 87e92921201f7f350e3b6a5d32947fae34ea2a0dab1f5900b9b8b54ddfacd81a
Instruction Fuzzy Hash: B4E092B5214B009BDB389E24D8017A373E1AB15304F00081CF29AC3642EB63BC51CB59

Function 002453CB Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 002453D6

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 2196766ad6f3cb12e0e1ff671d47a766e99e8ee33ca0be8ffa3b0953e7179d16
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: C5B0927644020C77CE012E82EC02A493F599B407A4F408060FB0C185A2A6B3A6709A89

Function 0123EB0C Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 0123EB21

Memory Dump Source

Source File: 00000000.00000002.1664843641.000000000123C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0123C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_123c000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: f1aae7e66977cddc8d009b261c0c43b31b53ed2ac473700ba0aa9623c8695a51
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: AAE09A7494010DAFDB00EFA4D54969E7BB4EF04301F1005A1FD0596681DA309A548A62

Function 0123EB10 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 0123EB21

Memory Dump Source

Source File: 00000000.00000002.1664843641.000000000123C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0123C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_123c000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 9143643531def7124edba987e2fa8712122fb77f042c47ec7cee887c96ad6387
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 76E0BF7494010D9FDB00EFA4D54969E7BB4EF04301F100161FD0192281D63099508A72

Non-executed Functions

Function 002ACB26 Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00222612: GetWindowLongW.USER32(?,000000EB), ref: 00222623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 002ACBA1
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 002ACBFF
GetWindowLongW.USER32(?,000000F0), ref: 002ACC40
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002ACC6A
SendMessageW.USER32 ref: 002ACC93
_wcsncpy.LIBCMT ref: 002ACCFF
GetKeyState.USER32(00000011), ref: 002ACD20
GetKeyState.USER32(00000009), ref: 002ACD2D
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 002ACD43
GetKeyState.USER32(00000010), ref: 002ACD4D
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002ACD76
SendMessageW.USER32 ref: 002ACD9D
SendMessageW.USER32(?,00001030,?,002AB37C), ref: 002ACEA1
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 002ACEB7
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 002ACECA
SetCapture.USER32(?), ref: 002ACED3
ClientToScreen.USER32(?,?), ref: 002ACF38
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 002ACF45
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002ACF5F
ReleaseCapture.USER32 ref: 002ACF6A
GetCursorPos.USER32(?), ref: 002ACFA4
ScreenToClient.USER32(?,?), ref: 002ACFB1
SendMessageW.USER32(?,00001012,00000000,?), ref: 002AD00D
SendMessageW.USER32 ref: 002AD03B
SendMessageW.USER32(?,00001111,00000000,?), ref: 002AD078
SendMessageW.USER32 ref: 002AD0A7
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 002AD0C8
SendMessageW.USER32(?,0000110B,00000009,?), ref: 002AD0D7
GetCursorPos.USER32(?), ref: 002AD0F7
ScreenToClient.USER32(?,?), ref: 002AD104
GetParent.USER32(?), ref: 002AD124
SendMessageW.USER32(?,00001012,00000000,?), ref: 002AD18D
SendMessageW.USER32 ref: 002AD1BE
ClientToScreen.USER32(?,?), ref: 002AD21C
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 002AD24C
SendMessageW.USER32(?,00001111,00000000,?), ref: 002AD276
SendMessageW.USER32 ref: 002AD299
ClientToScreen.USER32(?,?), ref: 002AD2EB
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 002AD31F

Part of subcall function 002225DB: GetWindowLongW.USER32(?,000000EB), ref: 002225EC

GetWindowLongW.USER32(?,000000F0), ref: 002AD3BB

Strings

@GUI_DRAGID, xrefs: 002ACF06
pb., xrefs: 002ACF19
F, xrefs: 002AD29F

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F$pb.
API String ID: 3977979337-3736991238
Opcode ID: 95dafaff62617d664528b37c579c6e7dc8ecd0028498bc6593d555106f20d61e
Instruction ID: 7a1e6b6896000eb74e9f7400dceff8cc730cbbc2cc232a05c30191291deccb46
Opcode Fuzzy Hash: 95dafaff62617d664528b37c579c6e7dc8ecd0028498bc6593d555106f20d61e
Instruction Fuzzy Hash: 9942C030224342EFDB24CF64D888AAABBE5FF4A714F240919F555972B1CB72D864CF91

Function 002370FE Relevance: 54.0, APIs: 19, Strings: 9, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00237323
_memset.LIBCMT ref: 00237699
_memmove.LIBCMT ref: 0023780C

Strings

Q\E, xrefs: 0023812B
Oa#, xrefs: 00272721
[:>:]], xrefs: 002375F2
[:<:]], xrefs: 002375D9
\b(?<=\w), xrefs: 00273AC9
]-, xrefs: 00271D78
P\-, xrefs: 00271E0E
\b(?=\w), xrefs: 00273ABF
DEFINE, xrefs: 00272459

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: _memmove$_memset
String ID: ]-$DEFINE$Oa#$P\-$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-814072518
Opcode ID: d8a528f4df9ba3a4d37a1fe93f510419d72e3636d0925b2ac58829ec5956d218
Instruction ID: b16bf41f71e5ac6d6f69851a77a54ae65d0cd13b32e096d00875e02294e596fe
Opcode Fuzzy Hash: d8a528f4df9ba3a4d37a1fe93f510419d72e3636d0925b2ac58829ec5956d218
Instruction Fuzzy Hash: BB93A471A20216DFDF24CF58C881BADB7B1FF48710F25816AE949EB281E7709E91DB40

Function 00224A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00224A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0025D9BE
IsIconic.USER32(?), ref: 0025D9C7
ShowWindow.USER32(?,00000009), ref: 0025D9D4
SetForegroundWindow.USER32(?), ref: 0025D9DE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0025D9F4
GetCurrentThreadId.KERNEL32 ref: 0025D9FB
GetWindowThreadProcessId.USER32(?,00000000), ref: 0025DA07
AttachThreadInput.USER32(?,00000000,00000001), ref: 0025DA18
AttachThreadInput.USER32(?,00000000,00000001), ref: 0025DA20
AttachThreadInput.USER32(00000000,?,00000001), ref: 0025DA28
SetForegroundWindow.USER32(?), ref: 0025DA2B
MapVirtualKeyW.USER32(00000012,00000000), ref: 0025DA40
keybd_event.USER32(00000012,00000000), ref: 0025DA4B
MapVirtualKeyW.USER32(00000012,00000000), ref: 0025DA55
keybd_event.USER32(00000012,00000000), ref: 0025DA5A
MapVirtualKeyW.USER32(00000012,00000000), ref: 0025DA63
keybd_event.USER32(00000012,00000000), ref: 0025DA68
MapVirtualKeyW.USER32(00000012,00000000), ref: 0025DA72
keybd_event.USER32(00000012,00000000), ref: 0025DA77
SetForegroundWindow.USER32(?), ref: 0025DA7A
AttachThreadInput.USER32(?,?,00000000), ref: 0025DAA1

Strings

Shell_TrayWnd, xrefs: 0025D9B9

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 1821d478787d3739b3d23324c906b3e30f9de0b45d3c527e87f22fe1b48357af
Instruction ID: 6990e813d893cddc4e8fb70e22cf0b6978e2cf1cf20b1c1583442f6a5a31cf4e
Opcode Fuzzy Hash: 1821d478787d3739b3d23324c906b3e30f9de0b45d3c527e87f22fe1b48357af
Instruction Fuzzy Hash: CA317271A90318BBEB306FA1AD49F7F7F6CEB45B51F104025FE04EA1D0DAB45D10AAA4

Function 00278638 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00278AA3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00278AED
Part of subcall function 00278AA3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00278B1A
Part of subcall function 00278AA3: GetLastError.KERNEL32 ref: 00278B27

_memset.LIBCMT ref: 0027867B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 002786CD
CloseHandle.KERNEL32(?), ref: 002786DE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 002786F5
GetProcessWindowStation.USER32 ref: 0027870E
SetProcessWindowStation.USER32(00000000), ref: 00278718
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00278732

Part of subcall function 002784F3: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00278631), ref: 00278508
Part of subcall function 002784F3: CloseHandle.KERNEL32(?,?,00278631), ref: 0027851A

Strings

default, xrefs: 0027872D
, xrefs: 0027868A
winsta0, xrefs: 002786F0

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: c1a1f95d796b86073957639bbb1e3c227b5c0bfe4af6b588cbf8e741f6ea7a32
Instruction ID: 3d76329dd15cfda82fdd40e75b41daae2853bc2c8da7e5dc5c5f013d8437d69f
Opcode Fuzzy Hash: c1a1f95d796b86073957639bbb1e3c227b5c0bfe4af6b588cbf8e741f6ea7a32
Instruction Fuzzy Hash: FE818A7196020EEFDF119FA4DD4DAEEBBB8EF05304F048169F918A6161DB358E24DB21

Function 0029407C Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(002AF910), ref: 002940A6
IsClipboardFormatAvailable.USER32(0000000D), ref: 002940B4
GetClipboardData.USER32(0000000D), ref: 002940BC
CloseClipboard.USER32 ref: 002940C8
GlobalLock.KERNEL32(00000000), ref: 002940E4
CloseClipboard.USER32 ref: 002940EE
GlobalUnlock.KERNEL32(00000000), ref: 00294103
IsClipboardFormatAvailable.USER32(00000001), ref: 00294110
GetClipboardData.USER32(00000001), ref: 00294118
GlobalLock.KERNEL32(00000000), ref: 00294125
GlobalUnlock.KERNEL32(00000000), ref: 00294159
CloseClipboard.USER32 ref: 00294269

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 18de4b63d28050bf1ba6f4fdd6623da1c42f2c0c92c44f424625c89e9b3aea4a
Instruction ID: 0358b3245c9bc08ee68dfe3b1b2ef99e63745c27ba835c3b19f38db3fafbab81
Opcode Fuzzy Hash: 18de4b63d28050bf1ba6f4fdd6623da1c42f2c0c92c44f424625c89e9b3aea4a
Instruction Fuzzy Hash: B1519235224302AFDB10FFA0ED89F6E77A8AF85B01F004529F956D21A1DF74D9168F62

Function 0028C7E8 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0028C819
FindClose.KERNEL32(00000000), ref: 0028C86D
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0028C892
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0028C8A9
FileTimeToSystemTime.KERNEL32(?,?), ref: 0028C8D0
__swprintf.LIBCMT ref: 0028C91C
__swprintf.LIBCMT ref: 0028C95F

Part of subcall function 00227F41: _memmove.LIBCMT ref: 00227F82

__swprintf.LIBCMT ref: 0028C9B3

Part of subcall function 00243818: __woutput_l.LIBCMT ref: 00243871

__swprintf.LIBCMT ref: 0028CA01

Part of subcall function 00243818: __flsbuf.LIBCMT ref: 00243893
Part of subcall function 00243818: __flsbuf.LIBCMT ref: 002438AB

__swprintf.LIBCMT ref: 0028CA50
__swprintf.LIBCMT ref: 0028CA9F
__swprintf.LIBCMT ref: 0028CAEE

Strings

%02d, xrefs: 0028C9A7, 0028C9B1, 0028C9FF, 0028CA4E, 0028CA9D, 0028CAEC
%4d%02d%02d%02d%02d%02d, xrefs: 0028C916
%4d, xrefs: 0028C959

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 71d359496a196ce4a2db663a4e3ffe74edd0e25005327a298d9eb86b7b133879
Instruction ID: aaeff5ac37e19b5951f395bf06777ec6fba1582dcd47b6c221732038fb74809b
Opcode Fuzzy Hash: 71d359496a196ce4a2db663a4e3ffe74edd0e25005327a298d9eb86b7b133879
Instruction Fuzzy Hash: 75A13CB1428314BBC744FBA4D986DAFB7ECFF84704F404929F58582191EB34DA58CB62

Function 0028F021 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0028F042
_wcscmp.LIBCMT ref: 0028F057
_wcscmp.LIBCMT ref: 0028F06E
GetFileAttributesW.KERNEL32(?), ref: 0028F080
SetFileAttributesW.KERNEL32(?,?), ref: 0028F09A
FindNextFileW.KERNEL32(00000000,?), ref: 0028F0B2
FindClose.KERNEL32(00000000), ref: 0028F0BD
FindFirstFileW.KERNEL32(*.*,?), ref: 0028F0D9
_wcscmp.LIBCMT ref: 0028F100
_wcscmp.LIBCMT ref: 0028F117
SetCurrentDirectoryW.KERNEL32(?), ref: 0028F129
SetCurrentDirectoryW.KERNEL32(002D8920), ref: 0028F147
FindNextFileW.KERNEL32(00000000,00000010), ref: 0028F151
FindClose.KERNEL32(00000000), ref: 0028F15E
FindClose.KERNEL32(00000000), ref: 0028F170

Strings

*.*, xrefs: 0028F0D4

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: cb6cea0e813c2a152f7855ffba5d8579fbe96d544893a44e709a1b85236045ac
Instruction ID: 8fd64b235bcb8b3b947bd57d3237c0a7c484b055c9d9c805eabe3c8118506411
Opcode Fuzzy Hash: cb6cea0e813c2a152f7855ffba5d8579fbe96d544893a44e709a1b85236045ac
Instruction Fuzzy Hash: 5F31C03651120AABCB50EFB0ED4DBEE73AC9F0A320F104175E804E21E1EB34DE658B64

Function 002A08E2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002A09DE
RegCreateKeyExW.ADVAPI32(?,?,00000000,002AF910,00000000,?,00000000,?,?), ref: 002A0A4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 002A0A94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 002A0B1D
RegCloseKey.ADVAPI32(?), ref: 002A0E3D
RegCloseKey.ADVAPI32(00000000), ref: 002A0E4A

Strings

REG_MULTI_SZ, xrefs: 002A0C05
REG_DWORD, xrefs: 002A0D0E
REG_QWORD, xrefs: 002A0D8B
REG_SZ, xrefs: 002A0B5B
REG_BINARY, xrefs: 002A0DD8
REG_EXPAND_SZ, xrefs: 002A0ABA

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 8944adfbed5000d777257705bf2a4647f1a67f014fb8e4d51ad39137e9c1014f
Instruction ID: f086834438883f58005c0c7149d9737452c83dbd7e27d973e6c886474215710d
Opcode Fuzzy Hash: 8944adfbed5000d777257705bf2a4647f1a67f014fb8e4d51ad39137e9c1014f
Instruction Fuzzy Hash: 5A025B75620611AFDB14DF64D885E2AB7E5EF89320F04885DF8899B362CB31ED60CF81

Function 00236841 Relevance: 24.6, Strings: 19, Instructions: 889COMMON

Download Yara Rule

Strings

Oa#, xrefs: 002717BB, 00271862, 0027190A
UCP), xrefs: 00271463
UTF16), xrefs: 00271425
0D,, xrefs: 00236893
LF), xrefs: 002715FA
CRLF), xrefs: 00271617
BSR_ANYCRLF), xrefs: 00271674
LIMIT_RECURSION=, xrefs: 00271552
ANY), xrefs: 00271634
0F,, xrefs: 002368A7
ANYCRLF), xrefs: 00271651
CR), xrefs: 002715DD
BSR_UNICODE), xrefs: 0027168E
NO_START_OPT), xrefs: 002714A5
NO_AUTO_POSSESS), xrefs: 00271484
UTF), xrefs: 00271450
0E,, xrefs: 0023689D
LIMIT_MATCH=, xrefs: 002714C6
pG,, xrefs: 002368B1

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID:
String ID: 0D,$0E,$0F,$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$Oa#$UCP)$UTF)$UTF16)$pG,
API String ID: 0-1382947706
Opcode ID: d56f02d9770bd4023c24c36b0cfb8439381178fa52f610fc2d6f9b65a81d52f0
Instruction ID: ee319d9b4dbb30b9d298cb9eacfbdc044bd74a204b0d212c2548df8ef29c4855
Opcode Fuzzy Hash: d56f02d9770bd4023c24c36b0cfb8439381178fa52f610fc2d6f9b65a81d52f0
Instruction Fuzzy Hash: 0F7271B5E2021ADBDB14CF59C8547AEB7B9FF44710F14816AE809EB290EB709DA1CF50

Function 0028F17E Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0028F19F
_wcscmp.LIBCMT ref: 0028F1B4
_wcscmp.LIBCMT ref: 0028F1CB

Part of subcall function 002843C6: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 002843E1

FindNextFileW.KERNEL32(00000000,?), ref: 0028F1FA
FindClose.KERNEL32(00000000), ref: 0028F205
FindFirstFileW.KERNEL32(*.*,?), ref: 0028F221
_wcscmp.LIBCMT ref: 0028F248
_wcscmp.LIBCMT ref: 0028F25F
SetCurrentDirectoryW.KERNEL32(?), ref: 0028F271
SetCurrentDirectoryW.KERNEL32(002D8920), ref: 0028F28F
FindNextFileW.KERNEL32(00000000,00000010), ref: 0028F299
FindClose.KERNEL32(00000000), ref: 0028F2A6
FindClose.KERNEL32(00000000), ref: 0028F2B8

Strings

*.*, xrefs: 0028F21C

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: c46def5e543fb2878e6d44cf3bbceb650ed95d4b7bb3a9e09ba6a949687dddf3
Instruction ID: 0129d99352675cede6dbe135c4a2f766a318138f5e703476af2a31a38d47150a
Opcode Fuzzy Hash: c46def5e543fb2878e6d44cf3bbceb650ed95d4b7bb3a9e09ba6a949687dddf3
Instruction Fuzzy Hash: DD31F33A51221A6BDB50EFA4ED58BDE73AC9F06320F1041B1EC44A32E0DB30DE65CB64

Function 0028A279 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0028A299
__swprintf.LIBCMT ref: 0028A2BB
CreateDirectoryW.KERNEL32(?,00000000), ref: 0028A2F8
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0028A31D
_memset.LIBCMT ref: 0028A33C
_wcsncpy.LIBCMT ref: 0028A378
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0028A3AD
CloseHandle.KERNEL32(00000000), ref: 0028A3B8
RemoveDirectoryW.KERNEL32(?), ref: 0028A3C1
CloseHandle.KERNEL32(00000000), ref: 0028A3CB

Strings

\, xrefs: 0028A2D1
\??\%s, xrefs: 0028A2B5
:, xrefs: 0028A2DC

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: f88163a67cee3da535cb7e54c55b64577a9a32cd44461980159bd9e6c1b1d3fb
Instruction ID: dcd4e827fb708099c592ce9adf94783ddfa9e5658eb0c29171b1dc5571454fbd
Opcode Fuzzy Hash: f88163a67cee3da535cb7e54c55b64577a9a32cd44461980159bd9e6c1b1d3fb
Instruction Fuzzy Hash: 8C31D47591010AABEB21EFA0DC49FEB73BCEF89700F1040B6F908D21A0EB7496548B24

Function 002781D4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0027852A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00278546
Part of subcall function 0027852A: GetLastError.KERNEL32(?,0027800A,?,?,?), ref: 00278550
Part of subcall function 0027852A: GetProcessHeap.KERNEL32(00000008,?,?,0027800A,?,?,?), ref: 0027855F
Part of subcall function 0027852A: HeapAlloc.KERNEL32(00000000,?,0027800A,?,?,?), ref: 00278566
Part of subcall function 0027852A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0027857D

Part of subcall function 002785C7: GetProcessHeap.KERNEL32(00000008,00278020,00000000,00000000,?,00278020,?), ref: 002785D3
Part of subcall function 002785C7: HeapAlloc.KERNEL32(00000000,?,00278020,?), ref: 002785DA
Part of subcall function 002785C7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00278020,?), ref: 002785EB

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00278238
_memset.LIBCMT ref: 0027824D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0027826C
GetLengthSid.ADVAPI32(?), ref: 0027827D
GetAce.ADVAPI32(?,00000000,?), ref: 002782BA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 002782D6
GetLengthSid.ADVAPI32(?), ref: 002782F3
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00278302
HeapAlloc.KERNEL32(00000000), ref: 00278309
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0027832A
CopySid.ADVAPI32(00000000), ref: 00278331
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00278362
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00278388
SetUserObjectSecurity.USER32(?,00000004,?), ref: 0027839C

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: b4f616f35e03a20d12fe569403d403531432f3b6d1cde69cde122fbebfe54790
Instruction ID: cdf05486b6c66ac471140a29db791694dcad0dd4d6dac939a322fee4b9bdafee
Opcode Fuzzy Hash: b4f616f35e03a20d12fe569403d403531432f3b6d1cde69cde122fbebfe54790
Instruction Fuzzy Hash: 8E61687195020AEFDF10CFA4DC48AEEBBB9FF05701F048169F919A6291DB359A25CB60

Function 002A0465 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 002A0EA5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0029FE38,?,?), ref: 002A0EBC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002A0537

Part of subcall function 00229997: __itow.LIBCMT ref: 002299C2
Part of subcall function 00229997: __swprintf.LIBCMT ref: 00229A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 002A05D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 002A066E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 002A08AD
RegCloseKey.ADVAPI32(00000000), ref: 002A08BA

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: c2c2e36fdd6b618eb0b3e368bd466100341ed0b63bcbef8dbe08aebf2457c906
Instruction ID: 41f6d37ec1d3bd750d1fec12b2e7061ba83fb75ad13a5f1162b0e17f45aa885c
Opcode Fuzzy Hash: c2c2e36fdd6b618eb0b3e368bd466100341ed0b63bcbef8dbe08aebf2457c906
Instruction Fuzzy Hash: 99E17B30624211AFCB14DF69D885E2ABBE4EF89714F04886DF44ACB262DA34ED54CF91

Function 00234140 Relevance: 16.9, APIs: 1, Strings: 8, Instructions: 1132COMMON

Download Yara Rule

Strings

Oa#, xrefs: 00234984, 002680A2
VUUU, xrefs: 002344ED
VUUU, xrefs: 002344DB
0D,, xrefs: 0023446C
0D,, xrefs: 00234392
VUUU, xrefs: 00234520
VUUU, xrefs: 00267A3B
ERCP, xrefs: 0023421F

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID:
String ID: 0D,$0D,$ERCP$Oa#$VUUU$VUUU$VUUU$VUUU
API String ID: 0-2260198032
Opcode ID: 6547d38738e01a4bcf0760f92383ef7b660a6171d9f48967b505b9b4c854a248
Instruction ID: 64c9ad31db88190384362d074c00f708e7aa776244e885baa314027117af939f
Opcode Fuzzy Hash: 6547d38738e01a4bcf0760f92383ef7b660a6171d9f48967b505b9b4c854a248
Instruction Fuzzy Hash: B7A2A0B0E2421ACBDF24DF58C9807ADB7B1BB54314F2482EAD855A7280D770AEE5CF50

Function 0028003A Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00280062
GetAsyncKeyState.USER32(000000A0), ref: 002800E3
GetKeyState.USER32(000000A0), ref: 002800FE
GetAsyncKeyState.USER32(000000A1), ref: 00280118
GetKeyState.USER32(000000A1), ref: 0028012D
GetAsyncKeyState.USER32(00000011), ref: 00280145
GetKeyState.USER32(00000011), ref: 00280157
GetAsyncKeyState.USER32(00000012), ref: 0028016F
GetKeyState.USER32(00000012), ref: 00280181
GetAsyncKeyState.USER32(0000005B), ref: 00280199
GetKeyState.USER32(0000005B), ref: 002801AB

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: fc9e14bd6ef350d6a061db313ab1f86286026ee0a77cc660ab2e5f499b8591c4
Instruction ID: 171cc19a81583c15c65ddab0259771729331decda45681b0d28e34fc56a39fd5
Opcode Fuzzy Hash: fc9e14bd6ef350d6a061db313ab1f86286026ee0a77cc660ab2e5f499b8591c4
Instruction Fuzzy Hash: C341DE289157CB5EFFB06E6088983B5BEA0AF12350F44405AD5C9465C2DB949DECC792

Function 0029427A Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 002942A1
EmptyClipboard.USER32 ref: 002942A7
GlobalAlloc.KERNEL32(00000002,?), ref: 002942BC
CloseClipboard.USER32 ref: 0029435B

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 49c90f4b3ea0d2d7629ede012a4c59fd4dfde0813841110a60bc574d5060b781
Instruction ID: ec6afd79cadbe84be3dd79aba88a227d486ac3d0dd3fc8717a71f18d1cc70812
Opcode Fuzzy Hash: 49c90f4b3ea0d2d7629ede012a4c59fd4dfde0813841110a60bc574d5060b781
Instruction Fuzzy Hash: E921A035620621AFDB10AFA0ED4DF6D7BA8EF05710F14802AF946DB2A1DB74AC11CF54

Function 00283833 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 002248AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002248A1,?,?,002237C0,?), ref: 002248CE

Part of subcall function 00284AD8: GetFileAttributesW.KERNEL32(?,0028374F), ref: 00284AD9

FindFirstFileW.KERNEL32(?,?), ref: 002838E7
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 0028398F
MoveFileW.KERNEL32(?,?), ref: 002839A2
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 002839BF
FindNextFileW.KERNEL32(00000000,00000010), ref: 002839E1
FindClose.KERNEL32(00000000,?,?,?,?), ref: 002839FD

Strings

\*.*, xrefs: 00283892, 0028389B, 002838B0

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: bee33ef104773f8bba8dda449f492c63724e2b7483e4abdda36405bf4176c784
Instruction ID: a671baa60b43ae5e1db5083f59ff4ddc3e8a0ee60f8234f8e35344582a3862f0
Opcode Fuzzy Hash: bee33ef104773f8bba8dda449f492c63724e2b7483e4abdda36405bf4176c784
Instruction Fuzzy Hash: 59518E35816129AACF15FBE0EE929EDB7B8AF14300F644169E44277191EF706F29CF60

Function 0028F47F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00227F41: _memmove.LIBCMT ref: 00227F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0028F4CC
Sleep.KERNEL32(0000000A), ref: 0028F4FC
_wcscmp.LIBCMT ref: 0028F510
_wcscmp.LIBCMT ref: 0028F52B
FindNextFileW.KERNEL32(?,?), ref: 0028F5C9
FindClose.KERNEL32(00000000), ref: 0028F5DF

Strings

*.*, xrefs: 0028F4B1

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: cb24221dc48b7f79d7bbf6d2370bf2d031318e34d63bc7cf9c34ea724f7e6c21
Instruction ID: ad42352dc7e71b0699d2949d04d9affc2cedce84bc633e761ad04e26d1de78fe
Opcode Fuzzy Hash: cb24221dc48b7f79d7bbf6d2370bf2d031318e34d63bc7cf9c34ea724f7e6c21
Instruction Fuzzy Hash: 5741C07582121AABCF50EFA0DD48AEEBBB4FF05310F544066E814A3291EB349E64CF90

Function 002358C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00235A05
_memmove.LIBCMT ref: 00235A55
_memmove.LIBCMT ref: 00235ABB

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 7b0f1a676418fd9d26d2578f3848f21dd1ea6c555533c13b6ba8dd4dfe5ce7fb
Instruction ID: 4ea674480ae1e2269d3599ac3ad28586c8a7b65e56c9ad2a17a73bc2fe51bfd2
Opcode Fuzzy Hash: 7b0f1a676418fd9d26d2578f3848f21dd1ea6c555533c13b6ba8dd4dfe5ce7fb
Instruction Fuzzy Hash: 2912AEB0A20619EFDF14CFA5D981AEEB3F5FF48304F108569E40AA7251EB35AD25CB50

Function 00235680 Relevance: 11.0, APIs: 5, Strings: 1, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00240F36: std::exception::exception.LIBCMT ref: 00240F6C
Part of subcall function 00240F36: __CxxThrowException@8.LIBCMT ref: 00240F81

_memmove.LIBCMT ref: 002705AE
_memmove.LIBCMT ref: 002706C3
_memmove.LIBCMT ref: 0027076A

Strings

yZ#, xrefs: 00270800, 0027077E

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID: yZ#
API String ID: 1300846289-1179799137
Opcode ID: c91bf47b097f77d8e5dfccbfdc0c9885ab92d60c15508837b5f85edbf1b38ea0
Instruction ID: 791dc4be2b5b7935011bc454fb55b1d0fe19e57497e55cb60612e42d430086de
Opcode Fuzzy Hash: c91bf47b097f77d8e5dfccbfdc0c9885ab92d60c15508837b5f85edbf1b38ea0
Instruction Fuzzy Hash: 7902BEB0A20219DBDF08DF64D981AAEBBB5EF44300F55C069E80ADB255EB30DD65CF91

Function 00285264 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00278AA3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00278AED
Part of subcall function 00278AA3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00278B1A
Part of subcall function 00278AA3: GetLastError.KERNEL32 ref: 00278B27

ExitWindowsEx.USER32(?,00000000), ref: 002852A0

Strings

, xrefs: 0028528E
SeShutdownPrivilege, xrefs: 00285270
@, xrefs: 00285293

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 97ecd5cf7d5b1be1e1b8c080336af7aaa47a3d185dea20239f33f7b1945bb443
Instruction ID: 6ab2729da46f944d0bbeeac53f8154d84ae9c9a2e7337330673bd7d3d260408f
Opcode Fuzzy Hash: 97ecd5cf7d5b1be1e1b8c080336af7aaa47a3d185dea20239f33f7b1945bb443
Instruction Fuzzy Hash: BE014C386B26266BF7283A78AC4BBB67258EB06741F240122FC07D10D6DEA01C204790

Function 00233190 Relevance: 9.3, APIs: 4, Strings: 1, Instructions: 587COMMON

Download Yara Rule

Strings

Oa#, xrefs: 00233482

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: __itow__swprintf
String ID: Oa#
API String ID: 674341424-1510357115
Opcode ID: 4f8df1ca03b6c1b88be16e0558e79c49e66fc64402504995839fd3d2a2ad45a9
Instruction ID: 998351eb48c3318a5e3e9335b0d85fff2616ed6c9abc66912769ce889e64ea3f
Opcode Fuzzy Hash: 4f8df1ca03b6c1b88be16e0558e79c49e66fc64402504995839fd3d2a2ad45a9
Instruction Fuzzy Hash: DB22ADB16283119FC724DF54D881B6BB7E4BF88304F50491DF89A97291DB70EA64CF92

Function 00296399 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 002963F2
WSAGetLastError.WSOCK32(00000000), ref: 00296401
bind.WSOCK32(00000000,?,00000010), ref: 0029641D
listen.WSOCK32(00000000,00000005), ref: 0029642C
WSAGetLastError.WSOCK32(00000000), ref: 00296446
closesocket.WSOCK32(00000000,00000000), ref: 0029645A

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 3ac51610d01970923ae418c364a4fab5e641ef569ad307c7dba2159c8ed51838
Instruction ID: 9f684464883d3d6432b64210cf26e42bc2e89a1480c9659d1c1b689a671315c7
Opcode Fuzzy Hash: 3ac51610d01970923ae418c364a4fab5e641ef569ad307c7dba2159c8ed51838
Instruction Fuzzy Hash: 7B21E130610211AFDF20EFA4DD4AB2EB7E9EF49720F108169F85AA7391CB74AC51CB51

Function 00221287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00222612: GetWindowLongW.USER32(?,000000EB), ref: 00222623

DefDlgProcW.USER32(?,?,?,?,?), ref: 002219FA
GetSysColor.USER32(0000000F), ref: 00221A4E
SetBkColor.GDI32(?,00000000), ref: 00221A61

Part of subcall function 00221290: DefDlgProcW.USER32(?,00000020,?), ref: 002212D8

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 3dbbc6f0f23f780ef5b26a76bb6cdb165b7bec9ab82ef10e7b3a6607353a13b5
Instruction ID: d1d073db39b2d9c7e24cc135a6b41c96e5f094ef93c9bfbf426eb4ea814ff887
Opcode Fuzzy Hash: 3dbbc6f0f23f780ef5b26a76bb6cdb165b7bec9ab82ef10e7b3a6607353a13b5
Instruction Fuzzy Hash: A8A19B701315B6BFD739AEA87C49E7F355CDB6A346B240109F802D5191CEB68C30C6B5

Function 0029685D Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00297EA0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00297ECB

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 002968B4
WSAGetLastError.WSOCK32(00000000), ref: 002968DD
bind.WSOCK32(00000000,?,00000010), ref: 00296916
WSAGetLastError.WSOCK32(00000000), ref: 00296923
closesocket.WSOCK32(00000000,00000000), ref: 00296937

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: f5da5e0fea1c0c27aa856308b40fd2f885291278a45691f9424edf976bc4150a
Instruction ID: 725bd130f3ec659e2e31049af5cad18a5a5d06f5e6b7bf4de44be15c85676deb
Opcode Fuzzy Hash: f5da5e0fea1c0c27aa856308b40fd2f885291278a45691f9424edf976bc4150a
Instruction Fuzzy Hash: 2541D975A20220AFEB10AFA4EC87F6E77E5DF08710F048158F95A9B3C2DA749D508B91

Function 002A53DF Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 002A542E
IsWindowEnabled.USER32 ref: 002A543C
GetForegroundWindow.USER32(?,?,00000001), ref: 002A5449
IsIconic.USER32 ref: 002A5457
IsZoomed.USER32 ref: 002A5465

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: ce4ab9122ce56bb16dea1bd537443bf8403e8b9b9337e021f6f19ad0e6dd93b3
Instruction ID: 7cb194eff9e5edba65b4adb29561574df5f877a85ea134e18d64ac9c0bdfb3f9
Opcode Fuzzy Hash: ce4ab9122ce56bb16dea1bd537443bf8403e8b9b9337e021f6f19ad0e6dd93b3
Instruction Fuzzy Hash: CB11C831720A316FE7215F66EC48B2FB799FF4A722B044028F446D7251CF749C518A95

Function 0028C423 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0028C4BE
CoCreateInstance.OLE32(002B2D6C,00000000,00000001,002B2BDC,?), ref: 0028C4D6

Part of subcall function 00227F41: _memmove.LIBCMT ref: 00227F82

CoUninitialize.OLE32 ref: 0028C743

Strings

.lnk, xrefs: 0028C452, 0028C47A, 0028C484

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 6a4bd7e6085ff9a7d948bc40c76a841b356207eb730e463973877140661e5ca0
Instruction ID: 866b06940ac974860815ec12b01fcf9cd53adb09df4c58a3c9e11e9e1981edd7
Opcode Fuzzy Hash: 6a4bd7e6085ff9a7d948bc40c76a841b356207eb730e463973877140661e5ca0
Instruction Fuzzy Hash: 35A13B71118315AFD700EF94D892EABB7ECEF85304F00496CF15697192EB70EA59CB62

Function 0029C104 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00261CB7,?), ref: 0029C112
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0029C124

Strings

GetSystemWow64DirectoryW, xrefs: 0029C11E
kernel32.dll, xrefs: 0029C10D

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 82da66ba92d9c6dac12c0efa9532cebac0c29c765ad9e05eec37bb0e45cb5f64
Instruction ID: 3f4fe2a80df9eb7209e4fce26b93f72ce80987c0546d127a3024c4a673105efe
Opcode Fuzzy Hash: 82da66ba92d9c6dac12c0efa9532cebac0c29c765ad9e05eec37bb0e45cb5f64
Instruction Fuzzy Hash: F4E0C278220723CFDF605F65D808A4276E8EF0A349B508439EC8DC2250EB78C890CB24

Function 0029EF21 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0029EF51
Process32FirstW.KERNEL32(00000000,?), ref: 0029EF5F

Part of subcall function 00227F41: _memmove.LIBCMT ref: 00227F82

Process32NextW.KERNEL32(00000000,?), ref: 0029F01F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0029F02E

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 15f1fa955c589f0f9027fbf0305f5de80b1b2ccc5fe3b33ef6a5761d323bb0d5
Instruction ID: 566ac01e82fda0400a48c2fb93c1cc43861e91b0e87796de4d2d46e080cc91cb
Opcode Fuzzy Hash: 15f1fa955c589f0f9027fbf0305f5de80b1b2ccc5fe3b33ef6a5761d323bb0d5
Instruction Fuzzy Hash: 17516E71518321AFD710EF64EC86E6BB7E8FF88710F10482DF49597251EB70A914CB92

Function 0027E928 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 0027E93A

Strings

|, xrefs: 0027E96A
(, xrefs: 0027E980

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 96ded2238f8f59ae738b8874cdb0de88cf7ba1c7bf3fb2d945fc4be9d59f0207
Instruction ID: 2c32103a52fcfcd9835b397100643214c90295feb685f6af9b486b75ae348bc6
Opcode Fuzzy Hash: 96ded2238f8f59ae738b8874cdb0de88cf7ba1c7bf3fb2d945fc4be9d59f0207
Instruction Fuzzy Hash: 26323675A10605DFCB28CF29C48196AB7F0FF48320B16C5AEE59ADB3A1E770E951CB50

Function 00292404 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00291920,00000000), ref: 002924F7
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 0029252E

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: fb7a957c78bac619ea6c7541943d07ca7950350ed6a68741e6eb35945586c23b
Instruction ID: f180b612b6eb584f68f891b73e39b5083bb8e1fbe2c48e978a227e10bb7517f2
Opcode Fuzzy Hash: fb7a957c78bac619ea6c7541943d07ca7950350ed6a68741e6eb35945586c23b
Instruction Fuzzy Hash: AD41087552030AFFEF24DE95DC85EBFB7BCEB40324F50406EF605A6141DAB09E689A60

Function 0028B3BF Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0028B3CF
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0028B429
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0028B476

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: e57e5376df2fbda3408507e8cb05cd3e7586b44ca3eaa197a8dca553beab259d
Instruction ID: 281cef032f83f7f326c98fa6d7e80b686af1870bf34ec51c0960f0440b16d830
Opcode Fuzzy Hash: e57e5376df2fbda3408507e8cb05cd3e7586b44ca3eaa197a8dca553beab259d
Instruction Fuzzy Hash: 75216035A10618EFCB00EFA5E885AADBBB8FF49310F1480A9E905AB351DB319955CF51

Function 00278AA3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00240F36: std::exception::exception.LIBCMT ref: 00240F6C
Part of subcall function 00240F36: __CxxThrowException@8.LIBCMT ref: 00240F81

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00278AED
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00278B1A
GetLastError.KERNEL32 ref: 00278B27

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 6b725ec89b5b46ff2a33ee47dcf84f3443eccf44e8800890c67e35fbd8c97078
Instruction ID: 6300a55148fec1a0a0576550954b45399b8efeffd0fccc56e9c8ca9d8419838e
Opcode Fuzzy Hash: 6b725ec89b5b46ff2a33ee47dcf84f3443eccf44e8800890c67e35fbd8c97078
Instruction Fuzzy Hash: A311BFB1524205AFD7289F64ECC9D2BB7BCFB44314B21C16EF44993641EF70AC50CA60

Function 00284A08 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00284A31
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00284A48
FreeSid.ADVAPI32(?), ref: 00284A58

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 3353e599f8b4f716250c2ddff0943970c9d6ba13be2a1f59d324ba91470cd9f6
Instruction ID: 62dea7acc1294d3bf312f0d829d7b45509a05bc589f0d6eb8aa58489d83b0000
Opcode Fuzzy Hash: 3353e599f8b4f716250c2ddff0943970c9d6ba13be2a1f59d324ba91470cd9f6
Instruction Fuzzy Hash: B1F04975A5130DBFDF04DFF0DD89AAEBBBCEF08201F0044A9A901E2281E6746A048B50

Function 00288932 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00288944

Part of subcall function 0024537A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00289017,00000000,?,?,?,?,002891C8,00000000,?), ref: 00245383
Part of subcall function 0024537A: __aulldiv.LIBCMT ref: 002453A3

Strings

0e., xrefs: 0028893B

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: 0e.
API String ID: 2893107130-527871663
Opcode ID: 13c8b8e086ba30228439d201f2a351f9f93b4a6b6601785d36cee9117c74ad41
Instruction ID: f2d7aa6b60b0a63dbc5cb3295ee34bbd32a92c617245a413679baf597dc9bea0
Opcode Fuzzy Hash: 13c8b8e086ba30228439d201f2a351f9f93b4a6b6601785d36cee9117c74ad41
Instruction Fuzzy Hash: D421E436635610CBC729CF25D885A62B3E1EBA5310F688E6CD1E5CF2C0CA34B905CB50

Function 0022E060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0caa911734e7b1598e08152c1dc8cbcd7d2974d700819147a84a9aac9e974d24
Instruction ID: e832a9652d8945674af3a884525fbf87571598ec7c5e5b6e7920c0816d3c479e
Opcode Fuzzy Hash: 0caa911734e7b1598e08152c1dc8cbcd7d2974d700819147a84a9aac9e974d24
Instruction Fuzzy Hash: 5B22DF70920226EFDF24DF94E480ABEB7B0FF14300F158169E856AB341E774ADA5DB91

Function 0028C75D Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0028C787
FindClose.KERNEL32(00000000), ref: 0028C7B7

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 42c04c604be9d1472d616da3496471d400d07b2f46622c504672ac04bcf9b9f9
Instruction ID: 9c1599768bb48dd4d82096ddfdc5d5580fdaf3c7e93ab433a49bcc984384e1a7
Opcode Fuzzy Hash: 42c04c604be9d1472d616da3496471d400d07b2f46622c504672ac04bcf9b9f9
Instruction Fuzzy Hash: 5611A1366206109FD710EF69D849A2AF7E8FF84320F10851EF9A9D7290DB70AC10CF91

Function 0028A0F4 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0029957D,?,002AFB84,?), ref: 0028A121
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0029957D,?,002AFB84,?), ref: 0028A133

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 4d38106462094063b3898bc11d2a1e2312c9c1a340312d2d75ee9d58f954998b
Instruction ID: 9ea18ba950867de6ed03f428f3be72c26c35acf3a74c56004f6b27494fb9d14b
Opcode Fuzzy Hash: 4d38106462094063b3898bc11d2a1e2312c9c1a340312d2d75ee9d58f954998b
Instruction Fuzzy Hash: 06F0E23511522DBBDB10AFA4DC4CFEA736CFF09362F004166B909D2180DA709910CFA1

Function 002784F3 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00278631), ref: 00278508
CloseHandle.KERNEL32(?,?,00278631), ref: 0027851A

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 2281db37e0131ac95b27e0e072fcfc7dc377a42cc3fd7052e65e14ac7cc039d0
Instruction ID: 58792200f9aec3e5d1e282db214ebc1bf09c720b0ffc4a2909a2d50b5095d51d
Opcode Fuzzy Hash: 2281db37e0131ac95b27e0e072fcfc7dc377a42cc3fd7052e65e14ac7cc039d0
Instruction Fuzzy Hash: 7AE04632024600AFEB252F61FC08D777BA9EB403107118829B59680830EF32ACA0DF50

Function 0024A2D5 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00248ED7,?,?,?,00000001), ref: 0024A2DA
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0024A2E3

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b22de4b31e5334e4d80095ff8a45bd4739bf92b68c9e3cd3f5afbc837c6c8822
Instruction ID: b7cc874f780bd806d4d3aac185dfec545841f66a461a3e9601a05e19b8b1bcf4
Opcode Fuzzy Hash: b22de4b31e5334e4d80095ff8a45bd4739bf92b68c9e3cd3f5afbc837c6c8822
Instruction Fuzzy Hash: CBB09231054248ABCF802BD1FD5DB883F68EB46AA2F4040A0FE0D84060CFA654508A91

Function 0024F359 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee84a043ae0dc89b2d39d9f8b43855d8d57259d0146dc125ccf710a08fc13e63
Instruction ID: 2b30f30d87dd9405645f9600a5be5926d229c130459ece33beda127fe622b220
Opcode Fuzzy Hash: ee84a043ae0dc89b2d39d9f8b43855d8d57259d0146dc125ccf710a08fc13e63
Instruction Fuzzy Hash: 77321322D39F014DDB679A34D976336A288AFF73C8F15D737E819B59A6EB28C4834100

Function 002525AE Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 187b8e62ddd248ae54e50e8553184895a9b6ff8e2f0ed9dd75667e67d747c46e
Instruction ID: 84f153febb6526c10a26d8b35594b98115755e2c7c3c2da6feebdcbc37e5e40c
Opcode Fuzzy Hash: 187b8e62ddd248ae54e50e8553184895a9b6ff8e2f0ed9dd75667e67d747c46e
Instruction Fuzzy Hash: EDB10030D2AF404DD32396399839336BA9CAFBB2C5F51D71BFC2674D62EB2285834141

Function 0029401F Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0029403A

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: cd82b34e2f7606b7aca14ef77eacd9be71ccd7ca57eebad1bc079d457756c6c9
Instruction ID: 0bcea9f1c04c264ece99f41fabaf012e6ce60410319043eeaafcce89ef8c3448
Opcode Fuzzy Hash: cd82b34e2f7606b7aca14ef77eacd9be71ccd7ca57eebad1bc079d457756c6c9
Instruction Fuzzy Hash: B3E04832224214AFD714AF99E405E56FBDCAF64764F008016FD49C7351DAB0E8518F90

Function 00284CFA Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00284D1D

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 06cc7b8e86b1b6403ecd5a3b81a90c962a637206fbca3a740857954d76c1b17a
Instruction ID: 08791e58b00bcfb13eef1f7a874d25d4ed727d946959edae17ef506e721f9ff0
Opcode Fuzzy Hash: 06cc7b8e86b1b6403ecd5a3b81a90c962a637206fbca3a740857954d76c1b17a
Instruction Fuzzy Hash: E3D05EAC1322073BFC2C3F209C1FB768208F304782FE4014A3A02860C5A8E86860A635

Function 00278A73 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,002786B1), ref: 00278A93

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: a171f091d7f0dc157497327be9c8746790c00852295ebd717306679e9a7b4313
Instruction ID: 02cd9f60955bdb8cebf36a94d580f3c453d99ed19d558e3b2546c681b8267b1e
Opcode Fuzzy Hash: a171f091d7f0dc157497327be9c8746790c00852295ebd717306679e9a7b4313
Instruction Fuzzy Hash: 68D05E322A050EABEF018EA4ED05EAE3B69EB04B01F408111FE15C50A1C775D835AB60

Function 0026215F Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00262171

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 4d771b57cf188e4b9c212e3c51b505a3e38c1ea73504993da037987109865221
Instruction ID: 00ea6da7d744454cc05412ab11801d97bc0f47433b50da71124f9f9a668e01ac
Opcode Fuzzy Hash: 4d771b57cf188e4b9c212e3c51b505a3e38c1ea73504993da037987109865221
Instruction Fuzzy Hash: 79C04CF1811509DBCB05DBD0DA88DEE77BCAB04304F144055A141F2140DB749B54CB71

Function 0024A2A4 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0024A2AA

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 05cf3e9e2f18522e0a08a53bc517562030564026c753fc19834728f37967e3b8
Instruction ID: a261f84168f0aacd18aae51c3e6d5212deb44b0a8f83587bfa15c66fd7a32f68
Opcode Fuzzy Hash: 05cf3e9e2f18522e0a08a53bc517562030564026c753fc19834728f37967e3b8
Instruction Fuzzy Hash: 5BA0113000020CAB8F002B82FC08888BFACEA022A0B0080A0FC0C800228B32A8208A80

Function 00238968 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e67ca7ace6ba025742a870e5414d6c759fb157f1850ec8ebb57713b7845da37e
Instruction ID: c9f998e3b5b5395d717858131eedbc14ef140b0c2d39ae7906be8de21a2b05c9
Opcode Fuzzy Hash: e67ca7ace6ba025742a870e5414d6c759fb157f1850ec8ebb57713b7845da37e
Instruction Fuzzy Hash: 9C22D3B09347678BDF288E28C49467CF7A2FB01308F68846AE859DF591DBB49DA1C650

Function 00242345 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 96e0ea622f540c7ccf52dac1c2f5fbb3e947c6fb1c37025a22e7785b4c8d34c7
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: DDC1953222519349DB2D8A3A843413EFEA15AA27B239B075DF4B3DB4D4EF10C57DDA20

Function 0024277A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 16824160fad1194b4655bd35a2855b1dd80c0f5f83503909a86551d446c162fe
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 23C185322251A349DB2D4A3A843413EBFA15AA27B239B075DF8B2DB5C4EF10C57DD620

Function 0123FEC0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1664843641.000000000123C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0123C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_123c000_z25RFQ945894-PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 92cd4e4ad86d45d1ad92e00e17f5e6a286161efc58eea21cc6ac88df1007f561
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 7241D571D1051CEBCF48CFADC991AEEBBF1AF88201F548299D516AB345D730AB41DB80

Function 0123FDB0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1664843641.000000000123C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0123C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_123c000_z25RFQ945894-PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: ac81a2370ff459f1bd1b08d803a75857a7353703d26d4d94218e274f6a4292d5
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: B60180B9E10209EFCB44DF98D6949AEF7B5FB88210B208599E919A7701D730AE41DB81

Function 0123FD50 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1664843641.000000000123C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0123C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_123c000_z25RFQ945894-PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 9bb54af2242bba8068c13fef52c45e2b9357c7c5c689760d7184312a5f43e861
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: F1018078E10209EFCB48DF98D6949AEF7B5FB88210B208599D919A7301D730AE41DB81

Function 0123E6E0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1664843641.000000000123C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0123C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_123c000_z25RFQ945894-PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 0029791B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00297970
DeleteObject.GDI32(00000000), ref: 00297982
DestroyWindow.USER32 ref: 00297990
GetDesktopWindow.USER32 ref: 002979AA
GetWindowRect.USER32(00000000), ref: 002979B1
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00297AF2
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00297B02
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00297B4A
GetClientRect.USER32(00000000,?), ref: 00297B56
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00297B90
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00297BB2
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00297BC5
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00297BD0
GlobalLock.KERNEL32(00000000), ref: 00297BD9
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00297BE8
GlobalUnlock.KERNEL32(00000000), ref: 00297BF1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00297BF8
GlobalFree.KERNEL32(00000000), ref: 00297C03
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00297C15
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,002B2CAC,00000000), ref: 00297C2B
GlobalFree.KERNEL32(00000000), ref: 00297C3B
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00297C61
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00297C80
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00297CA2
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00297E8F

Strings

, xrefs: 00297E15
static, xrefs: 00297B8A, 00297CE1
AutoIt v3, xrefs: 00297B42
DISPLAY, xrefs: 00297CF2

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 9371f96e185591d8ee684714a4fbee4219432585adbb0a40d4a9961ea3fa919b
Instruction ID: 818b2e9814ea7d60431c1c9ea8ae1ba55cef7f416d43ba342a7a3b2280224a56
Opcode Fuzzy Hash: 9371f96e185591d8ee684714a4fbee4219432585adbb0a40d4a9961ea3fa919b
Instruction Fuzzy Hash: EC027971920215EFDF14DFA4ED89EAEBBB9EF49310F008159F915AB2A1CB349D50CB60

Function 002A35D4 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,002AF910), ref: 002A3690
IsWindowVisible.USER32(?), ref: 002A36B4

Strings

ADDSTRING, xrefs: 002A377F
ISCHECKED, xrefs: 002A38A2
SELECTSTRING, xrefs: 002A386F
GETCURRENTLINE, xrefs: 002A3956
GETSELECTED, xrefs: 002A390C
UNCHECK, xrefs: 002A38EC
TABRIGHT, xrefs: 002A3706
GETCURRENTCOL, xrefs: 002A3991
GETLINECOUNT, xrefs: 002A392F
CURRENTTAB, xrefs: 002A3726
SETCURRENTSELECTION, xrefs: 002A381F
GETLINE, xrefs: 002A3A04
TABLEFT, xrefs: 002A36F0
EDITPASTE, xrefs: 002A39C8
HIDEDROPDOWN, xrefs: 002A3769
SHOWDROPDOWN, xrefs: 002A3749
FINDSTRING, xrefs: 002A37DF
SENDCOMMANDID, xrefs: 002A3A43
ISVISIBLE, xrefs: 002A36A0
CHECK, xrefs: 002A38D6
GETCURRENTSELECTION, xrefs: 002A384C
ISENABLED, xrefs: 002A36D4
DELSTRING, xrefs: 002A37B2

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: b5b66d0cc3ce2047b58062f7496954e2769eefbf2e57faced75cd0dcec326325
Instruction ID: ecff4acf29d10b04fea4eb8e1e214d7f5b7c1f6c01f060ddaaeb3027da4fdbc6
Opcode Fuzzy Hash: b5b66d0cc3ce2047b58062f7496954e2769eefbf2e57faced75cd0dcec326325
Instruction Fuzzy Hash: 57D181302343119BCB14EF50C4D1A6AB7A5AF96750F148859F8865B3A3CF71DEAACF81

Function 002AA60C Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 002AA662
GetSysColorBrush.USER32(0000000F), ref: 002AA693
GetSysColor.USER32(0000000F), ref: 002AA69F
SetBkColor.GDI32(?,000000FF), ref: 002AA6B9
SelectObject.GDI32(?,00000000), ref: 002AA6C8
InflateRect.USER32(?,000000FF,000000FF), ref: 002AA6F3
GetSysColor.USER32(00000010), ref: 002AA6FB
CreateSolidBrush.GDI32(00000000), ref: 002AA702
FrameRect.USER32(?,?,00000000), ref: 002AA711
DeleteObject.GDI32(00000000), ref: 002AA718
InflateRect.USER32(?,000000FE,000000FE), ref: 002AA763
FillRect.USER32(?,?,00000000), ref: 002AA795
GetWindowLongW.USER32(?,000000F0), ref: 002AA7C0

Part of subcall function 002AA8FC: GetSysColor.USER32(00000012), ref: 002AA935
Part of subcall function 002AA8FC: SetTextColor.GDI32(?,?), ref: 002AA939
Part of subcall function 002AA8FC: GetSysColorBrush.USER32(0000000F), ref: 002AA94F
Part of subcall function 002AA8FC: GetSysColor.USER32(0000000F), ref: 002AA95A
Part of subcall function 002AA8FC: GetSysColor.USER32(00000011), ref: 002AA977
Part of subcall function 002AA8FC: CreatePen.GDI32(00000000,00000001,00743C00), ref: 002AA985
Part of subcall function 002AA8FC: SelectObject.GDI32(?,00000000), ref: 002AA996
Part of subcall function 002AA8FC: SetBkColor.GDI32(?,00000000), ref: 002AA99F
Part of subcall function 002AA8FC: SelectObject.GDI32(?,?), ref: 002AA9AC
Part of subcall function 002AA8FC: InflateRect.USER32(?,000000FF,000000FF), ref: 002AA9CB
Part of subcall function 002AA8FC: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002AA9E2
Part of subcall function 002AA8FC: GetWindowLongW.USER32(00000000,000000F0), ref: 002AA9F7
Part of subcall function 002AA8FC: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 002AAA1F

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: bf0e98ccee95de9e4222e735e4ad5d7e705b31dec3aaea66fa17e776d830f253
Instruction ID: 0d109e759a6caa93b3d22254a3d1f3473a71c4f977d474a9568d6f632bbebd4c
Opcode Fuzzy Hash: bf0e98ccee95de9e4222e735e4ad5d7e705b31dec3aaea66fa17e776d830f253
Instruction Fuzzy Hash: 28917E71418301EFCB509FA4ED4CA5BBBA9FF8A321F100B29F5A2961A0DB75D944CF52

Function 00222C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00222CA2
DeleteObject.GDI32(00000000), ref: 00222CE8
DeleteObject.GDI32(00000000), ref: 00222CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00222CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00222D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 0025C5BB
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0025C5F4
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0025CA1D

Part of subcall function 00221B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00222036,?,00000000,?,?,?,?,002216CB,00000000,?), ref: 00221B9A

SendMessageW.USER32(?,00001053), ref: 0025CA5A
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0025CA71
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0025CA87
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0025CA92

Strings

0, xrefs: 0025C8B1

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: a8e6f8a61d2eb0cda6e80c7f6b646ab4a2df23f5d10abc5c915845b8fb079a3e
Instruction ID: 19fd8eed2124734bbe9fdeb3a175a44105b3ee0b804aea91074732dc2874caf1
Opcode Fuzzy Hash: a8e6f8a61d2eb0cda6e80c7f6b646ab4a2df23f5d10abc5c915845b8fb079a3e
Instruction Fuzzy Hash: 7412C030520212EFCB11CF24D888BA9B7E5FF09311F644569F895DB262DB31E869CF94

Function 002975C0 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 002975F3
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 002976B2
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 002976F0
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00297702
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00297748
GetClientRect.USER32(00000000,?), ref: 00297754
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00297798
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 002977A7
GetStockObject.GDI32(00000011), ref: 002977B7
SelectObject.GDI32(00000000,00000000), ref: 002977BB
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 002977CB
GetDeviceCaps.GDI32(00000000,0000005A), ref: 002977D4
DeleteDC.GDI32(00000000), ref: 002977DD
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00297809
SendMessageW.USER32(00000030,00000000,00000001), ref: 00297820
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 0029785B
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0029786F
SendMessageW.USER32(00000404,00000001,00000000), ref: 00297880
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 002978B0
GetStockObject.GDI32(00000011), ref: 002978BB
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 002978C6
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 002978D0

Strings

static, xrefs: 00297792, 002978AA
msctls_progress32, xrefs: 00297851
AutoIt v3, xrefs: 00297740
DISPLAY, xrefs: 0029779D

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 5f455d9638c6067f009f4614550b7e3cab9016c501020d5ca889751f1dbfd7e2
Instruction ID: e4f39d71161b3e98a2c6ae79caf3a0e9347c5f69565422dd5274bb6c5ad972f1
Opcode Fuzzy Hash: 5f455d9638c6067f009f4614550b7e3cab9016c501020d5ca889751f1dbfd7e2
Instruction Fuzzy Hash: 86A19271A60615BFEB14DFA4ED4AFAE7BB9EB05714F004114FA14AB2E0CB74AD10CB64

Function 0028AD9C Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0028ADAA
GetDriveTypeW.KERNEL32(?,002AFAC0,?,\\.\,002AF910), ref: 0028AE87
SetErrorMode.KERNEL32(00000000,002AFAC0,?,\\.\,002AF910), ref: 0028AFE5

Strings

Removable, xrefs: 0028AED9
1394, xrefs: 0028AF67
SSD, xrefs: 0028AF12
USB, xrefs: 0028AF7C
SSA, xrefs: 0028AF6E
iSCSI, xrefs: 0028AF8A
RAID, xrefs: 0028AF83
Virtual, xrefs: 0028AFAD
FileBackedVirtual, xrefs: 0028AFB4
Unknown, xrefs: 0028AEA7, 0028AF4B
ATAPI, xrefs: 0028AF59
SAS, xrefs: 0028AF91
SATA, xrefs: 0028AF98
Fibre, xrefs: 0028AF75
Network, xrefs: 0028AEC5
ATA, xrefs: 0028AF60
SCSI, xrefs: 0028AF52
CDROM, xrefs: 0028AEBB
MMC, xrefs: 0028AFA6
RAMDisk, xrefs: 0028AEB1
\\.\, xrefs: 0028ADFC
PhysicalDrive, xrefs: 0028AE33
Fixed, xrefs: 0028AECF

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: cae12095dcb372e25a1c8826e560e3d201f774d3c19a3d606b6129eb612437f9
Instruction ID: add6217bc4f596b4f20941ff4e069f01dddbd99fdbd55c19758b32450d8be17d
Opcode Fuzzy Hash: cae12095dcb372e25a1c8826e560e3d201f774d3c19a3d606b6129eb612437f9
Instruction Fuzzy Hash: 6151A4B867A605ABEB00FF50C982879B3B0AB157047204457FA06A76D0CF729D72DF83

Function 00226A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00226A91
__wcsnicmp.LIBCMT ref: 00226AA9
__wcsnicmp.LIBCMT ref: 00226AC1
__wcsnicmp.LIBCMT ref: 00226AD9
__wcsnicmp.LIBCMT ref: 00226AF1
__wcsnicmp.LIBCMT ref: 00226B09
__wcsnicmp.LIBCMT ref: 00226B21
__wcsnicmp.LIBCMT ref: 00226B35
__wcsnicmp.LIBCMT ref: 00226B76
__wcsnicmp.LIBCMT ref: 00226B8A
__wcsnicmp.LIBCMT ref: 00226B9E
__wcsnicmp.LIBCMT ref: 00226BB2

Strings

#notrayicon, xrefs: 00226AA3
Bad directive syntax error, xrefs: 0025E673
#requireadmin, xrefs: 00226ABB
#comments-start, xrefs: 00226B1B, 00226B70
#comments-end, xrefs: 00226B98
#include-once, xrefs: 00226AEB
#ce, xrefs: 00226BAC
Cannot parse #include, xrefs: 0025E749
#OnAutoItStartRegister, xrefs: 00226AD3
Unterminated group of comments, xrefs: 0025E75C
#pragma compile, xrefs: 00226A8B
#include, xrefs: 00226B03
#cs, xrefs: 00226B2F, 00226B84

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 1d16d801992bdfd27b7e07976c8844558925a16c965add0b21a8db9e8a9f9a34
Instruction ID: dfbbc9ee8a4d56956bdb45d17a72a82abbdc0ddeede061c0b7b356ea856151d5
Opcode Fuzzy Hash: 1d16d801992bdfd27b7e07976c8844558925a16c965add0b21a8db9e8a9f9a34
Instruction Fuzzy Hash: 0B815D71634322BBCF24AFA1DC86FAE7368AF15754F044020FD45AA192EB70DB75CA94

Function 002AA8FC Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 002AA935
SetTextColor.GDI32(?,?), ref: 002AA939
GetSysColorBrush.USER32(0000000F), ref: 002AA94F
GetSysColor.USER32(0000000F), ref: 002AA95A
CreateSolidBrush.GDI32(?), ref: 002AA95F
GetSysColor.USER32(00000011), ref: 002AA977
CreatePen.GDI32(00000000,00000001,00743C00), ref: 002AA985
SelectObject.GDI32(?,00000000), ref: 002AA996
SetBkColor.GDI32(?,00000000), ref: 002AA99F
SelectObject.GDI32(?,?), ref: 002AA9AC
InflateRect.USER32(?,000000FF,000000FF), ref: 002AA9CB
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002AA9E2
GetWindowLongW.USER32(00000000,000000F0), ref: 002AA9F7
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 002AAA1F
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 002AAA46
InflateRect.USER32(?,000000FD,000000FD), ref: 002AAA64
DrawFocusRect.USER32(?,?), ref: 002AAA6F
GetSysColor.USER32(00000011), ref: 002AAA7D
SetTextColor.GDI32(?,00000000), ref: 002AAA85
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 002AAA99
SelectObject.GDI32(?,002AA62C), ref: 002AAAB0
DeleteObject.GDI32(?), ref: 002AAABB
SelectObject.GDI32(?,?), ref: 002AAAC1
DeleteObject.GDI32(?), ref: 002AAAC6
SetTextColor.GDI32(?,?), ref: 002AAACC
SetBkColor.GDI32(?,?), ref: 002AAAD6

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 92ceb8d6c8b23864a5dbf9ead1686db94223dc3e015f7d67e0524886768bd7de
Instruction ID: 7cc718d0390e39f041587dab093f475c821ab90e9eaec6080ed4a940b7533b58
Opcode Fuzzy Hash: 92ceb8d6c8b23864a5dbf9ead1686db94223dc3e015f7d67e0524886768bd7de
Instruction Fuzzy Hash: BD516D71900209FFDF509FA4ED48EAEBBB9EF09320F114225F915AB2A1DB759950CF90

Function 002A8A07 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 002A8AF3
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002A8B04
CharNextW.USER32(0000014E), ref: 002A8B33
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 002A8B74
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 002A8B8A
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002A8B9B
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 002A8BB8
SetWindowTextW.USER32(?,0000014E), ref: 002A8C0A
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 002A8C20
SendMessageW.USER32(?,00001002,00000000,?), ref: 002A8C51
_memset.LIBCMT ref: 002A8C76
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 002A8CBF
_memset.LIBCMT ref: 002A8D1E
SendMessageW.USER32(?,00001053,000000FF,?), ref: 002A8D48
SendMessageW.USER32(?,00001074,?,00000001), ref: 002A8DA0
SendMessageW.USER32(?,0000133D,?,?), ref: 002A8E4D
InvalidateRect.USER32(?,00000000,00000001), ref: 002A8E6F
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 002A8EB9
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 002A8EE6
DrawMenuBar.USER32(?), ref: 002A8EF5
SetWindowTextW.USER32(?,0000014E), ref: 002A8F1D

Strings

0, xrefs: 002A8E87

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 5282f2a2f97fa85711ca5a6bc9448159180bd7aadfebd807f7ddee1c788f7185
Instruction ID: 2572be38a4a4f05a51af2e1e93c91329bb27850d2570401e14d44e22dac23ed5
Opcode Fuzzy Hash: 5282f2a2f97fa85711ca5a6bc9448159180bd7aadfebd807f7ddee1c788f7185
Instruction Fuzzy Hash: D6E1A170920219AFDF209F60CC88EEE7BB9FF06750F508156F9159A291DF7489A4CF60

Function 002A48F8 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 002A4A33
GetDesktopWindow.USER32 ref: 002A4A48
GetWindowRect.USER32(00000000), ref: 002A4A4F
GetWindowLongW.USER32(?,000000F0), ref: 002A4AB1
DestroyWindow.USER32(?), ref: 002A4ADD
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 002A4B06
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002A4B24
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 002A4B4A
SendMessageW.USER32(?,00000421,?,?), ref: 002A4B5F
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 002A4B72
IsWindowVisible.USER32(?), ref: 002A4B92
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 002A4BAD
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 002A4BC1
GetWindowRect.USER32(?,?), ref: 002A4BD9
MonitorFromPoint.USER32(?,?,00000002), ref: 002A4BFF
GetMonitorInfoW.USER32(00000000,?), ref: 002A4C19
CopyRect.USER32(?,?), ref: 002A4C30
SendMessageW.USER32(?,00000412,00000000), ref: 002A4C9B

Strings

(, xrefs: 002A4C0C
0, xrefs: 002A49DE
tooltips_class32, xrefs: 002A4AFF

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 6a1e899ca5114bea9365bab359c5a7925c72c8302e677ceb7cc4cfe658f5a1e9
Instruction ID: 13b474a84014acd3ec1fcda8a5b1e2fc4d2c5139c7e41f628c721de27ebe4598
Opcode Fuzzy Hash: 6a1e899ca5114bea9365bab359c5a7925c72c8302e677ceb7cc4cfe658f5a1e9
Instruction Fuzzy Hash: E3B1BC70614301AFDB44EF64D988B6ABBE4FF89710F00891DF5999B291DBB0EC14CB95

Function 002227D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002228BC
GetSystemMetrics.USER32(00000007), ref: 002228C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002228EF
GetSystemMetrics.USER32(00000008), ref: 002228F7
GetSystemMetrics.USER32(00000004), ref: 0022291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00222939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00222949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0022297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00222990
GetClientRect.USER32(00000000,000000FF), ref: 002229AE
GetStockObject.GDI32(00000011), ref: 002229CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 002229D5

Part of subcall function 00222344: GetCursorPos.USER32(?), ref: 00222357
Part of subcall function 00222344: ScreenToClient.USER32(002E57B0,?), ref: 00222374
Part of subcall function 00222344: GetAsyncKeyState.USER32(00000001), ref: 00222399
Part of subcall function 00222344: GetAsyncKeyState.USER32(00000002), ref: 002223A7

SetTimer.USER32(00000000,00000000,00000028,00221256), ref: 002229FC

Strings

AutoIt v3 GUI, xrefs: 00222974

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: c07636513fa54c80787d57775c4d7313f89e609a92451b564eab26f7e6d17384
Instruction ID: d2060401708def2f94ad1081d4177e8c90672f5845436259b91b94606a1975b1
Opcode Fuzzy Hash: c07636513fa54c80787d57775c4d7313f89e609a92451b564eab26f7e6d17384
Instruction Fuzzy Hash: 47B18F71A2021AEFDB14DFE8ED89BAD7BA4FB08315F104229FA15D6290DB74D864CB50

Function 0027A844 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0027A885
__swprintf.LIBCMT ref: 0027A926
_wcscmp.LIBCMT ref: 0027A939
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0027A98E
_wcscmp.LIBCMT ref: 0027A9CA
GetClassNameW.USER32(?,?,00000400), ref: 0027AA01
GetDlgCtrlID.USER32(?), ref: 0027AA53
GetWindowRect.USER32(?,?), ref: 0027AA89
GetParent.USER32(?), ref: 0027AAA7
ScreenToClient.USER32(00000000), ref: 0027AAAE
GetClassNameW.USER32(?,?,00000100), ref: 0027AB28
_wcscmp.LIBCMT ref: 0027AB3C
GetWindowTextW.USER32(?,?,00000400), ref: 0027AB62
_wcscmp.LIBCMT ref: 0027AB76

Part of subcall function 002437AC: _iswctype.LIBCMT ref: 002437B4

Strings

%s%u, xrefs: 0027A920

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 7ebd2717ca0ee3ccad7139cda53b07deb293ee6b959736a64dfbb09fb126b858
Instruction ID: 6a9f27f8e9e12f8fd5aca10c48559c45c105cd287fd746b0790426ad20481c81
Opcode Fuzzy Hash: 7ebd2717ca0ee3ccad7139cda53b07deb293ee6b959736a64dfbb09fb126b858
Instruction Fuzzy Hash: 76A1C171224207AFD718DF64C884BAEF7E9FF94324F108529F99D82190DB30E965CB92

Function 0027B196 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0027B1DA
_wcscmp.LIBCMT ref: 0027B1EB
GetWindowTextW.USER32(00000001,?,00000400), ref: 0027B213
CharUpperBuffW.USER32(?,00000000), ref: 0027B230
_wcscmp.LIBCMT ref: 0027B24E
_wcsstr.LIBCMT ref: 0027B25F
GetClassNameW.USER32(00000018,?,00000400), ref: 0027B297
_wcscmp.LIBCMT ref: 0027B2A7
GetWindowTextW.USER32(00000002,?,00000400), ref: 0027B2CE
GetClassNameW.USER32(00000018,?,00000400), ref: 0027B317
_wcscmp.LIBCMT ref: 0027B327
GetClassNameW.USER32(00000010,?,00000400), ref: 0027B34F
GetWindowRect.USER32(00000004,?), ref: 0027B3B8

Strings

@, xrefs: 0027B1BB
ThumbnailClass, xrefs: 0027B2A2, 0027B322

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: ef1087dd3e9564e549ad7cdbe09e281dc25e9003da92f0bbbc38c2ba91c75b69
Instruction ID: 6c66ec2c20babb508b076226ef782915c57504d3ad735bbda38ac4cb262d76e7
Opcode Fuzzy Hash: ef1087dd3e9564e549ad7cdbe09e281dc25e9003da92f0bbbc38c2ba91c75b69
Instruction Fuzzy Hash: 6781C0710283069FDB06DF10C995FAA7BE8EF44314F04C4AAFD899A0A6DB34DD65CB61

Function 002AC668 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00222612: GetWindowLongW.USER32(?,000000EB), ref: 00222623

DragQueryPoint.SHELL32(?,?), ref: 002AC691

Part of subcall function 002AAB69: ClientToScreen.USER32(?,?), ref: 002AAB92
Part of subcall function 002AAB69: GetWindowRect.USER32(?,?), ref: 002AAC08
Part of subcall function 002AAB69: PtInRect.USER32(?,?,002AC07E), ref: 002AAC18

SendMessageW.USER32(?,000000B0,?,?), ref: 002AC6FA
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 002AC705
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 002AC728
_wcscat.LIBCMT ref: 002AC758
SendMessageW.USER32(?,000000C2,00000001,?), ref: 002AC76F
SendMessageW.USER32(?,000000B0,?,?), ref: 002AC788
SendMessageW.USER32(?,000000B1,?,?), ref: 002AC79F
SendMessageW.USER32(?,000000B1,?,?), ref: 002AC7C1
DragFinish.SHELL32(?), ref: 002AC7C8
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 002AC8BB

Strings

@GUI_DRAGFILE, xrefs: 002AC86A
@GUI_DRAGID, xrefs: 002AC833
@GUI_DROPID, xrefs: 002AC7E8
pb., xrefs: 002AC805

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pb.
API String ID: 169749273-1174233046
Opcode ID: 4f7659002a7f29bc8c7c2f9f7d14d450a3d4aded0c68409df777fb074376f732
Instruction ID: 057cf1355b7a44122325f9e4a6810b80522ecfe26828f990fcb80192f1508a76
Opcode Fuzzy Hash: 4f7659002a7f29bc8c7c2f9f7d14d450a3d4aded0c68409df777fb074376f732
Instruction Fuzzy Hash: 04615E71118311AFC701DFA0EC89D9BBBE8FF89710F10092EF695962A1DB709959CF92

Function 0027AFDF Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0027B03E

Strings

[REGEXPTITLE:, xrefs: 0027B066
LAST, xrefs: 0027B003
[HANDLE:, xrefs: 0027B04A
REGEXP=, xrefs: 0027B053
[LAST, xrefs: 0027B0EB
CLASSNAME=, xrefs: 0027B07B
[CLASS:, xrefs: 0027B08E
[ALL, xrefs: 0027B0E4
ACTIVE, xrefs: 0027B019
[ACTIVE, xrefs: 0027B02B
HANDLE=, xrefs: 0027B037
ALL, xrefs: 0027B0D2

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 2ce45414c938f7d7b44ec5c4a356524ba9d3ef520995af591ddea86bb52efdfd
Instruction ID: 399cf6b16318c450d4ce7b1515936d9421b3a96bdcc82794a97e777c08fa750b
Opcode Fuzzy Hash: 2ce45414c938f7d7b44ec5c4a356524ba9d3ef520995af591ddea86bb52efdfd
Instruction Fuzzy Hash: 5531D030A7C226B6DA25EAA0DC53FAF73A49F21710F60451AB419711D2FFB16F34CA50

Function 0027C2C0 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 0027C2D3
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0027C2E5
SetWindowTextW.USER32(?,?), ref: 0027C2FC
GetDlgItem.USER32(?,000003EA), ref: 0027C311
SetWindowTextW.USER32(00000000,?), ref: 0027C317
GetDlgItem.USER32(?,000003E9), ref: 0027C327
SetWindowTextW.USER32(00000000,?), ref: 0027C32D
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0027C34E
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0027C368
GetWindowRect.USER32(?,?), ref: 0027C371
SetWindowTextW.USER32(?,?), ref: 0027C3DC
GetDesktopWindow.USER32 ref: 0027C3E2
GetWindowRect.USER32(00000000), ref: 0027C3E9
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0027C435
GetClientRect.USER32(?,?), ref: 0027C442
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0027C467
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0027C492

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 526e02d4025a599bac03f14a077e25d7021bc635a9a37c80df9988f368798fdb
Instruction ID: 30bb236de2add41f6afd262a20857a43cb2c2757f0894a36958ea3c38457e57a
Opcode Fuzzy Hash: 526e02d4025a599bac03f14a077e25d7021bc635a9a37c80df9988f368798fdb
Instruction Fuzzy Hash: D3513D3190070AAFDB209FB8DE89B6EBBB5FF04705F10852CE656A25A0DB74A954CB50

Function 00295113 Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00295129
LoadCursorW.USER32(00000000,00007F00), ref: 00295134
LoadCursorW.USER32(00000000,00007F03), ref: 0029513F
LoadCursorW.USER32(00000000,00007F8B), ref: 0029514A
LoadCursorW.USER32(00000000,00007F01), ref: 00295155
LoadCursorW.USER32(00000000,00007F81), ref: 00295160
LoadCursorW.USER32(00000000,00007F88), ref: 0029516B
LoadCursorW.USER32(00000000,00007F80), ref: 00295176
LoadCursorW.USER32(00000000,00007F86), ref: 00295181
LoadCursorW.USER32(00000000,00007F83), ref: 0029518C
LoadCursorW.USER32(00000000,00007F85), ref: 00295197
LoadCursorW.USER32(00000000,00007F82), ref: 002951A2
LoadCursorW.USER32(00000000,00007F84), ref: 002951AD
LoadCursorW.USER32(00000000,00007F04), ref: 002951B8
LoadCursorW.USER32(00000000,00007F02), ref: 002951C3
LoadCursorW.USER32(00000000,00007F89), ref: 002951CE
GetCursorInfo.USER32(?), ref: 002951DE

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 92077c04a9795ba149fdb7ef99c7ce39560739c9862e00c87875d7337dcaad28
Instruction ID: 58bbc190147dbc7d71d0ec4629b9707abde929145fb616189bac31acce2c2788
Opcode Fuzzy Hash: 92077c04a9795ba149fdb7ef99c7ce39560739c9862e00c87875d7337dcaad28
Instruction Fuzzy Hash: CF3107B0E5832A6ADF109FB69C8995FFEE8FF04750F50453AE50DE7280DA7865008F91

Function 002AA1EB Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002AA28B
DestroyWindow.USER32(?,?), ref: 002AA305

Part of subcall function 00227D2C: _memmove.LIBCMT ref: 00227D66

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 002AA37F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 002AA3A1
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002AA3B4
DestroyWindow.USER32(00000000), ref: 002AA3D6
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00220000,00000000), ref: 002AA40D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002AA426
GetDesktopWindow.USER32 ref: 002AA43F
GetWindowRect.USER32(00000000), ref: 002AA446
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 002AA45E
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 002AA476

Part of subcall function 002225DB: GetWindowLongW.USER32(?,000000EB), ref: 002225EC

Strings

0, xrefs: 002AA2A1
tooltips_class32, xrefs: 002AA378, 002AA406

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 7ee64a23f8a40731b2b6edc19ce8565d1db6694378bae642ff46a9d983989d50
Instruction ID: 8c1fe85ca4d01f1fd73f631a47d57667f4580e9eb01a885a0f51a1b9e38a43a4
Opcode Fuzzy Hash: 7ee64a23f8a40731b2b6edc19ce8565d1db6694378bae642ff46a9d983989d50
Instruction Fuzzy Hash: 2C719B70160645AFDB20CF28DC48F6677F9EF8A704F04051DF9868B2A0DBB4A965CF62

Function 002AB832 Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 002AB8E8
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,002A6B43,?), ref: 002AB944
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 002AB97D
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 002AB9C0
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 002AB9F7
FreeLibrary.KERNEL32(?), ref: 002ABA03
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 002ABA13
DestroyIcon.USER32(?), ref: 002ABA22
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 002ABA3F
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 002ABA4B

Part of subcall function 0024307D: __wcsicmp_l.LIBCMT ref: 00243106

Strings

.dll, xrefs: 002AB8A1
Ck*, xrefs: 002AB83B, 002ABA51, 002AB8FB, 002AB9D2, 002AB959
.exe, xrefs: 002AB87E
.icl, xrefs: 002AB85E

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl$Ck*
API String ID: 1212759294-468209006
Opcode ID: ab50c30620441eebe4b6744423cfc400302eb193fbe7877edb88081875c81547
Instruction ID: 8400fdbf1f01342bf5be55ec5858f49197eb71deeace0e2f310e805cb39714cb
Opcode Fuzzy Hash: ab50c30620441eebe4b6744423cfc400302eb193fbe7877edb88081875c81547
Instruction Fuzzy Hash: 6961207192061ABFEB25CF64DC45BBA77A8EF0A710F10411AF915D60C2DF7499A0CBA0

Function 002A43FB Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002A448D
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 002A44D8

Strings

GETITEMCOUNT, xrefs: 002A45BA
ISCHECKED, xrefs: 002A465B
SELECT, xrefs: 002A4689
GETTOTALCOUNT, xrefs: 002A44BF
GETSELECTED, xrefs: 002A45E8
UNCHECK, xrefs: 002A46B4
CHECK, xrefs: 002A44F8
EXISTS, xrefs: 002A4541
COLLAPSE, xrefs: 002A451E
GETTEXT, xrefs: 002A462B
EXPAND, xrefs: 002A458A

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 43b2351a965f2937ad4edaa3ad27e4fab4f50b41f80038b00336192692d96521
Instruction ID: e5153a1758dd933ec756c8b65818887fcda677cb9fc921611e63886374cefd42
Opcode Fuzzy Hash: 43b2351a965f2937ad4edaa3ad27e4fab4f50b41f80038b00336192692d96521
Instruction Fuzzy Hash: C391A0302247119FCB14FF50C891A69B7A5AF85710F14885DF8965B3A2CF71EDAACF81

Function 0028A3DC Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00229997: __itow.LIBCMT ref: 002299C2
Part of subcall function 00229997: __swprintf.LIBCMT ref: 00229A0C

CharLowerBuffW.USER32(?,?), ref: 0028A455
GetDriveTypeW.KERNEL32 ref: 0028A4A2
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0028A4EA
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0028A521
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0028A54F

Part of subcall function 00227D2C: _memmove.LIBCMT ref: 00227D66

Strings

closed, xrefs: 0028A469, 0028A472
open, xrefs: 0028A47C
wait, xrefs: 0028A50C
close, xrefs: 0028A45B
type cdaudio alias cd wait, xrefs: 0028A4CD
open , xrefs: 0028A4B1
set cd door , xrefs: 0028A4F0
close cd wait, xrefs: 0028A53A

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: fa7f8327c86b91fe48c1b4cd3e7a91ec4bd9ae0fb9e62ff9a29bae98b1504ebf
Instruction ID: c4cfefd14fd012f16872b94697fbf9630844daccd17874d38a6fb22d691f0318
Opcode Fuzzy Hash: fa7f8327c86b91fe48c1b4cd3e7a91ec4bd9ae0fb9e62ff9a29bae98b1504ebf
Instruction Fuzzy Hash: 7B518C71528315AFC700EF20D89186AB7E4FF84718F10896EF886572A1DB31EE26CF42

Function 0025AA4B Relevance: 22.7, APIs: 15, Instructions: 211COMMONLIBRARYCODE

Download Yara Rule

APIs

_copy_environ.LIBCMT ref: 0025AAAB
___wtomb_environ.LIBCMT ref: 0025AACD

Part of subcall function 00248CA8: __getptd_noexit.LIBCMT ref: 00248CA8

__malloc_crt.LIBCMT ref: 0025AAF5
__malloc_crt.LIBCMT ref: 0025AB12
_free.LIBCMT ref: 0025AB49
__recalloc_crt.LIBCMT ref: 0025AB82
__recalloc_crt.LIBCMT ref: 0025ABC7
_strlen.LIBCMT ref: 0025ABF3
__calloc_crt.LIBCMT ref: 0025ABFD
_strlen.LIBCMT ref: 0025AC0C
SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 0025AC3A
_free.LIBCMT ref: 0025AC54
_free.LIBCMT ref: 0025AC61
_free.LIBCMT ref: 0025AC73
__invoke_watson.LIBCMT ref: 0025AC8D

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
String ID:
API String ID: 884005220-0
Opcode ID: 22847ad73d19859bb69e23f49b5f97466aa03b50588a317e3013c3bb23acd30e
Instruction ID: 08edabc98908d0f95417ca20c0d33916d18ea8c6da7b919451215bda57b85172
Opcode Fuzzy Hash: 22847ad73d19859bb69e23f49b5f97466aa03b50588a317e3013c3bb23acd30e
Instruction Fuzzy Hash: 7761F472930212EFDB249F28D94676E77A8EF10327F10431AEC059B181DB74D968CB9A

Function 002ABA67 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 002ABA8A
GetFileSize.KERNEL32(00000000,00000000), ref: 002ABAA1
GlobalAlloc.KERNEL32(00000002,00000000), ref: 002ABAAC
CloseHandle.KERNEL32(00000000), ref: 002ABAB9
GlobalLock.KERNEL32(00000000), ref: 002ABAC2
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 002ABAD1
GlobalUnlock.KERNEL32(00000000), ref: 002ABADA
CloseHandle.KERNEL32(00000000), ref: 002ABAE1
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 002ABAF2
OleLoadPicture.OLEAUT32(?,00000000,00000000,002B2CAC,?), ref: 002ABB0B
GlobalFree.KERNEL32(00000000), ref: 002ABB1B
GetObjectW.GDI32(?,00000018,000000FF), ref: 002ABB3F
CopyImage.USER32(?,00000000,?,?,00002000), ref: 002ABB6A
DeleteObject.GDI32(00000000), ref: 002ABB92
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 002ABBA8

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 536fe5a79b1db5a6fad0e9495dfa4cbe4462bae84c1879c946e01047bc60e2af
Instruction ID: 4886c2c15a651a103bd2b5813664b3be397f480476c60637b803384077cd4811
Opcode Fuzzy Hash: 536fe5a79b1db5a6fad0e9495dfa4cbe4462bae84c1879c946e01047bc60e2af
Instruction Fuzzy Hash: 78416A35600209EFCB618FA5ED8CEAA7BB8EF8A711F104068F909D7261DB349D10DB60

Function 0028D925 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0028DA9C
_wcscat.LIBCMT ref: 0028DAB4
_wcscat.LIBCMT ref: 0028DAC6
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0028DADB
SetCurrentDirectoryW.KERNEL32(?), ref: 0028DAEF
GetFileAttributesW.KERNEL32(?), ref: 0028DB07
SetFileAttributesW.KERNEL32(?,00000000), ref: 0028DB21
SetCurrentDirectoryW.KERNEL32(?), ref: 0028DB33

Strings

*.*, xrefs: 0028DB72

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: e2fcccaed64f7689b42bf789c5adfb779a441503479d1b190cd4dd274ff91432
Instruction ID: f6ecd6544c0c265082b29a40fa4fbacf9c794e34a6d2148dcd87149493b4c96d
Opcode Fuzzy Hash: e2fcccaed64f7689b42bf789c5adfb779a441503479d1b190cd4dd274ff91432
Instruction Fuzzy Hash: 0B81B4795292419FCB24FF64C844A6AB7E4BF88314F28482EF886C72D1DA70DD58CB52

Function 002AC216 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00222612: GetWindowLongW.USER32(?,000000EB), ref: 00222623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 002AC266
GetFocus.USER32 ref: 002AC276
GetDlgCtrlID.USER32(00000000), ref: 002AC281
_memset.LIBCMT ref: 002AC3AC
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 002AC3D7
GetMenuItemCount.USER32(?), ref: 002AC3F7
GetMenuItemID.USER32(?,00000000), ref: 002AC40A
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 002AC43E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 002AC486
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 002AC4BE
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 002AC4F3

Strings

0, xrefs: 002AC3A4

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 394387238a818daba37e3045c260b535b91a8e89fb26395163358b24f2ed4d60
Instruction ID: 3dca03cce4e7222f742b61b208430807de434c6a7ed1ea273d5c2b0db04a9c81
Opcode Fuzzy Hash: 394387238a818daba37e3045c260b535b91a8e89fb26395163358b24f2ed4d60
Instruction Fuzzy Hash: E081A071528312AFDB10CF14D894A7ABBE8FF8E714F20452DF99597291CB70D825CBA2

Function 0029742F Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 002974A4
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 002974B0
CreateCompatibleDC.GDI32(?), ref: 002974BC
SelectObject.GDI32(00000000,?), ref: 002974C9
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 0029751D
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00297559
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 0029757D
SelectObject.GDI32(00000006,?), ref: 00297585
DeleteObject.GDI32(?), ref: 0029758E
DeleteDC.GDI32(00000006), ref: 00297595
ReleaseDC.USER32(00000000,?), ref: 002975A0

Strings

(, xrefs: 00297525

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: c1352a9a38917bb7a07187d75060998b1bdbbbe79f54a8a69d21450a85bcced7
Instruction ID: 37af96bdf6939be7409341310352ec7d907a57125d9a5edf965368d68ffb04ac
Opcode Fuzzy Hash: c1352a9a38917bb7a07187d75060998b1bdbbbe79f54a8a69d21450a85bcced7
Instruction Fuzzy Hash: C0516B71914209EFCB24CFA8DC88EAEBBB9EF49710F14842DF98997211D735A850CF50

Function 00226BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00240AD7: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00226C6C,?,00008000), ref: 00240AF3

Part of subcall function 002248AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002248A1,?,?,002237C0,?), ref: 002248CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00226D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 00226E5A

Part of subcall function 002259CD: _wcscpy.LIBCMT ref: 00225A05

Part of subcall function 002437BD: _iswctype.LIBCMT ref: 002437C5

Strings

Bad directive syntax error, xrefs: 0025EAF6
Unterminated string, xrefs: 0025EB3D
EA06, xrefs: 0025E7AB
AU3!, xrefs: 00226CC1
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0025E77A
Error opening the file, xrefs: 0025E796, 0025E811
>>>AUTOIT SCRIPT<<<, xrefs: 0025E7EF

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 525dabcfa201326a4311f3a3bbfb20d7187e3d86aecb3af081af2f1e5ce2b082
Instruction ID: b09284076370d0262e456f0ab69b7164b35210467a95ce005cc5f59270013672
Opcode Fuzzy Hash: 525dabcfa201326a4311f3a3bbfb20d7187e3d86aecb3af081af2f1e5ce2b082
Instruction Fuzzy Hash: 4302A131128351AFCB24EF60D881AAFBBE5BF99314F14491DF485972A1DB30DA69CF42

Function 002245DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002245F9
GetMenuItemCount.USER32(002E5890), ref: 0025D6FD
GetMenuItemCount.USER32(002E5890), ref: 0025D7AD
GetCursorPos.USER32(?), ref: 0025D7F1
SetForegroundWindow.USER32(00000000), ref: 0025D7FA
TrackPopupMenuEx.USER32(002E5890,00000000,?,00000000,00000000,00000000), ref: 0025D80D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0025D819

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: 89bc94b07fbe2133b54b01592fe6b57681cc8141127796c3aa32630fbb5ec1c1
Instruction ID: 2c65cd29ae5c8177dfef76e009ddafed2bfe03fba6ac448976541ad7bcb1233b
Opcode Fuzzy Hash: 89bc94b07fbe2133b54b01592fe6b57681cc8141127796c3aa32630fbb5ec1c1
Instruction Fuzzy Hash: 1A71F530661216BFEB309F94EC49FAABF68FF05365F100216F919AA1E0CBB55874CB54

Function 002989C0 Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 002989EC
CoInitialize.OLE32(00000000), ref: 00298A19
CoUninitialize.OLE32 ref: 00298A23
GetRunningObjectTable.OLE32(00000000,?), ref: 00298B23
SetErrorMode.KERNEL32(00000001,00000029), ref: 00298C50
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,002B2C0C), ref: 00298C84
CoGetObject.OLE32(?,00000000,002B2C0C,?), ref: 00298CA7
SetErrorMode.KERNEL32(00000000), ref: 00298CBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00298D3A
VariantClear.OLEAUT32(?), ref: 00298D4A

Strings

,,+, xrefs: 002989D6

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID: ,,+
API String ID: 2395222682-1536947320
Opcode ID: 21aeda50cce516e706ce6256246813173251e9945911521ed4282ce8ca8d7333
Instruction ID: 940a2a1aeeff8d86de0f770d7e1ecffeadfe97d2ddcc02473ee1b6f1192a6e6c
Opcode Fuzzy Hash: 21aeda50cce516e706ce6256246813173251e9945911521ed4282ce8ca8d7333
Instruction Fuzzy Hash: 1DC123B1218305AFDB00DF64C88492BB7E9FF8A348F08491DF58A9B251DB71ED55CB62

Function 002A0EA5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0029FE38,?,?), ref: 002A0EBC

Strings

HKLM, xrefs: 002A0F3A
HKCC, xrefs: 002A0F8A
HKEY_USERS, xrefs: 002A0FBD
HKCR, xrefs: 002A0F64
HKCU, xrefs: 002A0FAC
HKEY_LOCAL_MACHINE, xrefs: 002A0F25
HKEY_CURRENT_USER, xrefs: 002A0F9B
HKU, xrefs: 002A0FCE
HKEY_CLASSES_ROOT, xrefs: 002A0F4F
HKEY_CURRENT_CONFIG, xrefs: 002A0F79

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 13f201b089c4224cc01609e878bf109adf99dda604adff9a89f83ead45a1c131
Instruction ID: 1f14c4ad7f5869ecf064f4f689bccb068acbb463136c542579ceaee010816e07
Opcode Fuzzy Hash: 13f201b089c4224cc01609e878bf109adf99dda604adff9a89f83ead45a1c131
Instruction Fuzzy Hash: 4D416A3013429A9BCF24EF50E8E1AEE3724AF16310F544416FD516B292DF359DBACBA0

Function 0028536E Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00227D2C: _memmove.LIBCMT ref: 00227D66

Part of subcall function 00227A84: _memmove.LIBCMT ref: 00227B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 002853D7
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 002853ED
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002853FE
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00285410
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00285421

Strings

close PlayMe, xrefs: 002853E8, 00285415
alias PlayMe, xrefs: 002853B0
play PlayMe, xrefs: 0028541C
play PlayMe wait, xrefs: 0028540B
open , xrefs: 00285386
status PlayMe mode, xrefs: 002853D2

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 43f3a3c687759caa18e879df3670b846877f99f208fb6eb70f5119857c39954d
Instruction ID: 15916a0f0f50aa7b7291b143b8c6f203409c1f590ca315b7f8864260665f8fc8
Opcode Fuzzy Hash: 43f3a3c687759caa18e879df3670b846877f99f208fb6eb70f5119857c39954d
Instruction Fuzzy Hash: 2F11CB25A7513979D720BBA1DC46DFFBB7CEB92B40F00041AB401A21D1DE604D65CAF0

Function 002846F8 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00284713
gethostname.WSOCK32(?,00000100), ref: 0028472D
gethostbyname.WSOCK32(?), ref: 0028473A
_wcscpy.LIBCMT ref: 00284762
_memmove.LIBCMT ref: 00284775
inet_ntoa.WSOCK32(?), ref: 00284780
_strcat.LIBCMT ref: 0028478E
_wcscpy.LIBCMT ref: 002847A5
WSACleanup.WSOCK32 ref: 002847B3
_wcscpy.LIBCMT ref: 002847C1

Strings

0.0.0.0, xrefs: 0028475C

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 3017bdb607dd07e446c2abdde58e68597edcb313fe1c7008d57834b8c332a506
Instruction ID: b24d0dcdf986e9f0d5522fde4281ef2ec10af3e35a3660fc44e9c52dbe210139
Opcode Fuzzy Hash: 3017bdb607dd07e446c2abdde58e68597edcb313fe1c7008d57834b8c332a506
Instruction Fuzzy Hash: B6112735924116AFDB24BB60ED4AEDAB7BCDF03710F410176F504960D1FFB88AA98B90

Function 0028501C Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00285021

Part of subcall function 0024034A: timeGetTime.WINMM(?,75C0B400,00230FDB), ref: 0024034E

Sleep.KERNEL32(0000000A), ref: 0028504D
EnumThreadWindows.USER32(?,Function_00064FCF,00000000), ref: 00285071
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00285093
SetActiveWindow.USER32 ref: 002850B2
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 002850C0
SendMessageW.USER32(00000010,00000000,00000000), ref: 002850DF
Sleep.KERNEL32(000000FA), ref: 002850EA
IsWindow.USER32 ref: 002850F6
EndDialog.USER32(00000000), ref: 00285107

Strings

BUTTON, xrefs: 00285085

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: d799f0d530f014f32644bec7a7814a39a2b1b28f0a2b70fac94055f0342f5959
Instruction ID: 450a9a8af58f5bc4ed772a6fddc2d5bc352b22e0579f9414395207c18a5162c7
Opcode Fuzzy Hash: d799f0d530f014f32644bec7a7814a39a2b1b28f0a2b70fac94055f0342f5959
Instruction Fuzzy Hash: CE21CF74252A55AFE7406FB0FDCCB363B6DEB1A785B440028F505852F1DF658C608B71

Function 0028D619 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00229997: __itow.LIBCMT ref: 002299C2
Part of subcall function 00229997: __swprintf.LIBCMT ref: 00229A0C

CoInitialize.OLE32(00000000), ref: 0028D676
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0028D709
SHGetDesktopFolder.SHELL32(?), ref: 0028D71D
CoCreateInstance.OLE32(002B2D7C,00000000,00000001,002D8C1C,?), ref: 0028D769
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0028D7D8
CoTaskMemFree.OLE32(?,?), ref: 0028D830
_memset.LIBCMT ref: 0028D86D
SHBrowseForFolderW.SHELL32(?), ref: 0028D8A9
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0028D8CC
CoTaskMemFree.OLE32(00000000), ref: 0028D8D3
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0028D90A
CoUninitialize.OLE32(00000001,00000000), ref: 0028D90C

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 8df91a615d3b44679e11777d0f52934bd63055be895b581df1b75d13f09aaf71
Instruction ID: 7d2cefbc014f224de24cf0cdde260e79a51022add69994066193b7ef64e0391e
Opcode Fuzzy Hash: 8df91a615d3b44679e11777d0f52934bd63055be895b581df1b75d13f09aaf71
Instruction Fuzzy Hash: E3B11B75A10119AFDB14EFA4D888DAEBBB9FF48304B148069F909EB291DB30ED55CF50

Function 0028034D Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 002803C8
SetKeyboardState.USER32(?), ref: 00280433
GetAsyncKeyState.USER32(000000A0), ref: 00280453
GetKeyState.USER32(000000A0), ref: 0028046A
GetAsyncKeyState.USER32(000000A1), ref: 00280499
GetKeyState.USER32(000000A1), ref: 002804AA
GetAsyncKeyState.USER32(00000011), ref: 002804D6
GetKeyState.USER32(00000011), ref: 002804E4
GetAsyncKeyState.USER32(00000012), ref: 0028050D
GetKeyState.USER32(00000012), ref: 0028051B
GetAsyncKeyState.USER32(0000005B), ref: 00280544
GetKeyState.USER32(0000005B), ref: 00280552

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 7b2824453aeb716dc79e98da3c5e6cdd63eb9cdf02ab1fcfdbc675ddd03e0522
Instruction ID: 20e3c8b836e067747a28c041e6fb5d4cfa270a83422a779b6468fc6b07aa06f3
Opcode Fuzzy Hash: 7b2824453aeb716dc79e98da3c5e6cdd63eb9cdf02ab1fcfdbc675ddd03e0522
Instruction Fuzzy Hash: 1B510B2892A7851AFB74FFB084907AEBFB49F01380F4885DD85C2561C3DA649B5CCB61

Function 0027C529 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0027C545
GetWindowRect.USER32(00000000,?), ref: 0027C557
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0027C5B5
GetDlgItem.USER32(?,00000002), ref: 0027C5C0
GetWindowRect.USER32(00000000,?), ref: 0027C5D2
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0027C626
GetDlgItem.USER32(?,000003E9), ref: 0027C634
GetWindowRect.USER32(00000000,?), ref: 0027C645
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0027C688
GetDlgItem.USER32(?,000003EA), ref: 0027C696
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0027C6B3
InvalidateRect.USER32(?,00000000,00000001), ref: 0027C6C0

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: a1c097ec312420a0c1c72a92b4413872ab701c359ee2962865696127f1c6879d
Instruction ID: 9826f75bc5eb8b0c16ede8d5b38223530010fce6848744c8b1d7233a570fcc6c
Opcode Fuzzy Hash: a1c097ec312420a0c1c72a92b4413872ab701c359ee2962865696127f1c6879d
Instruction Fuzzy Hash: C1516571B10205AFDB18CFB9DD89A6EBBB9EB89710F14813DF519D7290DB749D008B50

Function 0022201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00221B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00222036,?,00000000,?,?,?,?,002216CB,00000000,?), ref: 00221B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 002220D3
KillTimer.USER32(-00000001,?,?,?,?,002216CB,00000000,?,?,00221AE2,?,?), ref: 0022216E
DestroyAcceleratorTable.USER32(00000000), ref: 0025BE26
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,002216CB,00000000,?,?,00221AE2,?,?), ref: 0025BE57
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,002216CB,00000000,?,?,00221AE2,?,?), ref: 0025BE6E
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,002216CB,00000000,?,?,00221AE2,?,?), ref: 0025BE8A
DeleteObject.GDI32(00000000), ref: 0025BE9C

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 53fdc964131b230090bc2eb2be0199471b6907ee4a6141ecef263db42d3c7e48
Instruction ID: 2d9b9f18a351f7426d34b3e7ec70b7c191ed89e632ad5c726a47503035f04981
Opcode Fuzzy Hash: 53fdc964131b230090bc2eb2be0199471b6907ee4a6141ecef263db42d3c7e48
Instruction Fuzzy Hash: CD61BD30130A61FFCB26DF54EA89B25B7F1FB11306F544528EA424A960C776A9B8DF90

Function 002221A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 002225DB: GetWindowLongW.USER32(?,000000EB), ref: 002225EC

GetSysColor.USER32(0000000F), ref: 002221D3

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 36c6270a26a593120fb2e6decd34f41a1e76df15bc69a9c7b86ab54757390473
Instruction ID: 756900af53076c3779cb2a79357a46a1721801b61b845d17d742c220cb73ab4d
Opcode Fuzzy Hash: 36c6270a26a593120fb2e6decd34f41a1e76df15bc69a9c7b86ab54757390473
Instruction Fuzzy Hash: B441AE31010161FFDB255FA8B888BB93B65EB06331F244365FD659A1E2CB738C66DB21

Function 0028A931 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,002AF910), ref: 0028A995
GetDriveTypeW.KERNEL32(00000061,002D89A0,00000061), ref: 0028AA5F
_wcscpy.LIBCMT ref: 0028AA89

Strings

fixed, xrefs: 0028A9DD
all, xrefs: 0028A99B
removable, xrefs: 0028A9C7
cdrom, xrefs: 0028A9B1
unknown, xrefs: 0028AA20
ramdisk, xrefs: 0028AA09
network, xrefs: 0028A9F3

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 29a8a35d330a1d043047cbbd14b343974f48fc40a09997dcb66c4af3039c580f
Instruction ID: 41c24936c6e242e41f53a9ea64526f4e6cf1267ba8a5a0fb18331ccd65d738b5
Opcode Fuzzy Hash: 29a8a35d330a1d043047cbbd14b343974f48fc40a09997dcb66c4af3039c580f
Instruction Fuzzy Hash: D751CB34138301ABD318EF54D9D2AAAB7A5EF80704F10482AF596572E2DF709D69CB93

Function 00229997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 002299C2
__swprintf.LIBCMT ref: 00229A0C
__i64tow.LIBCMT ref: 0025F93F

Strings

%.15g, xrefs: 00229A06
0x%p, xrefs: 0025F921
True, xrefs: 0025F900
False, xrefs: 0025F907

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 6538d2da9890eccd1207a16309f216239c4a130d15e48db9caa1ce34a9ccabc4
Instruction ID: cf44483690096f2c6ddfa9d9246f33c76636020a7b032fdc62a2572c05ad40e8
Opcode Fuzzy Hash: 6538d2da9890eccd1207a16309f216239c4a130d15e48db9caa1ce34a9ccabc4
Instruction Fuzzy Hash: 5441F33153421ABADB28DF74D942A7673E8EF04310F20447EE949D6291EA719DA5CB10

Function 002A7184 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002A719C
CreateMenu.USER32 ref: 002A71B7
SetMenu.USER32(?,00000000), ref: 002A71C6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002A7253
IsMenu.USER32(?), ref: 002A7269
CreatePopupMenu.USER32 ref: 002A7273
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 002A72A0
DrawMenuBar.USER32 ref: 002A72A8

Strings

0, xrefs: 002A7192
F, xrefs: 002A7294

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 86b494d867ce8af188346d98a717dced6e9883331251d1fe05f3b36311e07766
Instruction ID: 8bf52ca8f639a86c6f5b1d6639d76358059f697ddd13f75087f4856a1fe6c6c2
Opcode Fuzzy Hash: 86b494d867ce8af188346d98a717dced6e9883331251d1fe05f3b36311e07766
Instruction Fuzzy Hash: 11412975A11205EFDB20DFA4E988B9A77B5FB4A300F544129FD49A7350DB31A920CBA4

Function 002A74ED Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 002A7590
CreateCompatibleDC.GDI32(00000000), ref: 002A7597
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 002A75AA
SelectObject.GDI32(00000000,00000000), ref: 002A75B2
GetPixel.GDI32(00000000,00000000,00000000), ref: 002A75BD
DeleteDC.GDI32(00000000), ref: 002A75C6
GetWindowLongW.USER32(?,000000EC), ref: 002A75D0
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 002A75E4
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 002A75F0

Strings

static, xrefs: 002A7528

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: bd0cf002c17400f9aaa1cc40a6e761a5194e9e5c404fde7836f80ed3ab134ec1
Instruction ID: 1de4ea9bbb82f5316595c0313373199a4a54a3e419128cfa9264504815e538e7
Opcode Fuzzy Hash: bd0cf002c17400f9aaa1cc40a6e761a5194e9e5c404fde7836f80ed3ab134ec1
Instruction Fuzzy Hash: F7317E32514115BBDF129FA4ED48FDB3B69FF0A720F110225FA25A61A0CB35D821DF64

Function 00246F80 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00246FBB

Part of subcall function 00248CA8: __getptd_noexit.LIBCMT ref: 00248CA8

__gmtime64_s.LIBCMT ref: 00247054
__gmtime64_s.LIBCMT ref: 0024708A
__gmtime64_s.LIBCMT ref: 002470A7
__allrem.LIBCMT ref: 002470FD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00247119
__allrem.LIBCMT ref: 00247130
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0024714E
__allrem.LIBCMT ref: 00247165
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00247183
__invoke_watson.LIBCMT ref: 002471F4

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
Instruction ID: 0f702629f35601cc9e591a1dfcee189a0fcd2a212f84aa272faf63545edb25d5
Opcode Fuzzy Hash: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
Instruction Fuzzy Hash: F7713D71A20717ABE718DF78CC41B5AB3A8AF11364F10413AF819D7681E770DE648BD0

Function 0028281F Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0028283A
GetMenuItemInfoW.USER32(002E5890,000000FF,00000000,00000030), ref: 0028289B
SetMenuItemInfoW.USER32(002E5890,00000004,00000000,00000030), ref: 002828D1
Sleep.KERNEL32(000001F4), ref: 002828E3
GetMenuItemCount.USER32(?), ref: 00282927
GetMenuItemID.USER32(?,00000000), ref: 00282943
GetMenuItemID.USER32(?,-00000001), ref: 0028296D
GetMenuItemID.USER32(?,?), ref: 002829B2
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 002829F8
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00282A0C
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00282A2D

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: c1ec37322e4b110f0e83d40cfe0b23558e4ec8885f6de4a48c6f0e8124a166cc
Instruction ID: f2386b2cb0fa8b8699cb46174a8377f21483fcee4c79c57adc39cb435007159a
Opcode Fuzzy Hash: c1ec37322e4b110f0e83d40cfe0b23558e4ec8885f6de4a48c6f0e8124a166cc
Instruction Fuzzy Hash: 3161C47892124AEFDF25EFA4DD889AE7BB8EF05304F140059E841A7291D735AD29DB20

Function 002A6F55 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 002A6FD7
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 002A6FDA
GetWindowLongW.USER32(?,000000F0), ref: 002A6FFE
_memset.LIBCMT ref: 002A700F
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 002A7021
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 002A7099

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 83bb6705b0372ec4b8652f2888b24460aeb276e442f986a73fa8e774e538e316
Instruction ID: a51f2038e36f58e8f99d980dce696f26a438981f9a988aeeec928709dbee029d
Opcode Fuzzy Hash: 83bb6705b0372ec4b8652f2888b24460aeb276e442f986a73fa8e774e538e316
Instruction Fuzzy Hash: 02617B74910258EFDB10CFA4CC85EEE77F8EB09704F14015AFA15AB2A1CB70AD65CB54

Function 00276EEE Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00276F15
SafeArrayAllocData.OLEAUT32(?), ref: 00276F6E
VariantInit.OLEAUT32(?), ref: 00276F80
SafeArrayAccessData.OLEAUT32(?,?), ref: 00276FA0
VariantCopy.OLEAUT32(?,?), ref: 00276FF3
SafeArrayUnaccessData.OLEAUT32(?), ref: 00277007
VariantClear.OLEAUT32(?), ref: 0027701C
SafeArrayDestroyData.OLEAUT32(?), ref: 00277029
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00277032
VariantClear.OLEAUT32(?), ref: 00277044
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0027704F

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: b35337ac2857918407bfbddfd921ad7be2145d39da4e5c7356f1a2350ade50e2
Instruction ID: 7de9ee9dcbf6980f0faf232e9e0f82949a67b6f9dbcae6fe57ff60de6778e952
Opcode Fuzzy Hash: b35337ac2857918407bfbddfd921ad7be2145d39da4e5c7356f1a2350ade50e2
Instruction Fuzzy Hash: 61415435A14219AFCB10DFA4E848DAEBBB9FF48314F00C069FA59A7251CB74A955CF90

Function 002984D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00229997: __itow.LIBCMT ref: 002299C2
Part of subcall function 00229997: __swprintf.LIBCMT ref: 00229A0C

CoInitialize.OLE32 ref: 00298518
CoUninitialize.OLE32 ref: 00298523
CoCreateInstance.OLE32(?,00000000,00000017,002B2BEC,?), ref: 00298583
IIDFromString.OLE32(?,?), ref: 002985F6
VariantInit.OLEAUT32(?), ref: 00298690
VariantClear.OLEAUT32(?), ref: 002986F1

Strings

Failed to create object, xrefs: 0029858E, 00298644
Invalid parameter, xrefs: 0029860F
NULL Pointer assignment, xrefs: 002985C8

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: a662e7d444f276ad77bfe3dddfc15bec341033d23cdf9fd4b510addcc58e7005
Instruction ID: b11aa1cec531c867bef3e87af37a7bb22d648b1f4a6e63a572146fd415fde4dc
Opcode Fuzzy Hash: a662e7d444f276ad77bfe3dddfc15bec341033d23cdf9fd4b510addcc58e7005
Instruction Fuzzy Hash: 8161E170228311AFDB10DF64D848F5AB7E8AF4A714F09481DF9859B291DB70ED68CB92

Function 00295848 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 002958A9
inet_addr.WSOCK32(?,?,?), ref: 002958EE
gethostbyname.WSOCK32(?), ref: 002958FA
IcmpCreateFile.IPHLPAPI ref: 00295908
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00295978
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 0029598E
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00295A03
WSACleanup.WSOCK32 ref: 00295A09

Strings

Ping, xrefs: 0029592C

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: dc5105bcd21768111baa105ca55f6cf3bb01117bf9d4467ec4a7ddfe6b608cf5
Instruction ID: 034e16dcdd5ee626b8e64ab38afe4ae9779068935e46bf57f49370f523c432bc
Opcode Fuzzy Hash: dc5105bcd21768111baa105ca55f6cf3bb01117bf9d4467ec4a7ddfe6b608cf5
Instruction Fuzzy Hash: BA518031624721EFEB119F64DC49B2AB7E0EF45720F14852AF9999B2A0DB70EC50CF81

Function 0028B54F Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0028B55C
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0028B5D2
GetLastError.KERNEL32 ref: 0028B5DC
SetErrorMode.KERNEL32(00000000,READY), ref: 0028B649

Strings

UNKNOWN, xrefs: 0028B601
READY, xrefs: 0028B622
INVALID, xrefs: 0028B61B
READONLY, xrefs: 0028B614
NOTREADY, xrefs: 0028B608

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 8a466704a07d6f8faf2fc178ab9ce5b6432d072bd6e62b46a264f671f273ac9b
Instruction ID: a05c2dfa708102511ab69925db2a9891ab8256a7104e416030d69242c6a9f90e
Opcode Fuzzy Hash: 8a466704a07d6f8faf2fc178ab9ce5b6432d072bd6e62b46a264f671f273ac9b
Instruction Fuzzy Hash: 1C31B439A25215AFCB11FFA4D885EAD77B8EF05304F14402AF505D72D1DB709D62CB90

Function 00279251 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00227F41: _memmove.LIBCMT ref: 00227F82

Part of subcall function 0027AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 0027AEC7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 002792D6
GetDlgCtrlID.USER32 ref: 002792E1
GetParent.USER32 ref: 002792FD
SendMessageW.USER32(00000000,?,00000111,?), ref: 00279300
GetDlgCtrlID.USER32(?), ref: 00279309
GetParent.USER32(?), ref: 00279325
SendMessageW.USER32(00000000,?,?,00000111), ref: 00279328

Strings

ListBox, xrefs: 00279293
ComboBox, xrefs: 0027925E

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 8f9dac3d00dea51fbb63b8cf1ead1a46d419d025615439c6499866183bfd7a3d
Instruction ID: a1134c0caea5db54a8f4c405e3b8f913058f7d6b80a393bcd77678403ec0c9db
Opcode Fuzzy Hash: 8f9dac3d00dea51fbb63b8cf1ead1a46d419d025615439c6499866183bfd7a3d
Instruction Fuzzy Hash: EE21C470954204BBDF04ABA0DC89DFDBB68EF86310F104165B961972E1DB795865DF20

Function 0027933C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00227F41: _memmove.LIBCMT ref: 00227F82

Part of subcall function 0027AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 0027AEC7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 002793BF
GetDlgCtrlID.USER32 ref: 002793CA
GetParent.USER32 ref: 002793E6
SendMessageW.USER32(00000000,?,00000111,?), ref: 002793E9
GetDlgCtrlID.USER32(?), ref: 002793F2
GetParent.USER32(?), ref: 0027940E
SendMessageW.USER32(00000000,?,?,00000111), ref: 00279411

Strings

ListBox, xrefs: 0027937E
ComboBox, xrefs: 00279349

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 706cb4be0c985f61a1802345bf449aaf0097fa971c7ae81de879ad18a5d01e64
Instruction ID: e79676ba31ece36f573e607118b8d25d8e0ed0c977274dbd5664a4151e8f66bb
Opcode Fuzzy Hash: 706cb4be0c985f61a1802345bf449aaf0097fa971c7ae81de879ad18a5d01e64
Instruction Fuzzy Hash: CE21F570A10204BBDF00AFA4DC99EFEBBB8EF45300F104066F921A72A5DB795865DF20

Function 00279425 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00279431
GetClassNameW.USER32(00000000,?,00000100), ref: 00279446
_wcscmp.LIBCMT ref: 00279458
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 002794D3

Strings

largeicons, xrefs: 00279467
details, xrefs: 00279481
smallicons, xrefs: 0027949B
SHELLDLL_DefView, xrefs: 00279452
list, xrefs: 002794B5

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 966f2469772200a58ca2a67c568640a4a7435efd3b0fa32598be64928c5cd22b
Instruction ID: 5445c1ff07eb32020c85b2875dd220aa5e85389b552e7619c272d40760753185
Opcode Fuzzy Hash: 966f2469772200a58ca2a67c568640a4a7435efd3b0fa32598be64928c5cd22b
Instruction Fuzzy Hash: D411243727C3077AF6145624AC17DD6735C9B06720F208117F908D50E1FF755CB24954

Function 00287A39 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00287B15

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: a3c675b510610792d6f98059fb9f0b9818bd8a21e49bfc1be5dbdc49452f46f6
Instruction ID: 49e348ea0223d03351cbf490d51b9a4b3e6d709af68c3b8ba7f3f4b28b805cc9
Opcode Fuzzy Hash: a3c675b510610792d6f98059fb9f0b9818bd8a21e49bfc1be5dbdc49452f46f6
Instruction Fuzzy Hash: D9B1AF7992921A9FDB10EF94D884BBEB7B4FF08325F244429E600E7291D774E951CFA0

Function 002814FF Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00281521
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00280599,?,00000001), ref: 00281535
GetWindowThreadProcessId.USER32(00000000), ref: 0028153C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00280599,?,00000001), ref: 0028154B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0028155D
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00280599,?,00000001), ref: 00281576
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00280599,?,00000001), ref: 00281588
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00280599,?,00000001), ref: 002815CD
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00280599,?,00000001), ref: 002815E2
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00280599,?,00000001), ref: 002815ED

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: e1720fb0580d79b803188563135378865e359d20893ac4f6a629051223254355
Instruction ID: 6806cb442816d65884d4d1d19de87c510f17138ee12094e84d66d86297e0044c
Opcode Fuzzy Hash: e1720fb0580d79b803188563135378865e359d20893ac4f6a629051223254355
Instruction Fuzzy Hash: 99310379911245BFDF60AF90FDCCB6937ADEBA5351F504015F802CA1E0DBB89D618B60

Function 00299228 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0029927C
VariantInit.OLEAUT32(?), ref: 0029934D
VariantInit.OLEAUT32(?), ref: 0029944E
VariantClear.OLEAUT32(?), ref: 00299458
VariantClear.OLEAUT32(?), ref: 002994B5

Strings

,,+, xrefs: 002992FA
Incorrect Object type in FOR..IN loop, xrefs: 00299431
Null Object assignment in FOR..IN loop, xrefs: 002992DD, 0029940B, 002994C3

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: ,,+$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-4011182307
Opcode ID: 81924990bb145e8bb1f4719dd1b9e09b54a2369a7879facf69e6d37f73655dd2
Instruction ID: b33d3314f3e30614f9e69d26c60e24dc431c2244cec43933f8b34e99f1e23607
Opcode Fuzzy Hash: 81924990bb145e8bb1f4719dd1b9e09b54a2369a7879facf69e6d37f73655dd2
Instruction Fuzzy Hash: EB91A070E20219ABDF25DFA9C844FAEBBB8EF45720F10855DF505AB280D7709995CFA0

Function 0027A473 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0027A844), ref: 0027A782

Strings

CLASSNN, xrefs: 0027A524
CLASS, xrefs: 0027A501
TEXT, xrefs: 0027A6B9
INSTANCE, xrefs: 0027A690
NAME, xrefs: 0027A5B4
REGEXPCLASS, xrefs: 0027A547

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: b940fd3f42dc30372ee02c35ee7cfe13f916bc6ba6327f73a6ef539e2e500776
Instruction ID: dbe7ef31a5876d4a70b099fe54e83fb32922c6970a0daa64670b49280666288d
Opcode Fuzzy Hash: b940fd3f42dc30372ee02c35ee7cfe13f916bc6ba6327f73a6ef539e2e500776
Instruction Fuzzy Hash: 5A91A071A24506AADB08DFA0C4D1BEDFB78BF44324F54C11AE85DA7281DB3069B9CF91

Function 00222E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00222EAE

Part of subcall function 00221DB3: GetClientRect.USER32(?,?), ref: 00221DDC
Part of subcall function 00221DB3: GetWindowRect.USER32(?,?), ref: 00221E1D
Part of subcall function 00221DB3: ScreenToClient.USER32(?,?), ref: 00221E45

GetDC.USER32 ref: 0025CEB2
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0025CEC5
SelectObject.GDI32(00000000,00000000), ref: 0025CED3
SelectObject.GDI32(00000000,00000000), ref: 0025CEE8
ReleaseDC.USER32(?,00000000), ref: 0025CEF0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0025CF7B

Strings

U, xrefs: 0025CE50

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: f77d09d2eab198f549adf1d066c72be1437af5ffa1898167a7bd4fc464c010ac
Instruction ID: 6b6b5655e0093373d995d6a6bee50b610c47fc06222fd37415060b3f194a2430
Opcode Fuzzy Hash: f77d09d2eab198f549adf1d066c72be1437af5ffa1898167a7bd4fc464c010ac
Instruction Fuzzy Hash: F071F530420306EFCF219FA4D884AAA7BB6FF09311F244266FD555A166E7319C68DF60

Function 00298D5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,002AF910), ref: 00298E3D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,002AF910), ref: 00298E71
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00298FEB
SysFreeString.OLEAUT32(?), ref: 00299015

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: f629ff3ad40d0c78f78f9db84e1d81e05b36e4af4dbe107e85c8b8beba92a0d2
Instruction ID: f298725739b3994218127d14e666dd581cd25e785763155753cdb93db1621b83
Opcode Fuzzy Hash: f629ff3ad40d0c78f78f9db84e1d81e05b36e4af4dbe107e85c8b8beba92a0d2
Instruction Fuzzy Hash: 5FF13A71A1010AEFCF14DF98C888EAEB7B9FF49314F148059F519AB250DB71AE95CB50

Function 0029F7A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0029F7C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0029F95C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0029F980
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0029F9C0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0029F9E2
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0029FB5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0029FB90
CloseHandle.KERNEL32(?), ref: 0029FBBF
CloseHandle.KERNEL32(?), ref: 0029FC36

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 980e73c6d96fbdfe7b91bdd93704b59854caf3198abfaa438523ecc209e7c436
Instruction ID: c8a5d9f8f4363325e24b616b9965b10f2c2b103bc85f4eb1fe401b4d53287d69
Opcode Fuzzy Hash: 980e73c6d96fbdfe7b91bdd93704b59854caf3198abfaa438523ecc209e7c436
Instruction Fuzzy Hash: C5E1B131624301DFCB94EF24D595B6ABBE0AF89314F14846DF8898B2A2DB31DC64CF52

Function 00284D68 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 002846AF: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,002836DB,?), ref: 002846CC

Part of subcall function 002846AF: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,002836DB,?), ref: 002846E5

Part of subcall function 00284AD8: GetFileAttributesW.KERNEL32(?,0028374F), ref: 00284AD9

lstrcmpiW.KERNEL32(?,?), ref: 00284DE7
_wcscmp.LIBCMT ref: 00284E01
MoveFileW.KERNEL32(?,?), ref: 00284E1C

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 263fb70d5a1ccccdc248703cd9853b5dc623f0ac7ae8e231b9bd901a3b54f7a6
Instruction ID: 520c0a7c1767e4a9749ca02d3d3e67db735c8acc92f0b44d87831e69ae3e3b83
Opcode Fuzzy Hash: 263fb70d5a1ccccdc248703cd9853b5dc623f0ac7ae8e231b9bd901a3b54f7a6
Instruction Fuzzy Hash: C35184B64183969BC724FB90D8819DFB3ECAF85300F40092EB685D3191EF74A69C8B56

Function 002A8677 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 002A8731

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: e8b89b6810b2a07de4051e45fdb6c4645a9bb5a657f4cb6c2fdfdc64b917dd6e
Instruction ID: af0f4de9d67a40ddac0553b8e00acd849e2c9e67574d388923bbf8188ee37da9
Opcode Fuzzy Hash: e8b89b6810b2a07de4051e45fdb6c4645a9bb5a657f4cb6c2fdfdc64b917dd6e
Instruction Fuzzy Hash: 5251C570520219FFEB249F65DC89B997B68EB07710F604126FA15D61E0CF75A9B0CB50

Function 00222B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0025C477
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0025C499
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0025C4B1
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0025C4CF
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0025C4F0
DestroyIcon.USER32(00000000), ref: 0025C4FF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0025C51C
DestroyIcon.USER32(?), ref: 0025C52B

Part of subcall function 002AA4E1: DeleteObject.GDI32(00000000), ref: 002AA51A

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: f5d46cacfe827d468c14ff0b9f90a238ecd98383e383e234d86fe527dece4519
Instruction ID: 9d524966c91ce8b2e04414290c3bd5fed41aebd524038a1efb8793cead1e3f6e
Opcode Fuzzy Hash: f5d46cacfe827d468c14ff0b9f90a238ecd98383e383e234d86fe527dece4519
Instruction Fuzzy Hash: D2519D74620215FFDB20DFA4EC45FAA77B5EB18715F100128F902A7290EBB5EDA4DB50

Function 00279930 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0027AC37: GetWindowThreadProcessId.USER32(?,00000000), ref: 0027AC57
Part of subcall function 0027AC37: GetCurrentThreadId.KERNEL32 ref: 0027AC5E
Part of subcall function 0027AC37: AttachThreadInput.USER32(00000000,?,00279945,?,00000001), ref: 0027AC65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00279950
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 0027996D
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00279970
MapVirtualKeyW.USER32(00000025,00000000), ref: 00279979
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00279997
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 0027999A
MapVirtualKeyW.USER32(00000025,00000000), ref: 002799A3
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 002799BA
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 002799BD

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 4c76821c5a937bb02573b9c7e3d514d44c3e805a23b4011d8cd2c9ba65d15a6c
Instruction ID: b36aa392d1bb9a293bc372cae48df7efa0067bf5f5bc4e8cede426d5cc756296
Opcode Fuzzy Hash: 4c76821c5a937bb02573b9c7e3d514d44c3e805a23b4011d8cd2c9ba65d15a6c
Instruction Fuzzy Hash: 7C11CE71560218FFF6106BA0EC8EF6A7A2DEB4D761F100429F658AB0A0CDF65C519EA4

Function 00278BE3 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00278864,00000B00,?,?), ref: 00278BEC
HeapAlloc.KERNEL32(00000000,?,00278864,00000B00,?,?), ref: 00278BF3
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00278864,00000B00,?,?), ref: 00278C08
GetCurrentProcess.KERNEL32(?,00000000,?,00278864,00000B00,?,?), ref: 00278C10
DuplicateHandle.KERNEL32(00000000,?,00278864,00000B00,?,?), ref: 00278C13
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00278864,00000B00,?,?), ref: 00278C23
GetCurrentProcess.KERNEL32(00278864,00000000,?,00278864,00000B00,?,?), ref: 00278C2B
DuplicateHandle.KERNEL32(00000000,?,00278864,00000B00,?,?), ref: 00278C2E
CreateThread.KERNEL32(00000000,00000000,00278C54,00000000,00000000,00000000), ref: 00278C48

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: bf79f140c7e040d80fc5878faaebe9facdde7593d01ba3257dfd8b599009fdbe
Instruction ID: 169882b0f6f856e8130f4ed84a354b740e1babffd261d7d4b702e6323f2841b7
Opcode Fuzzy Hash: bf79f140c7e040d80fc5878faaebe9facdde7593d01ba3257dfd8b599009fdbe
Instruction Fuzzy Hash: 1101BFB5240344FFE750ABA5ED4DF573BACEB89711F104421FA09DB191DA749800CB20

Function 00299872 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00277432: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0027736C,80070057,?,?,?,0027777D), ref: 0027744F
Part of subcall function 00277432: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0027736C,80070057,?,?), ref: 0027746A
Part of subcall function 00277432: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0027736C,80070057,?,?), ref: 00277478
Part of subcall function 00277432: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0027736C,80070057,?), ref: 00277488

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 0029991B
_memset.LIBCMT ref: 00299928
_memset.LIBCMT ref: 00299A6B
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00299A97
CoTaskMemFree.OLE32(?), ref: 00299AA2

Strings

NULL Pointer assignment, xrefs: 00299AF0

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 69948f087fd3c7583eb9552b31c640671724655e7d4bb4f686e5de82b4b1c722
Instruction ID: d9765954eb5b7c827418f4d24b73e2b82645df545f3c6b70c8a068d8750e3689
Opcode Fuzzy Hash: 69948f087fd3c7583eb9552b31c640671724655e7d4bb4f686e5de82b4b1c722
Instruction Fuzzy Hash: 0C912771D10229EBDF10DFA5DC85ADEBBB8EF08710F20815AF419A7281DB719A54CFA0

Function 002A6DB2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 002A6E56
SendMessageW.USER32(?,00001036,00000000,?), ref: 002A6E6A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 002A6E84
_wcscat.LIBCMT ref: 002A6EDF
SendMessageW.USER32(?,00001057,00000000,?), ref: 002A6EF6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 002A6F24

Strings

SysListView32, xrefs: 002A6E28

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: a0892e134141de49d7a156459193842cc6e1e3ca92d10e88053c2f14f0415506
Instruction ID: a241b4499325e72d57959c44b2b3a452a3d3ce75fee6ef9c99a82e7aea84629a
Opcode Fuzzy Hash: a0892e134141de49d7a156459193842cc6e1e3ca92d10e88053c2f14f0415506
Instruction Fuzzy Hash: F641B030A10309AFEB219FA4CC89FEAB7A8EF09750F14042AF545E7191DB729DA4CB50

Function 0029EA47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00283C99: CreateToolhelp32Snapshot.KERNEL32 ref: 00283CBE
Part of subcall function 00283C99: Process32FirstW.KERNEL32(00000000,?), ref: 00283CCC
Part of subcall function 00283C99: CloseHandle.KERNEL32(00000000), ref: 00283D96

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0029EAB8
GetLastError.KERNEL32 ref: 0029EACB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0029EAFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 0029EB77
GetLastError.KERNEL32(00000000), ref: 0029EB82
CloseHandle.KERNEL32(00000000), ref: 0029EBB7

Strings

SeDebugPrivilege, xrefs: 0029EAD6

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: b3d75f9ae5ed3ea251554f6e0900b4230e44f267ca797e4d78452f9345ec036c
Instruction ID: ce901907678af9e2380c20458db6a9f6dccc2a694b4b717742fa4062894bfc0c
Opcode Fuzzy Hash: b3d75f9ae5ed3ea251554f6e0900b4230e44f267ca797e4d78452f9345ec036c
Instruction Fuzzy Hash: 2741CD706202019FDF14EF54DCAAF6DB7A1BF44314F198458F8468B2D2CBB5A864CF86

Function 0028302E Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 002830CD

Strings

info, xrefs: 0028306E
blank, xrefs: 0028304F
warning, xrefs: 002830B6
question, xrefs: 00283086
stop, xrefs: 0028309E

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: f6e63c2e70c454a450a646b1dc1247a4c7cfe2310d0bfe050c331fbcc517467e
Instruction ID: 158acda2c9d2c017f81447fd997137284dd8d80cfe19b3b89f8facc584ecaac1
Opcode Fuzzy Hash: f6e63c2e70c454a450a646b1dc1247a4c7cfe2310d0bfe050c331fbcc517467e
Instruction Fuzzy Hash: FF11EB39629747BAE724FE55EC42C6A779C9F06B20F10002BF500962C2EFB55F6147A1

Function 00284339 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00284353
LoadStringW.USER32(00000000), ref: 0028435A
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00284370
LoadStringW.USER32(00000000), ref: 00284377
_wprintf.LIBCMT ref: 0028439D
MessageBoxW.USER32(00000000,?,?,00011010), ref: 002843BB

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00284398

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 207e61eae57e85aa21addc254efad594ab3a53e6d364300df2e3f530d9dfa671
Instruction ID: e3e00a42c38e670525614408e57376a73b22fef58e13c1645450561739db5d01
Opcode Fuzzy Hash: 207e61eae57e85aa21addc254efad594ab3a53e6d364300df2e3f530d9dfa671
Instruction Fuzzy Hash: 1E0184F6900208BFE751ABD4AE8DEE6736CD709700F0005A1BB09D2051DA749E944B70

Function 002AD4A8 Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00222612: GetWindowLongW.USER32(?,000000EB), ref: 00222623

GetSystemMetrics.USER32(0000000F), ref: 002AD4E6
GetSystemMetrics.USER32(0000000F), ref: 002AD506
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 002AD741
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 002AD75F
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 002AD780
ShowWindow.USER32(00000003,00000000), ref: 002AD79F
InvalidateRect.USER32(?,00000000,00000001), ref: 002AD7C4
DefDlgProcW.USER32(?,00000005,?,?), ref: 002AD7E7

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: baf388782c1361620e8d2325f5be44beb7b4a26a283eeb2c18a2ef6cb3eb2508
Instruction ID: c6bca3e7baa32ef6b258f002a5503450e500d69ca06256742cdcb350da2dd3bd
Opcode Fuzzy Hash: baf388782c1361620e8d2325f5be44beb7b4a26a283eeb2c18a2ef6cb3eb2508
Instruction Fuzzy Hash: 8BB1AD75510226EFDF18CF68C9C97AD7BB1FF06700F088069EC5A9EA95DB34A960CB50

Function 00222A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0025C347,00000004,00000000,00000000,00000000), ref: 00222ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0025C347,00000004,00000000,00000000,00000000,000000FF), ref: 00222B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0025C347,00000004,00000000,00000000,00000000), ref: 0025C39A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0025C347,00000004,00000000,00000000,00000000), ref: 0025C406

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 562dfe6f8406e62852fe0da3c86797f599e51255b3d1d9f8daf3fa9e06a54179
Instruction ID: e6a6599ce7cff75f3b16950b171065ee871f3aed8ace3a663417c1b7905c7fcd
Opcode Fuzzy Hash: 562dfe6f8406e62852fe0da3c86797f599e51255b3d1d9f8daf3fa9e06a54179
Instruction Fuzzy Hash: 21412930234791FFC7758FA8BD8C76A7B95BB45304F24C829E48786960DAB698ADC710

Function 0028716F Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00287186

Part of subcall function 00240F36: std::exception::exception.LIBCMT ref: 00240F6C
Part of subcall function 00240F36: __CxxThrowException@8.LIBCMT ref: 00240F81

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 002871BD
EnterCriticalSection.KERNEL32(?), ref: 002871D9
_memmove.LIBCMT ref: 00287227
_memmove.LIBCMT ref: 00287244
LeaveCriticalSection.KERNEL32(?), ref: 00287253
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00287268
InterlockedExchange.KERNEL32(?,000001F6), ref: 00287287

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: f503d9bcdeaba246a2d3d75652730ae57cf76c2fa5cc99b58d9113ecfbbf1682
Instruction ID: 5669a0b25739d5361d2108ad3ec2f7c1a7f8e8cc55a4a3bff0e0d6127094f70a
Opcode Fuzzy Hash: f503d9bcdeaba246a2d3d75652730ae57cf76c2fa5cc99b58d9113ecfbbf1682
Instruction Fuzzy Hash: A231BE31910205EBCB20EFA4DD89AAA7778FF45310B2541B5FD04AB256DB70DE64CBA0

Function 002A6205 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 002A621D
GetDC.USER32(00000000), ref: 002A6225
GetDeviceCaps.GDI32(00000000,0000005A), ref: 002A6230
ReleaseDC.USER32(00000000,00000000), ref: 002A623C
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 002A6278
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 002A6289
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,002A905C,?,?,000000FF,00000000,?,000000FF,?), ref: 002A62C3
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 002A62E3

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 6c5f1be93e832ea375fe36cb5cf2393763870581e8470d8a073f44c45a25d95c
Instruction ID: 23c2f4232dbbbbea80a69831dc78d8d3fe28ad5be603aca83c96b16e2ebb6cbe
Opcode Fuzzy Hash: 6c5f1be93e832ea375fe36cb5cf2393763870581e8470d8a073f44c45a25d95c
Instruction Fuzzy Hash: C3316D72251210BFEB118F60DD4AFEA3FADEF4A751F080065FE089A191CB799851CBA4

Function 0028EBAF Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00229997: __itow.LIBCMT ref: 002299C2
Part of subcall function 00229997: __swprintf.LIBCMT ref: 00229A0C

Part of subcall function 0023FE06: _wcscpy.LIBCMT ref: 0023FE29

_wcstok.LIBCMT ref: 0028ED20
_wcscpy.LIBCMT ref: 0028EDAF
_memset.LIBCMT ref: 0028EDE2

Strings

X, xrefs: 0028EE1F

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: d734d5142d20dafa6d2459cf253b6297bf1f28467094a1094083f30d3f7d3920
Instruction ID: f0d5600a7a08267ebfa9cda18f92e96477f30b612ea2d3fe84b36eee5e4a204a
Opcode Fuzzy Hash: d734d5142d20dafa6d2459cf253b6297bf1f28467094a1094083f30d3f7d3920
Instruction Fuzzy Hash: B8C1A135528311AFDB24EF64D881A5EB7E4BF85310F01492DF899972A2DB30EC65CF82

Function 00221424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bac68fdc3dd23864d485e02bdd804f0983a34f7b66c84f3286a3a8212cbeeb3d
Instruction ID: 02e7cc4634a5fbf726a943588fec1258b21c9b6a0d44688e556641d2bb708b2d
Opcode Fuzzy Hash: bac68fdc3dd23864d485e02bdd804f0983a34f7b66c84f3286a3a8212cbeeb3d
Instruction Fuzzy Hash: 63716930910119FFCB05DF98D849EAEBB79FF95310F108159F915AA291C734AA61CFA4

Function 00296C8C Relevance: 10.7, APIs: 7, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a67f78274f3b63c726e682cb7efd45b58cddb523a93785b10bdd6c181abfd104
Instruction ID: 92468ca3cbaef6f8bcfe279a5061e4d01127c8362543d70a166420c5698cb3a8
Opcode Fuzzy Hash: a67f78274f3b63c726e682cb7efd45b58cddb523a93785b10bdd6c181abfd104
Instruction Fuzzy Hash: D261CC31528311ABDB20EFA4DC8AF6FB3E8AF84714F004919F59597292DA70DD64CB92

Function 002AB385 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(011D52B8), ref: 002AB41F
IsWindowEnabled.USER32(011D52B8), ref: 002AB42B
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 002AB50F
SendMessageW.USER32(011D52B8,000000B0,?,?), ref: 002AB546
IsDlgButtonChecked.USER32(?,?), ref: 002AB583
GetWindowLongW.USER32(011D52B8,000000EC), ref: 002AB5A5
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 002AB5BD

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 6e122269e09131f59aa922b68afc8eabce35ac28a05d90b27551f48c8b88aeb3
Instruction ID: 04cb543475e0053cde1e1c654213ffdba347343fbf6161dda685d8ff35de99e1
Opcode Fuzzy Hash: 6e122269e09131f59aa922b68afc8eabce35ac28a05d90b27551f48c8b88aeb3
Instruction Fuzzy Hash: 38719134660605EFDB229F65D8A8FAABBA9FF0E300F544059E95597263CB31AC60CF50

Function 0029F532 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0029F55C
_memset.LIBCMT ref: 0029F625
ShellExecuteExW.SHELL32(?), ref: 0029F66A

Part of subcall function 00229997: __itow.LIBCMT ref: 002299C2
Part of subcall function 00229997: __swprintf.LIBCMT ref: 00229A0C

Part of subcall function 0023FE06: _wcscpy.LIBCMT ref: 0023FE29

GetProcessId.KERNEL32(00000000), ref: 0029F6E1
CloseHandle.KERNEL32(00000000), ref: 0029F710

Strings

@, xrefs: 0029F639

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: f2a4cc4fa0e413f4dc6507ce597c83c0e88a9fa6de8d4ec8a276166382e501e0
Instruction ID: 3006a998ce209c85c80d9a83f3fa28a5caab975662fb3e121d587aace550eba6
Opcode Fuzzy Hash: f2a4cc4fa0e413f4dc6507ce597c83c0e88a9fa6de8d4ec8a276166382e501e0
Instruction Fuzzy Hash: E361AF75A106299FCF54DF94D5819ADBBF4FF48310F148469E856AB361CB30ADA0CF90

Function 0028127E Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 002812BD
GetKeyboardState.USER32(?), ref: 002812D2
SetKeyboardState.USER32(?), ref: 00281333
PostMessageW.USER32(?,00000101,00000010,?), ref: 00281361
PostMessageW.USER32(?,00000101,00000011,?), ref: 00281380
PostMessageW.USER32(?,00000101,00000012,?), ref: 002813C6
PostMessageW.USER32(?,00000101,0000005B,?), ref: 002813E9

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 661df2079bbbb681ab7085665afe60721c24e5d0d65f5e84b2a31749bb5183dd
Instruction ID: a3298d5a86ad99633d39247b2ebdb2b3455a3b473d909bcae38410780529b23d
Opcode Fuzzy Hash: 661df2079bbbb681ab7085665afe60721c24e5d0d65f5e84b2a31749bb5183dd
Instruction Fuzzy Hash: 1E51E5A4A257D23EFB366A348C45BBA7EAD5F06304F0885C9E0D5858C3C6D8ACF6D750

Function 00281097 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 002810D6
GetKeyboardState.USER32(?), ref: 002810EB
SetKeyboardState.USER32(?), ref: 0028114C
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00281178
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00281195
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 002811D9
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 002811FA

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 330ff6311d99f3d8d59cdf406526843bd429dfc1aa0c4e93488952d409d30dc3
Instruction ID: 8c9426a1e132e84fb09b8adcdc2e2b05cd13b6aaf963141f0a955b0106e4f1c9
Opcode Fuzzy Hash: 330ff6311d99f3d8d59cdf406526843bd429dfc1aa0c4e93488952d409d30dc3
Instruction Fuzzy Hash: 665169A45267D33DFB32AB208C49F767FAD5B02300F088589E5D9468C2C294ECBAE750

Function 002856A4 Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 002856B1
_wcsncpy.LIBCMT ref: 002856E6
_wcsncpy.LIBCMT ref: 00285718
_wcsncpy.LIBCMT ref: 0028574B
_wcsncpy.LIBCMT ref: 0028578D
_wcsncpy.LIBCMT ref: 002857C7
_wcsncpy.LIBCMT ref: 002857F6

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: ebcb1c22f4f04af97c2dd2de4a732a82603b25ed53bcb71a0cb1cf3064a55c81
Instruction ID: a641a9b74ac8369d3d14fa1aace57e1e80ba79dacb82cb429db254465ea1c7d1
Opcode Fuzzy Hash: ebcb1c22f4f04af97c2dd2de4a732a82603b25ed53bcb71a0cb1cf3064a55c81
Instruction Fuzzy Hash: B241C2A9C31A24B5CB15FBB49C46ACFB7BCAF05310F508466F908E3161E634A764CBE5

Function 0027D87B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0027D8E3
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0027D919
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0027D92A
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0027D9AC

Strings

,,+, xrefs: 0027D887
DllGetClassObject, xrefs: 0027D91F

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: ,,+$DllGetClassObject
API String ID: 753597075-2070356415
Opcode ID: 3b18a4bfcac211cec4849657e2478fa98e8fd86ccba6bc0ec911aeddcf1548fd
Instruction ID: 3965aafd1d0d23e71e6bb2a638bbd43d1ef19ebb5020ef10a0161e0e44305db6
Opcode Fuzzy Hash: 3b18a4bfcac211cec4849657e2478fa98e8fd86ccba6bc0ec911aeddcf1548fd
Instruction Fuzzy Hash: 6C41BF71620205EFDB04DF55C8C4A9ABBB9EF86314F11C0A9EE099F206DBB4DD50CBA0

Function 002836B5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 002846AF: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,002836DB,?), ref: 002846CC

Part of subcall function 002846AF: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,002836DB,?), ref: 002846E5

lstrcmpiW.KERNEL32(?,?), ref: 002836FB
_wcscmp.LIBCMT ref: 00283717
MoveFileW.KERNEL32(?,?), ref: 0028372F
_wcscat.LIBCMT ref: 00283777
SHFileOperationW.SHELL32(?), ref: 002837E3

Strings

\*.*, xrefs: 00283771

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: c08074cf8c0cfb5d53f43d79f89cca8601f26d0b0679467ad87a08e505be47eb
Instruction ID: 4377c5117366522681d1d977fe7949f7c450721b9fe05fe70a1ee531d9118e01
Opcode Fuzzy Hash: c08074cf8c0cfb5d53f43d79f89cca8601f26d0b0679467ad87a08e505be47eb
Instruction Fuzzy Hash: 3F41EDB6019385AAC755FF60D441ADBB7ECEF88740F40082EB08AC3191EA34D3A8CB52

Function 002A72C3 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002A72DC
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002A7383
IsMenu.USER32(?), ref: 002A739B
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 002A73E3
DrawMenuBar.USER32 ref: 002A73F6

Strings

0, xrefs: 002A72D0

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 2c0cc075e120e491298b3b59321a7a6baaf998fa1a870cceba8284a2867b13dc
Instruction ID: d26a9b9ac67d124c93e470113bd5fe8a36d119d336f8ede4ab70c5c547a94896
Opcode Fuzzy Hash: 2c0cc075e120e491298b3b59321a7a6baaf998fa1a870cceba8284a2867b13dc
Instruction Fuzzy Hash: 44414C75A14209EFDB20DF50E884E9ABBF8FB0A314F048069ED1697260DB34AD65DF94

Function 002A102D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 002A105C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002A1086
FreeLibrary.KERNEL32(00000000), ref: 002A113D

Part of subcall function 002A102D: RegCloseKey.ADVAPI32(?), ref: 002A10A3
Part of subcall function 002A102D: FreeLibrary.KERNEL32(?), ref: 002A10F5
Part of subcall function 002A102D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 002A1118

RegDeleteKeyW.ADVAPI32(?,?), ref: 002A10E0

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 7fda941d09bdf1a01eeae370937b0e9ce0ac58a6cdef8f8a4d8e8804d7139f4b
Instruction ID: 04707b44e2993b335523393e99e5d39ec934fb1b97b63b4cb4870b2b3e8fc746
Opcode Fuzzy Hash: 7fda941d09bdf1a01eeae370937b0e9ce0ac58a6cdef8f8a4d8e8804d7139f4b
Instruction Fuzzy Hash: C0314DB1921109BFDB148FD0ED89EFFB7BCEF0A350F000169E905A2141DE749E999AA0

Function 002A62FF Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 002A631E
GetWindowLongW.USER32(011D52B8,000000F0), ref: 002A6351
GetWindowLongW.USER32(011D52B8,000000F0), ref: 002A6386
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 002A63B8
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 002A63E2
GetWindowLongW.USER32(00000000,000000F0), ref: 002A63F3
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 002A640D

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 8b3e7fdc47757bab45ccd7dbbb41350899323d876dabcf2b98295d66875e893c
Instruction ID: d553406b69adbb4a775347c379729ab66d38e3a65d36f298144ecd87a3ed844a
Opcode Fuzzy Hash: 8b3e7fdc47757bab45ccd7dbbb41350899323d876dabcf2b98295d66875e893c
Instruction Fuzzy Hash: C0311135664251AFDB20CF58EC88F5537E5FB4AB14F1801A4FA148F2B2CB62AC91DB51

Function 00296289 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00297EA0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00297ECB

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 002962DC
WSAGetLastError.WSOCK32(00000000), ref: 002962EB
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00296324
connect.WSOCK32(00000000,?,00000010), ref: 0029632D
WSAGetLastError.WSOCK32 ref: 00296337
closesocket.WSOCK32(00000000), ref: 00296360
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00296379

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 5d5db747e83e0c3768a2cd97c40f2573b9d889432b04e2271f7fd4c69ef2458a
Instruction ID: c07400d016bee42c54a1ef864f535d84d3db277d983759e0085257ea9ec65bd2
Opcode Fuzzy Hash: 5d5db747e83e0c3768a2cd97c40f2573b9d889432b04e2271f7fd4c69ef2458a
Instruction Fuzzy Hash: 4E31F631620218AFDF109FA0DD89BBE77E9EF45720F004069FD0597290DB78AC548FA1

Function 0027F98F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0027F9A2
__wcsnicmp.LIBCMT ref: 0027F9C3
__wcsnicmp.LIBCMT ref: 0027F9DD

Strings

#notrayicon, xrefs: 0027F99A
#OnAutoItStartRegister, xrefs: 0027F9D7
#requireadmin, xrefs: 0027F9BD

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: cde57221c1195d675a4bde0394fa2778cfcdd5a24b3c3c5137f40f38a76d5958
Instruction ID: 9ae4ceb7d55874e178c1dfa6b1285794a27b6df68ca44b4c202a333940de717e
Opcode Fuzzy Hash: cde57221c1195d675a4bde0394fa2778cfcdd5a24b3c3c5137f40f38a76d5958
Instruction Fuzzy Hash: 9121373213C612B6D364EE259D02FB773989F62320F508035F98E86191EBB09DB6C695

Function 002A75FF Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00221D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00221D73
Part of subcall function 00221D35: GetStockObject.GDI32(00000011), ref: 00221D87
Part of subcall function 00221D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00221D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 002A7664
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 002A7671
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 002A767C
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 002A768B
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 002A7697

Strings

Msctls_Progress32, xrefs: 002A7635

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: a4dd6a7f6dc5b7b5cc3e37435d45ad2681280a3174a0987247918d14980df465
Instruction ID: ee0d74b6c513813759c6289864bedcb09adb5398f0ec5b694835025af624e722
Opcode Fuzzy Hash: a4dd6a7f6dc5b7b5cc3e37435d45ad2681280a3174a0987247918d14980df465
Instruction Fuzzy Hash: 3A11E2B212021ABFEF118FA4DC85EE77F6DEF09758F014115BA04A6090CA72AC31DBA4

Function 002AB669 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002AB678
_memset.LIBCMT ref: 002AB687
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,002E6F20,002E6F64), ref: 002AB6B6
CloseHandle.KERNEL32 ref: 002AB6C8

Strings

do., xrefs: 002AB681
o., xrefs: 002AB672

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID: o.$do.
API String ID: 3277943733-2344610618
Opcode ID: 082066e7a76a4053cf3ed0fdb0cfaed3858de6a7cb1950075439a6ec4d60daff
Instruction ID: c2b081d4c942feabdb43117b15cd8d9502fa40eed870498a382763c31d3fcc63
Opcode Fuzzy Hash: 082066e7a76a4053cf3ed0fdb0cfaed3858de6a7cb1950075439a6ec4d60daff
Instruction Fuzzy Hash: 9CF089B1590344BFE71027617C4DF7B3A5CEB15794F404020BA09D9992DB755C148BE8

Function 00244109 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,002441D2,?), ref: 00244123
GetProcAddress.KERNEL32(00000000), ref: 0024412A
EncodePointer.KERNEL32(00000000), ref: 00244136
DecodePointer.KERNEL32(00000001,002441D2,?), ref: 00244153

Strings

combase.dll, xrefs: 0024411E
RoInitialize, xrefs: 00244112

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 9e3d7af4df8c8b582e32e2a6f243a363ce7d7ac1973123c7b3b1e63cb5cb65d0
Instruction ID: 0264767dee69effa140ba5769eb3fb5388c11391f7f21fad69e43f0e0a029098
Opcode Fuzzy Hash: 9e3d7af4df8c8b582e32e2a6f243a363ce7d7ac1973123c7b3b1e63cb5cb65d0
Instruction Fuzzy Hash: B3E0ED706A0381AFEF50AFB0FD4DB543594A757747F904468B409DE0A0DAB941549A00

Function 002441DE Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,002440F8), ref: 002441F8
GetProcAddress.KERNEL32(00000000), ref: 002441FF
EncodePointer.KERNEL32(00000000), ref: 0024420A
DecodePointer.KERNEL32(002440F8), ref: 00244225

Strings

RoUninitialize, xrefs: 002441E7
combase.dll, xrefs: 002441F3

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 1413b1333f7ce81de503d3b0db8795ed3e9335fb34dc7ea80420fc155944c468
Instruction ID: 5c8bdf7ef23c4bbc30c76cc5b3f317483efb82c9a5055f25b0baa4fc143fae37
Opcode Fuzzy Hash: 1413b1333f7ce81de503d3b0db8795ed3e9335fb34dc7ea80420fc155944c468
Instruction Fuzzy Hash: B4E092706A1341EBEB90EFA2FE4DB453AA4B706783F1044A8F515EA0A0CFFA46149A10

Function 00286561 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 002866B4
_memmove.LIBCMT ref: 002865EF

Part of subcall function 00229997: __itow.LIBCMT ref: 002299C2
Part of subcall function 00229997: __swprintf.LIBCMT ref: 00229A0C

_memmove.LIBCMT ref: 00286662
_memmove.LIBCMT ref: 00286749
_memmove.LIBCMT ref: 00286762
_memmove.LIBCMT ref: 0028677E

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 55016113ab1fbb1911c622d322bd21517cfa51792b1fffc6c684ec480bef6ffe
Instruction ID: 9ae6af1713f0e655eb5e69140740d684e6b70d8dc0414a0d27ee607f1c8e6ce4
Opcode Fuzzy Hash: 55016113ab1fbb1911c622d322bd21517cfa51792b1fffc6c684ec480bef6ffe
Instruction Fuzzy Hash: E661DC3452126AAFDF15FF60C886EFE77A8AF04308F044428F9551B1D2EB34A8A5CF90

Function 002A026F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00227F41: _memmove.LIBCMT ref: 00227F82

Part of subcall function 002A0EA5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0029FE38,?,?), ref: 002A0EBC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002A0348
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002A0388
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 002A03AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 002A03D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 002A0417
RegCloseKey.ADVAPI32(00000000), ref: 002A0424

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 59a20833c65ddb9c069bd4fc6c699aa1ef8adc516a47ff8223db9a6a44e0b837
Instruction ID: 70e1184f6bec42944c1f5463de18c650b3afbc4652e6f73c6d0b35adc6663786
Opcode Fuzzy Hash: 59a20833c65ddb9c069bd4fc6c699aa1ef8adc516a47ff8223db9a6a44e0b837
Instruction Fuzzy Hash: 27513931128201AFDB14EF94D885E6EBBE8FF89314F04491DF585872A1DB71E924CF52

Function 002A5802 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 002A5864
GetMenuItemCount.USER32(00000000), ref: 002A589B
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 002A58C3
GetMenuItemID.USER32(?,?), ref: 002A5932
GetSubMenu.USER32(?,?), ref: 002A5940
PostMessageW.USER32(?,00000111,?,00000000), ref: 002A5991

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 98c6e6757e52e2d0fc44be1a60b469fb24efce73c4d03587319c7eb40fdb3906
Instruction ID: 2ee720c85c54b34c7519928803dfc757897330c77d443c6d7152eb677137f143
Opcode Fuzzy Hash: 98c6e6757e52e2d0fc44be1a60b469fb24efce73c4d03587319c7eb40fdb3906
Instruction Fuzzy Hash: 4351AC31A10A26EFCF14EFA4C845AAFB7B4EF49320F104069E905BB351CB74AE518F90

Function 0027F1FE Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0027F218
VariantClear.OLEAUT32(00000013), ref: 0027F28A
VariantClear.OLEAUT32(00000000), ref: 0027F2E5
_memmove.LIBCMT ref: 0027F30F
VariantClear.OLEAUT32(?), ref: 0027F35C
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0027F38A

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 85e20a332882e9f2c3ccd7b6dd4c08ac759199519d11dafb6e9f1c379474c170
Instruction ID: c3272ea389ab5909b769e1fbfcdd21f56fd4c7dadce1ec2d70d164dd5e0fe193
Opcode Fuzzy Hash: 85e20a332882e9f2c3ccd7b6dd4c08ac759199519d11dafb6e9f1c379474c170
Instruction Fuzzy Hash: 975169B5A10209EFDB14CF68C884AAAB7B8FF4C314B158569EE59DB301D730E911CFA0

Function 00282502 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00282550
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0028259B
IsMenu.USER32(00000000), ref: 002825BB
CreatePopupMenu.USER32 ref: 002825EF
GetMenuItemCount.USER32(000000FF), ref: 0028264D
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 0028267E

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 7724d241987d0eed300915ce9b7c87613f8d2e3613e93c7265575c00dbf9ec8d
Instruction ID: 54a2b3098bc4b93bbcad55edd36e718f32dfdfb4c7716e47f1ca16c462767230
Opcode Fuzzy Hash: 7724d241987d0eed300915ce9b7c87613f8d2e3613e93c7265575c00dbf9ec8d
Instruction Fuzzy Hash: DA51C374A12216DFCF24EF68D988AADBBF8FF05314F144159E811A72D0EB709968CB51

Function 00221765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00222612: GetWindowLongW.USER32(?,000000EB), ref: 00222623

BeginPaint.USER32(?,?,?,?,?,?), ref: 0022179A
GetWindowRect.USER32(?,?), ref: 002217FE
ScreenToClient.USER32(?,?), ref: 0022181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0022182C
EndPaint.USER32(?,?), ref: 00221876

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 697ed134a42354a3c78679244197a370bc8dd8110180b277370c9d351421862c
Instruction ID: 6a0cca80dfbaf970e4d5df96ed200c933372e93765f96b312f885b363e084081
Opcode Fuzzy Hash: 697ed134a42354a3c78679244197a370bc8dd8110180b277370c9d351421862c
Instruction Fuzzy Hash: E041D130120661AFD711DF64ECC8F767BE8FB56724F040269FAA48A1A1C7709865CB62

Function 002AB6D2 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(002E57B0,00000000,011D52B8,?,?,002E57B0,?,002AB5DC,?,?), ref: 002AB746
EnableWindow.USER32(00000000,00000000), ref: 002AB76A
ShowWindow.USER32(002E57B0,00000000,011D52B8,?,?,002E57B0,?,002AB5DC,?,?), ref: 002AB7CA
ShowWindow.USER32(00000000,00000004,?,002AB5DC,?,?), ref: 002AB7DC
EnableWindow.USER32(00000000,00000001), ref: 002AB800
SendMessageW.USER32(?,0000130C,?,00000000), ref: 002AB823

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 8c02bf25ac2c83d45791764a73838ee87cbc6353be2a6e1b817dbd2f6d051c19
Instruction ID: 960435317d579ae4362ffae6f8f757a44f4915cc663870934eaa2cb06312f9f5
Opcode Fuzzy Hash: 8c02bf25ac2c83d45791764a73838ee87cbc6353be2a6e1b817dbd2f6d051c19
Instruction Fuzzy Hash: FC41B535610141EFDB23CF28C889BA0BBE4FF46300F1841B9E9488F2A3CB75A895CB50

Function 002971B3 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00294F57,?,?,00000000,00000001), ref: 002971C1

Part of subcall function 00293AB6: GetWindowRect.USER32(?,?), ref: 00293AC9

GetDesktopWindow.USER32 ref: 002971EB
GetWindowRect.USER32(00000000), ref: 002971F2
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00297224

Part of subcall function 002852EB: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00285363

GetCursorPos.USER32(?), ref: 00297250
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 002972AE

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: f930bda80f383cabc1de835e27de1e6de8ec15ab804f3c22ade69aaf0a4495ad
Instruction ID: 0377a083ee5be49dee81252af2867efd112dfc3882d2020e5f49f1f07baed113
Opcode Fuzzy Hash: f930bda80f383cabc1de835e27de1e6de8ec15ab804f3c22ade69aaf0a4495ad
Instruction Fuzzy Hash: E1310672529306AFC720DF54D849B9BB7E9FF89304F000929F98997191CB34E918CB92

Function 00278B3B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002783D1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 002783E8
Part of subcall function 002783D1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 002783F2
Part of subcall function 002783D1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00278401
Part of subcall function 002783D1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00278408
Part of subcall function 002783D1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0027841E

GetLengthSid.ADVAPI32(?,00000000,00278757), ref: 00278B8C
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00278B98
HeapAlloc.KERNEL32(00000000), ref: 00278B9F
CopySid.ADVAPI32(00000000,00000000,?), ref: 00278BB8
GetProcessHeap.KERNEL32(00000000,00000000,00278757), ref: 00278BCC
HeapFree.KERNEL32(00000000), ref: 00278BD3

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: e63421040ca890154f3b2f78ffae4db836d76b59c5cdb3614056a3d694bf3e01
Instruction ID: 769e20fd154f18cbdfb7a0da1580552b1290e479e40f848cbabeefbd7e8055aa
Opcode Fuzzy Hash: e63421040ca890154f3b2f78ffae4db836d76b59c5cdb3614056a3d694bf3e01
Instruction Fuzzy Hash: 7D11EEB1661206FFDB508FA4DC0DFAE7BA9EB46319F108028E849D3210DB369A11CB60

Function 002788D9 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 0027890A
OpenProcessToken.ADVAPI32(00000000), ref: 00278911
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00278920
CloseHandle.KERNEL32(00000004), ref: 0027892B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0027895A
DestroyEnvironmentBlock.USERENV(00000000), ref: 0027896E

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: bd65318bedb046a392f7e464627c9da48c8885b30cd8f642d46822821cd9c7c0
Instruction ID: a14aa0b99ba61c15b889e23890e13936dbe82cf3055f1a64c11c23c426765910
Opcode Fuzzy Hash: bd65318bedb046a392f7e464627c9da48c8885b30cd8f642d46822821cd9c7c0
Instruction Fuzzy Hash: EF115C7254024EEBDF018FA4ED4DBEA7BA9EF0A308F044064FE04A2160CB758D60DB61

Function 0027BA52 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0027BA77
GetDeviceCaps.GDI32(00000000,00000058), ref: 0027BA88
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0027BA8F
ReleaseDC.USER32(00000000,00000000), ref: 0027BA97
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0027BAAE
MulDiv.KERNEL32(000009EC,?,?), ref: 0027BAC0

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 56ba1ce6d9850721900a8dc773846ec6bc55bd3894e98eb7e556bfcbf99aef97
Instruction ID: 0c6a47f471860333bfa7e7f5f5b26bc02b510e8b6fe4f6a130ce212e98a9317c
Opcode Fuzzy Hash: 56ba1ce6d9850721900a8dc773846ec6bc55bd3894e98eb7e556bfcbf99aef97
Instruction Fuzzy Hash: 32017175E00319BBEB109BE59D49A5EBFB8EB49711F004065FA08A7291DA359910CF90

Function 002402E2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00240313
MapVirtualKeyW.USER32(00000010,00000000), ref: 0024031B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00240326
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00240331
MapVirtualKeyW.USER32(00000011,00000000), ref: 00240339
MapVirtualKeyW.USER32(00000012,00000000), ref: 00240341

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 3448ea43650c14ee627b6924aaba1868e30041157131772cb18e62501c6f9f0d
Instruction ID: a3ec5f03091ed4a5c5c30b0b4720d1b25519f379ab2c1ba95de9e19088de3701
Opcode Fuzzy Hash: 3448ea43650c14ee627b6924aaba1868e30041157131772cb18e62501c6f9f0d
Instruction Fuzzy Hash: 8D016CB09017597DE3008F5A8C85B52FFA8FF19754F00411BA15C47941C7F5A864CFE5

Function 00285490 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 002854A0
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 002854B6
GetWindowThreadProcessId.USER32(?,?), ref: 002854C5
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002854D4
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002854DE
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002854E5

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 6023ea1356b43582d314992b76e7b071ad7f3e8528f8c7005089d1c3a0520ff7
Instruction ID: e6e6a4c285971b9895110d00fbd0029906b61563a5699e92aaa2389d74b5a3f5
Opcode Fuzzy Hash: 6023ea1356b43582d314992b76e7b071ad7f3e8528f8c7005089d1c3a0520ff7
Instruction Fuzzy Hash: 74F01D32241158BBE7715BE2ED0DEAB7A7CEBCBB11F000169FA14D10909AA91A0186B5

Function 002872D9 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 002872EC
EnterCriticalSection.KERNEL32(?,?,00231044,?,?), ref: 002872FD
TerminateThread.KERNEL32(00000000,000001F6,?,00231044,?,?), ref: 0028730A
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00231044,?,?), ref: 00287317

Part of subcall function 00286CDE: CloseHandle.KERNEL32(00000000,?,00287324,?,00231044,?,?), ref: 00286CE8

InterlockedExchange.KERNEL32(?,000001F6), ref: 0028732A
LeaveCriticalSection.KERNEL32(?,?,00231044,?,?), ref: 00287331

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: b859d2c3617705a7e03f748e3d3b7784fcb8fe0dc74c28dc68fe0b9df1377368
Instruction ID: 121f5d56c224482ed6fe8ff55da258c51cafa23e1a829168ef87f506d219638c
Opcode Fuzzy Hash: b859d2c3617705a7e03f748e3d3b7784fcb8fe0dc74c28dc68fe0b9df1377368
Instruction Fuzzy Hash: 9CF0893A141712EBD7A12FA4FE8CADB7739FF46302B140531F902910A0CF795811CB50

Function 00278C54 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00278C5F
UnloadUserProfile.USERENV(?,?), ref: 00278C6B
CloseHandle.KERNEL32(?), ref: 00278C74
CloseHandle.KERNEL32(?), ref: 00278C7C
GetProcessHeap.KERNEL32(00000000,?), ref: 00278C85
HeapFree.KERNEL32(00000000), ref: 00278C8C

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 21c6f92b3dc9cf5cd186ab64d0dbebc86cf2395a7ba424d49dbcdf2e45fc2580
Instruction ID: 34e8515ff98b671708850325f9feca248b8d5f0146d2269e19d72bdc30dd85d0
Opcode Fuzzy Hash: 21c6f92b3dc9cf5cd186ab64d0dbebc86cf2395a7ba424d49dbcdf2e45fc2580
Instruction Fuzzy Hash: 50E05276104505FFDB811FE5FE0C95ABB69FB8A762B508631F21981470CF3A9461DB50

Function 00277858 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,002B2C7C,?), ref: 00277A12
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,002B2C7C,?), ref: 00277A2A
CLSIDFromProgID.OLE32(?,?,00000000,002AFB80,000000FF,?,00000000,00000800,00000000,?,002B2C7C,?), ref: 00277A4F
_memcmp.LIBCMT ref: 00277A70

Strings

,,+, xrefs: 00277865

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID: ,,+
API String ID: 314563124-1536947320
Opcode ID: afe9dd4b0573b97b76b6c9721de85a7fddc055781ab764cab9e26cb62afd3d9a
Instruction ID: 298b3dc27a42a3eab8ad0e08142c8ab3e3da377675c2279156e79728a423372b
Opcode Fuzzy Hash: afe9dd4b0573b97b76b6c9721de85a7fddc055781ab764cab9e26cb62afd3d9a
Instruction Fuzzy Hash: 19813D71A1010AEFCB04DFD4C988EEEB7B9FF89315F208598E515AB250DB71AE15CB60

Function 00298702 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00298728
CharUpperBuffW.USER32(?,?), ref: 00298837
VariantClear.OLEAUT32(?), ref: 002989AF

Part of subcall function 0028760B: VariantInit.OLEAUT32(00000000), ref: 0028764B
Part of subcall function 0028760B: VariantCopy.OLEAUT32(00000000,?), ref: 00287654
Part of subcall function 0028760B: VariantClear.OLEAUT32(00000000), ref: 00287660

Strings

AUTOIT.ERROR, xrefs: 0029883D
Incorrect Parameter format, xrefs: 00298760, 00298922

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: c8616bb4cdad3c6dcb19180c759ff6ed15d70b0d2dc2696610a715e3a7778675
Instruction ID: 9f3a4a6e2b2fe12545c53643c80f32e2cdc222f11817c3bb35125ae4166fe18e
Opcode Fuzzy Hash: c8616bb4cdad3c6dcb19180c759ff6ed15d70b0d2dc2696610a715e3a7778675
Instruction Fuzzy Hash: AE919F75628301DFCB10DF64C48096ABBE4EF89314F18896EF88A8B361DB31E955CF52

Function 00282D8E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0023FE06: _wcscpy.LIBCMT ref: 0023FE29

_memset.LIBCMT ref: 00282E7F
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00282EAE
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00282F61
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00282F8F

Strings

0, xrefs: 00282E6B

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: f640c960c99bba43f13df046037207797970aeade7c4ff4a7a69127eeb481c6c
Instruction ID: be9f30e0720af9a7bdfb59fd5371b3a0f4ffadd324f34750f24c92904f6b601e
Opcode Fuzzy Hash: f640c960c99bba43f13df046037207797970aeade7c4ff4a7a69127eeb481c6c
Instruction Fuzzy Hash: 3151DF7553A312DED724EF28D84466BB7E4EFA5310F040A2DFA84D25E0DB70D968CB92

Function 00282A4B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00282AB8
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00282AD4
DeleteMenu.USER32(?,00000007,00000000), ref: 00282B1A
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,002E5890,00000000), ref: 00282B63

Strings

0, xrefs: 00282AAD

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: c1fa6384a2707abba3578077958ba55e524c7a0e7033f2ef44a0c025de6ea2fe
Instruction ID: 75b8559376c9ac33e31479127f8c5628c9829ce903cea7dfb163cb7c42159370
Opcode Fuzzy Hash: c1fa6384a2707abba3578077958ba55e524c7a0e7033f2ef44a0c025de6ea2fe
Instruction Fuzzy Hash: 8B41D234216302DFD720EF24D885B2ABBE8AF85324F10461DF865972D1D770E928CB62

Function 0029D8B9 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0029D8D9

Part of subcall function 002279AB: _memmove.LIBCMT ref: 002279F9

Strings

stdcall, xrefs: 0029D95B
none, xrefs: 0029D9B4
winapi, xrefs: 0029D94A
cdecl, xrefs: 0029D930

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 395e2724454cebb348f7009274b3bf951cb53400698b826c4293363c9590d34b
Instruction ID: 9a834310893bc39b5e916e5e3176315798f39158fb56e7f37e9dc3e7eb327116
Opcode Fuzzy Hash: 395e2724454cebb348f7009274b3bf951cb53400698b826c4293363c9590d34b
Instruction Fuzzy Hash: 0331B270524616ABDF00EF94C8D19EEB3B4FF05710B108A6AE865973D1DB71AD65CF80

Function 00279152 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00227F41: _memmove.LIBCMT ref: 00227F82

Part of subcall function 0027AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 0027AEC7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 002791D6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 002791E9
SendMessageW.USER32(?,00000189,?,00000000), ref: 00279219

Part of subcall function 00227D2C: _memmove.LIBCMT ref: 00227D66

Strings

ListBox, xrefs: 00279195
ComboBox, xrefs: 00279160

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: bef7f8cd5aad56a486cd8f7225bf56f213432a5deb23ce4866f567651dc44642
Instruction ID: d09fdbf791b448af13043c4be4f0528f264bcceaafe784fc033416f5a413ff04
Opcode Fuzzy Hash: bef7f8cd5aad56a486cd8f7225bf56f213432a5deb23ce4866f567651dc44642
Instruction Fuzzy Hash: 3921F8719242047FDB14ABB4DC8ACFEB778DF46360B148129F829972E1DF790D699A10

Function 00291943 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00291962
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00291988
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 002919B8
InternetCloseHandle.WININET(00000000), ref: 002919FF

Part of subcall function 00292599: GetLastError.KERNEL32(?,?,0029192D,00000000,00000000,00000001), ref: 002925AE
Part of subcall function 00292599: SetEvent.KERNEL32(?,?,0029192D,00000000,00000000,00000001), ref: 002925C3

Strings

, xrefs: 002919A9

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 0cec69604eb53fbd88c42d75b2346e5490014e5609fca53b8e1e9ac48ef0d601
Instruction ID: 35faca627524677dd3c299fe313683322f1eb79bc8591a5251e318a46ef27bcf
Opcode Fuzzy Hash: 0cec69604eb53fbd88c42d75b2346e5490014e5609fca53b8e1e9ac48ef0d601
Instruction Fuzzy Hash: C421D4B162020ABFEF11DFA5DD95EBF77ACEB49744F10012AF40592200EF649E259BA1

Function 002A6419 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00221D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00221D73
Part of subcall function 00221D35: GetStockObject.GDI32(00000011), ref: 00221D87
Part of subcall function 00221D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00221D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 002A6493
LoadLibraryW.KERNEL32(?), ref: 002A649A
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 002A64AF
DestroyWindow.USER32(?), ref: 002A64B7

Strings

SysAnimate32, xrefs: 002A646E

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: fd2b19b2bd481c0a0d6035a3818a809290f4568c8cb92f103889376c0b323cad
Instruction ID: fc3c47c868329705e798bb634069127a753119544946621a374f724aeb329232
Opcode Fuzzy Hash: fd2b19b2bd481c0a0d6035a3818a809290f4568c8cb92f103889376c0b323cad
Instruction Fuzzy Hash: 0B21D771120606AFEF204F64EC88EBB77ADEF5E764F188615FA1096190CB71CC619760

Function 00286E45 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00286E65
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00286E98
GetStdHandle.KERNEL32(0000000C), ref: 00286EAA
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00286EE4

Strings

nul, xrefs: 00286EDF

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 612ebfbe63170773701852c9f679291081e4cb4d37e0c3de7957867f415f44d7
Instruction ID: 5299c5ae759a5089c6493ab14c0df82147c155e762c0a3c32292b8ac2831aaf5
Opcode Fuzzy Hash: 612ebfbe63170773701852c9f679291081e4cb4d37e0c3de7957867f415f44d7
Instruction Fuzzy Hash: 3C21627D621206ABDB20AF69DC4DE9A77F4AF55720F204629FDA0D72D0DB7098608B50

Function 00286F13 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00286F32
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00286F64
GetStdHandle.KERNEL32(000000F6), ref: 00286F75
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00286FAF

Strings

nul, xrefs: 00286FAA

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 77e14b6d1f42eff6b2d92cad05bcb923c517d4d5ea93ed9e6a1fcf79609e9346
Instruction ID: 3e18c9c4f095def6a962973e102073e3a73af36fe1f89146a4d335a3d083db3f
Opcode Fuzzy Hash: 77e14b6d1f42eff6b2d92cad05bcb923c517d4d5ea93ed9e6a1fcf79609e9346
Instruction Fuzzy Hash: 7E21D6796113069BDB20AF68AC0CB9977E8FF55320F204659FEA2D3AD0DB70D8618B50

Function 0028ACCA Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0028ACDE
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0028AD32
__swprintf.LIBCMT ref: 0028AD4B
SetErrorMode.KERNEL32(00000000,00000001,00000000,002AF910), ref: 0028AD89

Strings

%lu, xrefs: 0028AD45

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 5b2f8775599e3dec63d0bd426933396e8f9731f27a7d82d9ed64e670502221a9
Instruction ID: c11067a665e896f51ebd327dc8ce1214f93a2fe17f016faea58b546c0c078358
Opcode Fuzzy Hash: 5b2f8775599e3dec63d0bd426933396e8f9731f27a7d82d9ed64e670502221a9
Instruction Fuzzy Hash: 6F218334A10209AFCB10EFA4DD85EAE77B8EF49704B104069F509DB252DF71EA55CF61

Function 0027A30F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00227D2C: _memmove.LIBCMT ref: 00227D66

Part of subcall function 0027A15C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0027A179
Part of subcall function 0027A15C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0027A18C
Part of subcall function 0027A15C: GetCurrentThreadId.KERNEL32 ref: 0027A193
Part of subcall function 0027A15C: AttachThreadInput.USER32(00000000), ref: 0027A19A

GetFocus.USER32 ref: 0027A334

Part of subcall function 0027A1A5: GetParent.USER32(?), ref: 0027A1B3

GetClassNameW.USER32(?,?,00000100), ref: 0027A37D
EnumChildWindows.USER32(?,0027A3F5), ref: 0027A3A5
__swprintf.LIBCMT ref: 0027A3BF

Strings

%s%d, xrefs: 0027A3B9

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: 0a0c0941591c52e12df2b522262c5cef551d1d34d9c05cd0bc82225bf25bc7f1
Instruction ID: 44e7fe5cb2174815c47174deb233d2926c9512d5bdae5525dd301b910f415e35
Opcode Fuzzy Hash: 0a0c0941591c52e12df2b522262c5cef551d1d34d9c05cd0bc82225bf25bc7f1
Instruction Fuzzy Hash: 7D11A2716242197BDF11BFA0EC85FEE777CAF85710F0080B5B91CAA142CA7459658F71

Function 0029EC69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0029ED1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0029ED4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0029EE7E
CloseHandle.KERNEL32(?), ref: 0029EEFF

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 086b94f91c5d92917a1331f914c907c08af8c820a7e37958a24d1abb9800a37d
Instruction ID: f230047803395d71acbce96848eef48380b0638e5f851c6f52e54970d420b874
Opcode Fuzzy Hash: 086b94f91c5d92917a1331f914c907c08af8c820a7e37958a24d1abb9800a37d
Instruction Fuzzy Hash: 96817571620311AFDB20DF64D846F2AB7E5AF48720F15881DF599D7292DBB0EC508F51

Function 002A00C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00227F41: _memmove.LIBCMT ref: 00227F82

Part of subcall function 002A0EA5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0029FE38,?,?), ref: 002A0EBC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002A0188
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002A01C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 002A020E
RegCloseKey.ADVAPI32(?,?), ref: 002A023A
RegCloseKey.ADVAPI32(00000000), ref: 002A0247

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 7b936200c745beaac49cb29c0d3d94b144ce839fb816ba53de7aeebbf2192fbc
Instruction ID: 764b0b9e06f41eccb2142994419012342c3d9bde39ea921bc1eba0f025279f02
Opcode Fuzzy Hash: 7b936200c745beaac49cb29c0d3d94b144ce839fb816ba53de7aeebbf2192fbc
Instruction Fuzzy Hash: 29514971228205AFD704EFA4D885F6AB7E8FF89304F04892DB59987291DB71E924CF52

Function 0029D9DC Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00229997: __itow.LIBCMT ref: 002299C2
Part of subcall function 00229997: __swprintf.LIBCMT ref: 00229A0C

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0029DA3B
GetProcAddress.KERNEL32(00000000,?), ref: 0029DABE
GetProcAddress.KERNEL32(00000000,00000000), ref: 0029DADA
GetProcAddress.KERNEL32(00000000,?), ref: 0029DB1B
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0029DB35

Part of subcall function 00225B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,0028793F,?,?,00000000), ref: 00225B8C
Part of subcall function 00225B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,0028793F,?,?,00000000,?,?), ref: 00225BB0

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 3e06e7f46cfbbc1ee68fc7ca83347c27fc07c70b6d0a377a2d2c76aa362edefd
Instruction ID: 299f4c33aeeea633fd9b6853d162f734f9deb655bfa4f2165bd73ef8d98ea837
Opcode Fuzzy Hash: 3e06e7f46cfbbc1ee68fc7ca83347c27fc07c70b6d0a377a2d2c76aa362edefd
Instruction Fuzzy Hash: 2C514735A14216EFDB00EFA8D4959ADB7F4FF19324B04C069E819AB311DB30AD65CF90

Function 0028E5FD Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0028E6AB
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0028E6D4
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0028E713

Part of subcall function 00229997: __itow.LIBCMT ref: 002299C2
Part of subcall function 00229997: __swprintf.LIBCMT ref: 00229A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0028E738
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0028E740

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 1361b25ba15d6924892ba8618ed1f5c87744c8417c036ab75bff472c2c222af0
Instruction ID: ab6dd9b181a5c72aa558c56f7b47e98dc4ffa456cd332daab2408c5ba7b209e4
Opcode Fuzzy Hash: 1361b25ba15d6924892ba8618ed1f5c87744c8417c036ab75bff472c2c222af0
Instruction Fuzzy Hash: F0513B35A10215EFDF10EFA4D985AADBBF5EF08310B148099E849AB361CB31ED61CF50

Function 002AA088 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 878abe3f387512fff934aa1ab3b2c05dae866626f0367d6df25b16f1117062d4
Instruction ID: 347522505b99da9a4fa6d1452b7a3b1e6eefd027bae1f62d4e83e199f2289c8a
Opcode Fuzzy Hash: 878abe3f387512fff934aa1ab3b2c05dae866626f0367d6df25b16f1117062d4
Instruction Fuzzy Hash: F2411835920255BFC720DF68DC49FA9BBA4EF0B310F150165F81AA72E1CF709D61DA61

Function 00222344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00222357
ScreenToClient.USER32(002E57B0,?), ref: 00222374
GetAsyncKeyState.USER32(00000001), ref: 00222399
GetAsyncKeyState.USER32(00000002), ref: 002223A7

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 35978ce0c355fcc6a71a3262d390f19fa9fce260f0d9a829237f811a581f002d
Instruction ID: 66eda924deda5ba41194208974d6cb4f1717dffd064bbfb543c57875f26df50d
Opcode Fuzzy Hash: 35978ce0c355fcc6a71a3262d390f19fa9fce260f0d9a829237f811a581f002d
Instruction Fuzzy Hash: A541B635918116FFCF15DFA4D844AEDBB74FB05320F204366F82892291DB756968DF90

Function 00276700 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0027673D
TranslateAcceleratorW.USER32(?,?,?), ref: 00276789
TranslateMessage.USER32(?), ref: 002767B2
DispatchMessageW.USER32(?), ref: 002767BC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002767CB

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: d1024aae19ddcccb638a0f820e1ad6e3a979a7d488e34097019067a38b2fb29d
Instruction ID: edda1927430c8c8a47087999d6ba80dcb25e7401492f97cf1770baaf309739d4
Opcode Fuzzy Hash: d1024aae19ddcccb638a0f820e1ad6e3a979a7d488e34097019067a38b2fb29d
Instruction Fuzzy Hash: 4431C530960A579FDB248FB0AC8CFB6BBACEB05748F148125E429C61A1E7749869DB50

Function 00278CE1 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00278CF2
PostMessageW.USER32(?,00000201,00000001), ref: 00278D9C
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00278DA4
PostMessageW.USER32(?,00000202,00000000), ref: 00278DB2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00278DBA

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: f646dc35f491bd1153252cd6bfcf1e0c9e94496e75a412d0523d10068c4f72d9
Instruction ID: a96a7ef111622f84285d4e14c5d8a2d34cfefef9062fa0cc9bc5f0e3cf409753
Opcode Fuzzy Hash: f646dc35f491bd1153252cd6bfcf1e0c9e94496e75a412d0523d10068c4f72d9
Instruction Fuzzy Hash: 2631C07150021AEFDF24CFB8E94DA9E3BB5EB15315F108229F929E61D0CBB49924DB90

Function 0027B4AE Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0027B4C6
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0027B4E3
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0027B51B
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0027B541
_wcsstr.LIBCMT ref: 0027B54B

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 00f65310bee3474812fd42c7a9c114e4b3bf25407b6e4fc5ebe3dba09538264f
Instruction ID: 0b3e29921f97d34101f8258ec13a00bdfa0ce1727923a4c5742e4fe58f9bb5c4
Opcode Fuzzy Hash: 00f65310bee3474812fd42c7a9c114e4b3bf25407b6e4fc5ebe3dba09538264f
Instruction Fuzzy Hash: 1B21DA32624101BBEB269F799C49F7B7B9CDF45760F008039F909DA161EFB5DC6096A0

Function 002AB17F Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00222612: GetWindowLongW.USER32(?,000000EB), ref: 00222623

GetWindowLongW.USER32(?,000000F0), ref: 002AB1C6
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 002AB1EB
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 002AB203
GetSystemMetrics.USER32(00000004), ref: 002AB22C
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00290FA5,00000000), ref: 002AB24A

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 40846f242bd66179e7f294fec7292f522af0034341d76214148d37e1633eda96
Instruction ID: aa38165ba96e0499f4ebf6caec2f31ad874c53ab35f013cb85138ff30929d60f
Opcode Fuzzy Hash: 40846f242bd66179e7f294fec7292f522af0034341d76214148d37e1633eda96
Instruction Fuzzy Hash: 43218031930666AFCB219F789C08B6A37A4EB06725F104739FD26D61E1EB309864DB90

Function 002795C9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 002795E2

Part of subcall function 00227D2C: _memmove.LIBCMT ref: 00227D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00279614
__itow.LIBCMT ref: 0027962C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00279654
__itow.LIBCMT ref: 00279665

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 1df73f06d30fe47eae5f184ad85a6a7715f2d7624bd743d0ae5437165fbba3e6
Instruction ID: 1e1399766499c31c2cca1b96004cf5d1de071b9bfa1034084cba2b96d362780a
Opcode Fuzzy Hash: 1df73f06d30fe47eae5f184ad85a6a7715f2d7624bd743d0ae5437165fbba3e6
Instruction Fuzzy Hash: 8C21DA317203157FDB149FA49C8AEEE7BACDF59720F044129FD08D7251DA708DA58B91

Function 002212F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0022134D
SelectObject.GDI32(?,00000000), ref: 0022135C
BeginPath.GDI32(?), ref: 00221373
SelectObject.GDI32(?,00000000), ref: 0022139C

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 8e152ffc9ca663776cbcc4b5cfbc7552e234f545cc3b68e85902de4c71cc67cf
Instruction ID: 79d7c966460434164697f4d5ebd25ecde47e5a60dfcf9645ab9df3bb81a1cd1d
Opcode Fuzzy Hash: 8e152ffc9ca663776cbcc4b5cfbc7552e234f545cc3b68e85902de4c71cc67cf
Instruction Fuzzy Hash: B321AE30820669EBDB10CFA4FC8CB697BE9FB10325F144266F8009A0B0D7B588B1CF80

Function 00284B3A Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00284B61
__beginthreadex.LIBCMT ref: 00284B7F
MessageBoxW.USER32(?,?,?,?), ref: 00284B94
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00284BAA
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00284BB1

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 9c9f58a9c2ab5daa1dc6cf4977a91d95d6533585a7d28b34d4b806291372b8ad
Instruction ID: db8672411f3c3b9a5991863f02ad830eaebe2b9a79168b924867100257e8b4f9
Opcode Fuzzy Hash: 9c9f58a9c2ab5daa1dc6cf4977a91d95d6533585a7d28b34d4b806291372b8ad
Instruction Fuzzy Hash: AF114876915655BBCB40AFB8AC48A9A7FACAB45328F140265FD14D3290C675CD108BA0

Function 0027852A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00278546
GetLastError.KERNEL32(?,0027800A,?,?,?), ref: 00278550
GetProcessHeap.KERNEL32(00000008,?,?,0027800A,?,?,?), ref: 0027855F
HeapAlloc.KERNEL32(00000000,?,0027800A,?,?,?), ref: 00278566
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0027857D

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 67290a9b033574f7a50665a543f049ce2d90181829a3097ac87d90629a341874
Instruction ID: 757377bd3e9cec9102663814b8d6d19cbe383e0dc06d9fffee625a736ef4242c
Opcode Fuzzy Hash: 67290a9b033574f7a50665a543f049ce2d90181829a3097ac87d90629a341874
Instruction Fuzzy Hash: 820146B1250205EFDB214FA6ED4DD6B7BACEF8A755B54456AF909C2220DE328D10CA60

Function 002852EB Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00285307
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00285315
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 0028531D
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00285327
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00285363

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 0969109957f141c3320528ec4082379308dcab0e409c7275d486e7c388fb679c
Instruction ID: 9c74929bae2525af8891bf4cf425da9167c341af8059b594790fba3035c1b40f
Opcode Fuzzy Hash: 0969109957f141c3320528ec4082379308dcab0e409c7275d486e7c388fb679c
Instruction Fuzzy Hash: 12016D35C22A2DDBCF00AFE4E98CAEDBBB8FB09301F050499E945F2180CF7455659BA1

Function 00277432 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0027736C,80070057,?,?,?,0027777D), ref: 0027744F
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0027736C,80070057,?,?), ref: 0027746A
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0027736C,80070057,?,?), ref: 00277478
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0027736C,80070057,?), ref: 00277488
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0027736C,80070057,?,?), ref: 00277494

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: c0531d629636e3e6ce8781a04e0f0ca7838f0ea276fca2d2b4b16d33bcf68fd4
Instruction ID: ac76eed5bbbf5a042ebc2b8cecdb87fc5444b8d82f97fbdedc7f432e5775d851
Opcode Fuzzy Hash: c0531d629636e3e6ce8781a04e0f0ca7838f0ea276fca2d2b4b16d33bcf68fd4
Instruction Fuzzy Hash: 5801B176610305BFDB104F64ED08AAA7FBCEB45752F108064F908D2220DB75DD109BA0

Function 002783D1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 002783E8
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 002783F2
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00278401
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00278408
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0027841E

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: a10b6e6417f096d7e903a890d52eda0190988f3522bd984f586b381cbe59528e
Instruction ID: ed085676c5832db562c9aa0bd9f5bf5e17ec9983d28cc68094d067dcebb52bf9
Opcode Fuzzy Hash: a10b6e6417f096d7e903a890d52eda0190988f3522bd984f586b381cbe59528e
Instruction Fuzzy Hash: F6F0CD30254206EFEB601FA4EC9CE6B3BACEF8A755B004029F909C2150CFB49C51DA61

Function 00278432 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00278449
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00278453
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00278462
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00278469
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0027847F

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: d7abefb8054c0c37de24869b21f7cd549d0e8dec1b286c7dab2af5f599138470
Instruction ID: c8ecedd1f01bb4110d1427aa8064b1b359a361cfb7d3881cf0d33913f2341ef4
Opcode Fuzzy Hash: d7abefb8054c0c37de24869b21f7cd549d0e8dec1b286c7dab2af5f599138470
Instruction Fuzzy Hash: F4F0A930250306AFEBA11FA4EC9DE6B3BACEF8A765B044029F909C3150CFB49810DA60

Function 0027C4A5 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0027C4B9
GetWindowTextW.USER32(00000000,?,00000100), ref: 0027C4D0
MessageBeep.USER32(00000000), ref: 0027C4E8
KillTimer.USER32(?,0000040A), ref: 0027C504
EndDialog.USER32(?,00000001), ref: 0027C51E

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: a005529eefc44b1c5fc664c71c93bdef0c334ee5e385e73d81a2d0ad93e8c211
Instruction ID: 357e476e03795798563c935115efa0d15f8e5ad03ce099181091351a4f3fa43e
Opcode Fuzzy Hash: a005529eefc44b1c5fc664c71c93bdef0c334ee5e385e73d81a2d0ad93e8c211
Instruction Fuzzy Hash: C201A230410304ABEB205F70ED4EBA677BCFF01B05F04466DE596A14E1DBF569688A80

Function 002213B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 002213BF
StrokeAndFillPath.GDI32(?,?,0025BA08,00000000,?), ref: 002213DB
SelectObject.GDI32(?,00000000), ref: 002213EE
DeleteObject.GDI32 ref: 00221401
StrokePath.GDI32(?), ref: 0022141C

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 130b6bafe142b2bc0c609a1db07f25e292482d203b7e455640efca303e29e027
Instruction ID: 06c57f9528fba006d346c289de8d8c6651d414cc0cef3383e547b55cc8c9f5fe
Opcode Fuzzy Hash: 130b6bafe142b2bc0c609a1db07f25e292482d203b7e455640efca303e29e027
Instruction Fuzzy Hash: B8F01930060B59EBDB559FA6FD8CB583BE5AB1132AF088224E469880F1CB7549A5DF10

Function 00232E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00240F36: std::exception::exception.LIBCMT ref: 00240F6C
Part of subcall function 00240F36: __CxxThrowException@8.LIBCMT ref: 00240F81

Part of subcall function 00227F41: _memmove.LIBCMT ref: 00227F82

Part of subcall function 00227BB1: _memmove.LIBCMT ref: 00227C0B

__swprintf.LIBCMT ref: 0023302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00232EC6

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 119306c83695454d5c7d79b3212c82c5e851d3de43966df9c5b360ebc5794cd5
Instruction ID: f942905f977f0203bfd1b375fdb95d72fef05b600a68af14300657f0832351aa
Opcode Fuzzy Hash: 119306c83695454d5c7d79b3212c82c5e851d3de43966df9c5b360ebc5794cd5
Instruction Fuzzy Hash: ED916D71128312AFC718EF64D895C6EB7A4EF95710F00491DF8869B2A1DB70EE64CF92

Function 0028B9C7 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 002248AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002248A1,?,?,002237C0,?), ref: 002248CE

CoInitialize.OLE32(00000000), ref: 0028BA47
CoCreateInstance.OLE32(002B2D6C,00000000,00000001,002B2BDC,?), ref: 0028BA60
CoUninitialize.OLE32 ref: 0028BA7D

Part of subcall function 00229997: __itow.LIBCMT ref: 002299C2
Part of subcall function 00229997: __swprintf.LIBCMT ref: 00229A0C

Strings

.lnk, xrefs: 0028BA29, 0028BA37

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 2234ec1f0dc90173195b269b06e904e8ba062836f06a68b8814b9d9b33d641fa
Instruction ID: c182ec338b97554fd1c76bf29769ecef2a317c58979d1c368d3bddfb50ae7c33
Opcode Fuzzy Hash: 2234ec1f0dc90173195b269b06e904e8ba062836f06a68b8814b9d9b33d641fa
Instruction Fuzzy Hash: 19A14478614311AFCB10EF54C484D2ABBE5BF89314F14898DF8999B3A1CB31EC55CB91

Function 0027B5B5 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0027B780

Strings

AutoIt3GUI, xrefs: 0027B6F8
%+, xrefs: 0027B823
Container, xrefs: 0027B6FD

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%+
API String ID: 3565006973-1591554326
Opcode ID: 0991281d32c9bd0219f938f4e00b2aa43f50d998cd97669dba61b1cfe118bfe0
Instruction ID: ed0087f2a8c5ba81c569ce3d8e21518eb4f9ac081719d402bdecde7adba036bc
Opcode Fuzzy Hash: 0991281d32c9bd0219f938f4e00b2aa43f50d998cd97669dba61b1cfe118bfe0
Instruction Fuzzy Hash: 2F914A71620202AFDB15DF68C884B6ABBF8FF49710F14856EF949CB691DBB0E851CB50

Function 0024518D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0024521D

Part of subcall function 00250270: __87except.LIBCMT ref: 002502AB

Strings

pow, xrefs: 002451F5, 00245212

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 93ba080180f48910c58cc149073facd6720ae04a35375e59219fa3c5d4dc07a3
Instruction ID: 2f460347cba38889e38e9880f47c8bf6193d7fa0559b58430f46b2d39676b699
Opcode Fuzzy Hash: 93ba080180f48910c58cc149073facd6720ae04a35375e59219fa3c5d4dc07a3
Instruction Fuzzy Hash: 3D517B20A3C603A7DB15AF14DD8537E2B949B40711F20499AECD5861E7EBB48CFC9A4A

Function 0024017B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

+, xrefs: 002401B7
#, xrefs: 002401C0

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 1e1c4e0d7106305e1e7ccd0ccf0cb2a105d16def8a069cbf749315a1e48a693a
Instruction ID: ff152d4459fdadf8cb9aaac1e01f205d5450071bd5674f433c6d3fff98e56146
Opcode Fuzzy Hash: 1e1c4e0d7106305e1e7ccd0ccf0cb2a105d16def8a069cbf749315a1e48a693a
Instruction Fuzzy Hash: 64515535124667DFCF18DF68C485AFAB7A0EF1A314F148055EC959B2D0C7B4ACA2CB60

Function 00233297 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 002333D7
_memmove.LIBCMT ref: 00233470
_free.LIBCMT ref: 00233496
_memmove.LIBCMT ref: 00233549

Strings

Oa#, xrefs: 00233482

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: _memmove$_free
String ID: Oa#
API String ID: 2620147621-1510357115
Opcode ID: 5a892ce687ae68b9ee0e0f1dd72a1aec89b6b8841d09c0017ca5e43673a87b13
Instruction ID: fadf9d5b55e2a30490c37b266663952cbb7cff1f2802223f87114350bc5be90f
Opcode Fuzzy Hash: 5a892ce687ae68b9ee0e0f1dd72a1aec89b6b8841d09c0017ca5e43673a87b13
Instruction Fuzzy Hash: EE515EB1A283419FD724CF28C481B2ABBE5BF89314F45492DE989C7351DB31DA55CF42

Function 002362F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002363A8
_memmove.LIBCMT ref: 00236444
_memset.LIBCMT ref: 00236468

Strings

ERCP, xrefs: 00236313

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: ee9b2da1588acc2f7747275ba114b394b7ebe749789e067f2828cfc94b990237
Instruction ID: 041fcd0634b98f6b3480783cb96740844f7a60dc9ec11ff185c3974960671554
Opcode Fuzzy Hash: ee9b2da1588acc2f7747275ba114b394b7ebe749789e067f2828cfc94b990237
Instruction Fuzzy Hash: 2E5184B1920306EBDB24DF55C9857AAB7F8EF04714F20C56EE94ACB241E771E9A4CB40

Function 00279AB7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002817ED: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00279558,?,?,00000034,00000800,?,00000034), ref: 00281817

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00279B01

Part of subcall function 002817B8: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00279587,?,?,00000800,?,00001073,00000000,?,?), ref: 002817E2

Part of subcall function 0028170F: GetWindowThreadProcessId.USER32(?,?), ref: 0028173A
Part of subcall function 0028170F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0027951C,00000034,?,?,00001004,00000000,00000000), ref: 0028174A
Part of subcall function 0028170F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0027951C,00000034,?,?,00001004,00000000,00000000), ref: 00281760

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00279B6E
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00279BBB

Strings

@, xrefs: 00279BD3

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 62203a766af85825539d8c560707698934d7679cefa71367377e21657140b11d
Instruction ID: 2fdce4cb6325e28f2683a0c81881b30b87a7418acc9ae85658a75bd505b40b75
Opcode Fuzzy Hash: 62203a766af85825539d8c560707698934d7679cefa71367377e21657140b11d
Instruction Fuzzy Hash: 58416F76911218BFDB10EFA4CC85ADEB7B8EB09700F008099F955B7190CB706E95CFA0

Function 002A7978 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,002AF910,00000000,?,?,?,?), ref: 002A7A11
GetWindowLongW.USER32 ref: 002A7A2E
SetWindowLongW.USER32(?,000000F0,00000000), ref: 002A7A3E

Strings

SysTreeView32, xrefs: 002A79E3

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: da1fe8e28e6daf267957395cd0d0b8110f089fcbe58e198e5add980bacbdbe8b
Instruction ID: 33e6e4546392dad73f6ceea35e542950b96d759673fd88ae150bb8060d91007b
Opcode Fuzzy Hash: da1fe8e28e6daf267957395cd0d0b8110f089fcbe58e198e5add980bacbdbe8b
Instruction Fuzzy Hash: 9C31BE32224606BBDB118E78DC45BEB77A9EB0A324F204725F875921E1CB31ED618B54

Function 002A740B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 002A7493
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 002A74A7
SendMessageW.USER32(?,00001002,00000000,?), ref: 002A74CB

Strings

SysMonthCal32, xrefs: 002A745E

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: cfa85f2648686ef43060a3a1d6e4a46bc493be978eef3ccbcf3813f32fb3dfab
Instruction ID: 8623748fd615c52023cf44dbf42d66185cf4fa27e057a002ab48598dcfe8f6a9
Opcode Fuzzy Hash: cfa85f2648686ef43060a3a1d6e4a46bc493be978eef3ccbcf3813f32fb3dfab
Instruction Fuzzy Hash: 5421D332510219BBDF218F90DC46FEA3B79EF4D724F110114FE146B1D0DA75A860CB90

Function 002A6CE2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 002A6D6D
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 002A6D7D
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 002A6DA2

Strings

Listbox, xrefs: 002A6D3A

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: d18fce6f8f4ab4b725d0480d18b95cf7689b1c778b66ff3d36b5f464a54a8547
Instruction ID: d966d9d647a6f3541af03d24501760fa37cff937a22d91e1063e42db49b4478c
Opcode Fuzzy Hash: d18fce6f8f4ab4b725d0480d18b95cf7689b1c778b66ff3d36b5f464a54a8547
Instruction Fuzzy Hash: B021A772720119BFDF128F54DC89FBB3B6AEF8A754F158124F9059B190CB719C618BA0

Function 002A7740 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 002A77A4
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 002A77B9
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 002A77C6

Strings

msctls_trackbar32, xrefs: 002A777B

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 3ec2b293ca3b716382bb4adac567f33f10f81b6419d852c14f59f49275df4b84
Instruction ID: 8f8581595747a2dff8ed16e9230ae54d9066f650301ea896039651b736fef8a3
Opcode Fuzzy Hash: 3ec2b293ca3b716382bb4adac567f33f10f81b6419d852c14f59f49275df4b84
Instruction Fuzzy Hash: 42110A32664209BBEF105F70DC45FE777ADEF8AB14F010118F651960D1DA71E861CB24

Function 00246CEE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00246D10
__calloc_crt.LIBCMT ref: 00246D29

Strings

@B., xrefs: 00246D40
-, xrefs: 00246D4E

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: __calloc_crt
String ID: -$@B.
API String ID: 3494438863-912515190
Opcode ID: f23139dead6973903c4b5ddfd2f0ccafaf90bc1b8cb44301b578f18b400bb7b1
Instruction ID: 3c88a092f74c84e8ed329a05b22fb72a431635c430ac01d000a5cfef11b2cff5
Opcode Fuzzy Hash: f23139dead6973903c4b5ddfd2f0ccafaf90bc1b8cb44301b578f18b400bb7b1
Instruction Fuzzy Hash: E7F0C272B78A23CAF76C9F19BC997653795E702328F100427E604CE290E7708CA08A82

Function 00224C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00224C2E), ref: 00224CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00224CB5

Strings

kernel32.dll, xrefs: 00224C9E
GetNativeSystemInfo, xrefs: 00224CAF

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 31ee7560bfccaf83bdbcc55cb0b5eb13e14a66d0f289c8bc817623b89d5c1fa9
Instruction ID: e2abfa92b3f177283f9353ef0e54e48bb3c83328c92bdbd9bf24a7b0f6c2b7b5
Opcode Fuzzy Hash: 31ee7560bfccaf83bdbcc55cb0b5eb13e14a66d0f289c8bc817623b89d5c1fa9
Instruction Fuzzy Hash: 62D0C770520323DFC720AFB4EB08602B2E4AF0B780B108C3AD88AC2150EA78C890CA20

Function 00224D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00224D2E,?,00224F4F,?,002E52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00224D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00224D81

Strings

Wow64DisableWow64FsRedirection, xrefs: 00224D7B
kernel32.dll, xrefs: 00224D6A

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 1f09827c27050de7a5ada8eec44ffd2196194858797db397d895d1bc2d5854bf
Instruction ID: 6584d73e8e499bb1f5c6242bfcef0be817c9115994980a0f0b5de21e2265d15b
Opcode Fuzzy Hash: 1f09827c27050de7a5ada8eec44ffd2196194858797db397d895d1bc2d5854bf
Instruction Fuzzy Hash: 03D01230520723DFD7206FB1E94865676E8AF16752B51C93AD486D6250EA74D890CA60

Function 00224D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00224CE1,?), ref: 00224DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00224DB4

Strings

kernel32.dll, xrefs: 00224D9D
Wow64RevertWow64FsRedirection, xrefs: 00224DAE

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 8f0fecf7d5252d9a1cb99ec6d1662f180203042749c97978327a28f50f3aa1c1
Instruction ID: 17845c8302b6126d26ee9e692df7d03198aa15033441d684da16e0942b40cd7b
Opcode Fuzzy Hash: 8f0fecf7d5252d9a1cb99ec6d1662f180203042749c97978327a28f50f3aa1c1
Instruction Fuzzy Hash: D4D01230560723DFD7206FB1E94864676E4AF06355B11883AD8C5D6150EB74D890C660

Function 002A0E72 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,002A10C1), ref: 002A0E80
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 002A0E92

Strings

RegDeleteKeyExW, xrefs: 002A0E8C
advapi32.dll, xrefs: 002A0E7B

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: e80d2635a5866595bc9dcb8e6f7f2746ff431002e312fb0a234146dc13124987
Instruction ID: 24399773ee05e01a03e94a10bf021acd6c9560ab1ddec9d148c9550fd15c33b0
Opcode Fuzzy Hash: e80d2635a5866595bc9dcb8e6f7f2746ff431002e312fb0a234146dc13124987
Instruction Fuzzy Hash: 5ED01270920713CFD7205F75EA48646B6D4AF06391B518C7AE489D2250DA74D8D0C650

Function 002991F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00298E09,?,002AF910), ref: 00299203
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00299215

Strings

GetModuleHandleExW, xrefs: 0029920F
kernel32.dll, xrefs: 002991FE

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 1a9ed089309dac4e015b1c3156ed1786a94c13b4b9ebaef35ec906962fffb96e
Instruction ID: cca69bf6b65cbec1b05037f3c283fccf59209f6bd4cb8d23c9981d2f04c88481
Opcode Fuzzy Hash: 1a9ed089309dac4e015b1c3156ed1786a94c13b4b9ebaef35ec906962fffb96e
Instruction Fuzzy Hash: 28D0C230960313DFCB305F75DE0810272E5AF16351B008C3EDC85C6550EA74C8E0CB20

Function 00261A6D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00261A71
__swprintf.LIBCMT ref: 00261AA2

Strings

WIN_XPe, xrefs: 00261AE1
%.3d, xrefs: 00261A7C

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 609fbe55332fcc7ef107d68a3493b1002c86c4464dda1bbea7f96cc01df2a267
Instruction ID: 923f976990be17d3044090bf80d0d2198d05e21f60eb63731694b95486340443
Opcode Fuzzy Hash: 609fbe55332fcc7ef107d68a3493b1002c86c4464dda1bbea7f96cc01df2a267
Instruction Fuzzy Hash: ADD01271C35119EBCB54D7D099859FD737CA708300F284552F406A1040E6A5EFF4EA21

Function 002774A5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65c4e08b4f72af35c100d2182f9fc60dbac006e3dc506b74e3ef473d6acc78cd
Instruction ID: 40c8b22cf3d8290aa33ee9dfedbded0ce0e28b40b1e44df877146207c55a4160
Opcode Fuzzy Hash: 65c4e08b4f72af35c100d2182f9fc60dbac006e3dc506b74e3ef473d6acc78cd
Instruction Fuzzy Hash: D0C17E74A14216EFDB14CFA8C884EAEF7B9FF48714B118598E809EB251D770ED91CB90

Function 0029E13E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0029E1D2
CharLowerBuffW.USER32(?,?), ref: 0029E215

Part of subcall function 0029D8B9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0029D8D9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0029E415
_memmove.LIBCMT ref: 0029E428

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: e832d2fd97f313dd5edd0bfd3089ae6d8d8637adf1d8d98656d94240c86c0abb
Instruction ID: 6c017ade0885f6c89cc311651d8080e9d28d35927d0c8bd3765d996c4061e542
Opcode Fuzzy Hash: e832d2fd97f313dd5edd0bfd3089ae6d8d8637adf1d8d98656d94240c86c0abb
Instruction Fuzzy Hash: 00C19971A283119FCB04DF28C48096ABBE4FF88714F15896EF8999B351D730E956CF82

Function 002981A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 002981D8
CoUninitialize.OLE32 ref: 002981E3

Part of subcall function 0027D87B: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0027D8E3

VariantInit.OLEAUT32(?), ref: 002981EE
VariantClear.OLEAUT32(?), ref: 002984BF

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 787fe398e8b076092172bcfebd56e022ac4ce95a29b60bbd8a7e1dcf649e6e25
Instruction ID: 10e403f691af8272055659b4cd41761b1d93006361b5d64648347ef9fc6f1e42
Opcode Fuzzy Hash: 787fe398e8b076092172bcfebd56e022ac4ce95a29b60bbd8a7e1dcf649e6e25
Instruction Fuzzy Hash: 5FA15935624712AFDB10DF54C481B2AB7E4BF89720F18484DF99A9B3A1CB74ED90CB45

Function 00276BD3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00276BE4
SysAllocString.OLEAUT32(00000000), ref: 00276C8D
VariantCopy.OLEAUT32 ref: 00276CBC
VariantClear.OLEAUT32(?), ref: 00276CE3

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 6f26d7ab3df3fe15050f227f35357854de80e451567d072191f1721ec53c21ce
Instruction ID: a22d59f05eb2847c74a8d33ca5c1f7f2ae70c776370e77dec24e2761186c121c
Opcode Fuzzy Hash: 6f26d7ab3df3fe15050f227f35357854de80e451567d072191f1721ec53c21ce
Instruction Fuzzy Hash: 2C51B734734B029FDB34AF65D499A69B3E5EF05310F20C82FE59EC7691DEB498A08B11

Function 002A9826 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(011DD948,?), ref: 002A9895
ScreenToClient.USER32(00000002,00000002), ref: 002A98C8
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 002A9935

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 02f98da5a3f3a1c0f276ac7a643af31f857ed5a0ceef7c2056ba7809f85e72a1
Instruction ID: 8654c8c43948638571f04cc0bcfa46c56ba208b90a13ffb5100199387bb1e5b6
Opcode Fuzzy Hash: 02f98da5a3f3a1c0f276ac7a643af31f857ed5a0ceef7c2056ba7809f85e72a1
Instruction Fuzzy Hash: 0B51433491020AEFCF14DF55D9849AE7BB5FF86360F108159F8559B2A0DB31ADA1CF90

Function 00296AC0 Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00296AE7
WSAGetLastError.WSOCK32(00000000), ref: 00296AF7

Part of subcall function 00229997: __itow.LIBCMT ref: 002299C2
Part of subcall function 00229997: __swprintf.LIBCMT ref: 00229A0C

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00296B5B
WSAGetLastError.WSOCK32(00000000), ref: 00296B67

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 34f54da622271d7a8f3983887162ea1d20e82a75340f5ec8702ef51e7be50661
Instruction ID: 5db92f52b2be4c01511b5581c6a206cfc5a3b4dd63434a033697bbd9c9d3bcce
Opcode Fuzzy Hash: 34f54da622271d7a8f3983887162ea1d20e82a75340f5ec8702ef51e7be50661
Instruction Fuzzy Hash: A941B734750210BFEB20AF64EC8BF3A77E59F04B14F048418FA599B2D2DA749C508F51

Function 00296530 Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,002AF910), ref: 002965BD
_strlen.LIBCMT ref: 002965EF

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 893b5e6e36456366f1a315a1a5873c6d8d5f2caa93d976094358927af7807684
Instruction ID: 007a42a8bff690b216b12856f2a068a966e591b1d30ddc7df32feff16d459898
Opcode Fuzzy Hash: 893b5e6e36456366f1a315a1a5873c6d8d5f2caa93d976094358927af7807684
Instruction Fuzzy Hash: 7D41E330520114AFCF14EBA4EDC9EAEB3E9AF44310F148165F81997292DF34AD64CF50

Function 0028B880 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0028B92A
GetLastError.KERNEL32(?,00000000), ref: 0028B950
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0028B975
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0028B9A1

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 77be938005a2b24bdb2ed2b54c45f2d1bdfd74fed43e90ef885449ad92d6de96
Instruction ID: 03f04d309c34ca214bda1b41bc07b220851f84ce6c580655cc1cb18b1e5722f9
Opcode Fuzzy Hash: 77be938005a2b24bdb2ed2b54c45f2d1bdfd74fed43e90ef885449ad92d6de96
Instruction Fuzzy Hash: FC415B39610621EFCB21EF54D545A19BBE1EF89320F198488EC4A9B362CB35FD90CF91

Function 002A8883 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002A8910

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 558396328c1e428ab5d5fc108399bfded1382a7bccd40461dec0de472063accd
Instruction ID: ac29a1ac30ed34aa51db9168aed63c63c81891dbb619ade4cad9b01429a8e2a0
Opcode Fuzzy Hash: 558396328c1e428ab5d5fc108399bfded1382a7bccd40461dec0de472063accd
Instruction Fuzzy Hash: 3831F23067010ABFEF249E54DC89BBE77A5EB07310F544115FA51E73E0CF7499A08A52

Function 002AAB69 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 002AAB92
GetWindowRect.USER32(?,?), ref: 002AAC08
PtInRect.USER32(?,?,002AC07E), ref: 002AAC18
MessageBeep.USER32(00000000), ref: 002AAC89

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 3932203f937e002deee8aab67359ad17b8eab3bdc08aa4bdcf4efe0832d71234
Instruction ID: 848d6808cdd576b7bb1b5209748ec4c151528058defad17962fa9e9422250ea4
Opcode Fuzzy Hash: 3932203f937e002deee8aab67359ad17b8eab3bdc08aa4bdcf4efe0832d71234
Instruction Fuzzy Hash: 3D418D30660256DFEB11CF58D988B597BF6FF4A324F1480AAE8148F260DB30A855CF92

Function 00280E07 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00280E58
SetKeyboardState.USER32(00000080,?,00000001), ref: 00280E74
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00280EDA
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00280F2C

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 5d651d58542e17e50311e80fa89829ba8dd3e684a79f4e5964ba2ba99a01fad2
Instruction ID: efd0e7c34761559cf967243a6682bfc666305fc0f27721ed7ca79ed033101a24
Opcode Fuzzy Hash: 5d651d58542e17e50311e80fa89829ba8dd3e684a79f4e5964ba2ba99a01fad2
Instruction Fuzzy Hash: 3B318B34972209AEFBB0AE248C89BFF7B69EB49310F08461AF4C0511D1C77448799751

Function 00280F42 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00280F97
SetKeyboardState.USER32(00000080,?,00008000), ref: 00280FB3
PostMessageW.USER32(00000000,00000101,00000000), ref: 00281012
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00281064

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 16b282d1c597936936392ef5555848c545bdcd63c3699fd32d4f395abe1a8733
Instruction ID: 16eab7b3d0729334221a058d3002c52fa20da79db2cb41f76fb5b5ee7b901242
Opcode Fuzzy Hash: 16b282d1c597936936392ef5555848c545bdcd63c3699fd32d4f395abe1a8733
Instruction Fuzzy Hash: 53318C34D26399DEFF34AE64CC08BFABB6DAB45310F04821AF885521D1C77889F69761

Function 00256345 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0025637B
__isleadbyte_l.LIBCMT ref: 002563A9
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 002563D7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0025640D

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: b7327724392d38859838295eca8b17365a17851bfe046445a732b4c941334820
Instruction ID: 055262680242e57ce86c714af74d4172331ef01ed1eac0e09814bc0ccb11ba8b
Opcode Fuzzy Hash: b7327724392d38859838295eca8b17365a17851bfe046445a732b4c941334820
Instruction Fuzzy Hash: C531F231620246FFDB218F75C848B6A7BB5FF41712F554169EC14870A0E730DC68DB94

Function 002A4F57 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 002A4F6B

Part of subcall function 00283685: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0028369F
Part of subcall function 00283685: GetCurrentThreadId.KERNEL32 ref: 002836A6
Part of subcall function 00283685: AttachThreadInput.USER32(00000000,?,002850AC), ref: 002836AD

GetCaretPos.USER32(?), ref: 002A4F7C
ClientToScreen.USER32(00000000,?), ref: 002A4FB7
GetForegroundWindow.USER32 ref: 002A4FBD

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: c6c9227d732791083c4993a49633ff91e15987e7c326e2bd45acdde4aee8352d
Instruction ID: e6273a897ddaa9c0e9cadc5a242e4082650cf5453f67ee0c70b6a6e2356357c6
Opcode Fuzzy Hash: c6c9227d732791083c4993a49633ff91e15987e7c326e2bd45acdde4aee8352d
Instruction Fuzzy Hash: 96312C71D10218AFDB00EFA5D9859EFB7F9EF89300F10406AE505E7241EA759E55CFA0

Function 002AC502 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00222612: GetWindowLongW.USER32(?,000000EB), ref: 00222623

GetCursorPos.USER32(?), ref: 002AC53C
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0025BB2B,?,?,?,?,?), ref: 002AC551
GetCursorPos.USER32(?), ref: 002AC59E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0025BB2B,?,?,?), ref: 002AC5D8

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 63e11fea96c020e88379ed8c4a00c9afc0c55a9df7915037db60b5d652781703
Instruction ID: 3dc6b539978dc8a8bd6cb0487a041ab72bf8837965befc65a4457b91c12419cf
Opcode Fuzzy Hash: 63e11fea96c020e88379ed8c4a00c9afc0c55a9df7915037db60b5d652781703
Instruction Fuzzy Hash: C731FB35910418FFCB15CF94D858DEA7BF5EB4A310F944055F9059B261DB31AD60DFA0

Function 0027897E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00278432: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00278449
Part of subcall function 00278432: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00278453
Part of subcall function 00278432: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00278462
Part of subcall function 00278432: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00278469
Part of subcall function 00278432: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0027847F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 002789CB
_memcmp.LIBCMT ref: 002789EE
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00278A24
HeapFree.KERNEL32(00000000), ref: 00278A2B

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 0848943cfa7f5eccb6ef6230fb8e3086d23f848e92d5160a615ef79531a6ec4b
Instruction ID: 064ecb26e1244481e277c0b50b24ce846b57dc36665839ec28bc9136c92c19ce
Opcode Fuzzy Hash: 0848943cfa7f5eccb6ef6230fb8e3086d23f848e92d5160a615ef79531a6ec4b
Instruction Fuzzy Hash: 8B217A72E90109EFDB10DFA4C949BFEB7B8EF44315F15809AE858A7240DB30AA15CF51

Function 00240B0C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00240B2E

Part of subcall function 00225B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,0028793F,?,?,00000000), ref: 00225B8C
Part of subcall function 00225B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,0028793F,?,?,00000000,?,?), ref: 00225BB0

_fprintf.LIBCMT ref: 00240B65
OutputDebugStringW.KERNEL32(?), ref: 00276111

Part of subcall function 00244C1A: _flsall.LIBCMT ref: 00244C33

__setmode.LIBCMT ref: 00240B9A

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: f1670b362eba25bc391c8978e8f31dbb94bac0ec4367ea544d30d84d78b1a3d2
Instruction ID: a3d0f0b3dd04037a5b4779540d124b7fd318074dcc4ad825e3c79182cf0e95f9
Opcode Fuzzy Hash: f1670b362eba25bc391c8978e8f31dbb94bac0ec4367ea544d30d84d78b1a3d2
Instruction Fuzzy Hash: B51157329246147EDB0877E4AC87ABD7B6DDF41324F14401AF20867182DE7158B14F95

Function 0029187D Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 002918B9

Part of subcall function 00291943: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00291962
Part of subcall function 00291943: InternetCloseHandle.WININET(00000000), ref: 002919FF

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 191d014b1fcdd95e8c04d5a43ec9dab67dff1e630a90dcc07fc16457d9ec65f9
Instruction ID: a594e3bfcf26de6467ba2c887b7c5d73dcf9ce7e33bcd3d2ac53c10ba8bb61b7
Opcode Fuzzy Hash: 191d014b1fcdd95e8c04d5a43ec9dab67dff1e630a90dcc07fc16457d9ec65f9
Instruction Fuzzy Hash: F821F075210706BFEF159F61DC14FBAB7A9FF49700F00442AFA1596650DB71D831ABA0

Function 00283A6E Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,002AFAC0), ref: 00283AA8
GetLastError.KERNEL32 ref: 00283AB7
CreateDirectoryW.KERNEL32(?,00000000), ref: 00283AC6
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,002AFAC0), ref: 00283B23

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: b1a42a2501c2d998fd1db967b7392099facea7835f5d2c7764bf4f1ab83fcd1e
Instruction ID: 52a1fcbdb3f43f89eaa723d767727eb7d882e562f558a1ab9f874191548f8aeb
Opcode Fuzzy Hash: b1a42a2501c2d998fd1db967b7392099facea7835f5d2c7764bf4f1ab83fcd1e
Instruction Fuzzy Hash: 0021077451A3119F8700EF64D98089BB7E4EE16B28F144A2DF499C32E1DB30DE25CF82

Function 00255262 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00255281

Part of subcall function 0024588C: __FF_MSGBANNER.LIBCMT ref: 002458A3
Part of subcall function 0024588C: __NMSG_WRITE.LIBCMT ref: 002458AA
Part of subcall function 0024588C: RtlAllocateHeap.NTDLL(011C0000,00000000,00000001,00000000,?,?,?,00240F53,?), ref: 002458CF

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: b171991fe87ac7bd1c9b60b500f93f124cf3d4733a4a322725c7b3aa05699282
Instruction ID: b91c77c87e3de1a8547114b8878cdb607b49777b9d9de907dc789eceaaa47fa7
Opcode Fuzzy Hash: b171991fe87ac7bd1c9b60b500f93f124cf3d4733a4a322725c7b3aa05699282
Instruction Fuzzy Hash: 8A112332931A22ABCF282FB0FC5961E3798AF01362F20052AFC04DA150DF348D648B98

Function 00224531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00224560

Part of subcall function 0022410D: _memset.LIBCMT ref: 0022418D
Part of subcall function 0022410D: _wcscpy.LIBCMT ref: 002241E1
Part of subcall function 0022410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 002241F1

KillTimer.USER32(?,00000001,?,?), ref: 002245B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 002245C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0025D5FE

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: efa3f97ab6e21771324f9e8cd77c8bafec871ee7fdbaa2e0d8bda818ee06ac99
Instruction ID: 791c802d86d75e2b0732d0131bc5c96e4661d2f79dd64a7225c9284a9b2166c2
Opcode Fuzzy Hash: efa3f97ab6e21771324f9e8cd77c8bafec871ee7fdbaa2e0d8bda818ee06ac99
Instruction Fuzzy Hash: BE213AB0414394AFEB329F64E849BE7BBEC9F11308F44008DEACA56141D7B41AA88B41

Function 0029647F Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00225B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,0028793F,?,?,00000000), ref: 00225B8C
Part of subcall function 00225B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,0028793F,?,?,00000000,?,?), ref: 00225BB0

gethostbyname.WSOCK32(?,?,?), ref: 002964AF
WSAGetLastError.WSOCK32(00000000), ref: 002964BA
_memmove.LIBCMT ref: 002964E7
inet_ntoa.WSOCK32(?), ref: 002964F2

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 64520a150591a487a70b0499489b5c412b4c6fd2922e66014bb6d2de12c775e6
Instruction ID: f28e237cdfebb89185f0251783c8f8dea6d7b53537332118eb19d1fe057270b9
Opcode Fuzzy Hash: 64520a150591a487a70b0499489b5c412b4c6fd2922e66014bb6d2de12c775e6
Instruction Fuzzy Hash: 8D115E31920119AFCF04EBE4ED8ADEEB7B8AF05310B148065F506A7261DF31AE64CF61

Function 00278E03 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00278E23
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00278E35
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00278E4B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00278E66

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 37b7028828b36390c77a67dea8c3e28d81e11d80fbe61d680d12cad0b212762f
Instruction ID: e114430105069da9f22d0ca489e48b4f44023805438d3a57fb1daec17d52689c
Opcode Fuzzy Hash: 37b7028828b36390c77a67dea8c3e28d81e11d80fbe61d680d12cad0b212762f
Instruction Fuzzy Hash: D4113679940219BFEB10DFA5C885E9DBBB8FB08710F204095FA04B7290DB716E20DB90

Function 00221290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00222612: GetWindowLongW.USER32(?,000000EB), ref: 00222623

DefDlgProcW.USER32(?,00000020,?), ref: 002212D8
GetClientRect.USER32(?,?), ref: 0025B77B
GetCursorPos.USER32(?), ref: 0025B785
ScreenToClient.USER32(?,?), ref: 0025B790

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 927885f1cc3a4c5a61a39aabf3d8c948ae7af12710d14f0108dcc22734ada2f1
Instruction ID: 73ed38908e3d4ed06ab9d015b3782d33a7d71552ac406a6b7420ee48fdda1d4c
Opcode Fuzzy Hash: 927885f1cc3a4c5a61a39aabf3d8c948ae7af12710d14f0108dcc22734ada2f1
Instruction Fuzzy Hash: 5C115835A20029FBCB10DFE4E989DAE77B8EB16300F400556F911E7250CB30BA618BA5

Function 00281473 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0028001E,?,00281071,?,00008000), ref: 00281490
Sleep.KERNEL32(00000000,?,?,?,?,?,?,0028001E,?,00281071,?,00008000), ref: 002814B5
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0028001E,?,00281071,?,00008000), ref: 002814BF
Sleep.KERNEL32(?,?,?,?,?,?,?,0028001E,?,00281071,?,00008000), ref: 002814F2

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 40941d91b71ae9961da08e1b3f5a485ae2648295955692f371cf4096f4bee22f
Instruction ID: 247d67e2620078193ffa45f12cd89b44afcaae7ad2457a126ca2c6af36ba414c
Opcode Fuzzy Hash: 40941d91b71ae9961da08e1b3f5a485ae2648295955692f371cf4096f4bee22f
Instruction Fuzzy Hash: 2C112E35C11529D7CF00AFE5E948AEDBB78FF09711F014155EA45B62C0CB7495B28B91

Function 00257137 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0025715B

Part of subcall function 00257842: __fltout2.LIBCMT ref: 0025786B

__cftog_l.LIBCMT ref: 00257181
__cftoe_l.LIBCMT ref: 002571B3

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: fabf3959dc1d2e3bfc7962aaa743fdaf96838315d8de1658bfc3ca4424222e05
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 200178320A854ABBCF125E88EC058EE3F26BF18396F488415FE1C58130C736C9B5AB95

Function 002AB2F9 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 002AB318
ScreenToClient.USER32(?,?), ref: 002AB330
ScreenToClient.USER32(?,?), ref: 002AB354
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 002AB36F

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: b7be98d634d795836c9b9c19595292e3fd4dd50cbb7dba5fe15c99f8aabd7bb4
Instruction ID: 08131d5a2e2ed44de818a2e252806b6ccefba348b86ae8a0ad2e050c3c5f9142
Opcode Fuzzy Hash: b7be98d634d795836c9b9c19595292e3fd4dd50cbb7dba5fe15c99f8aabd7bb4
Instruction Fuzzy Hash: 7B114675D00209EFDB41CF98D5849EEBBB9FB09310F104166E924E3620D735AA65CF90

Function 00286C83 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00286C8F

Part of subcall function 0028776D: _memset.LIBCMT ref: 002877A2

_memmove.LIBCMT ref: 00286CB2
_memset.LIBCMT ref: 00286CBF
LeaveCriticalSection.KERNEL32(?), ref: 00286CCF

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: c6e65d6dc60e7c4f7fcd4f0bb09e682f5051da3d4cb71f6d05d8c1ffe2ab418a
Instruction ID: 494142aa6849f463acae1b709aec5d6ad258735a3d397eb79c32ac27b34d70e3
Opcode Fuzzy Hash: c6e65d6dc60e7c4f7fcd4f0bb09e682f5051da3d4cb71f6d05d8c1ffe2ab418a
Instruction Fuzzy Hash: BEF0543A105104ABCF416F55EC85E49BB29FF45320F548065FE085E25BCB35E825CFB4

Function 0027A15C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0027A179
GetWindowThreadProcessId.USER32(?,00000000), ref: 0027A18C
GetCurrentThreadId.KERNEL32 ref: 0027A193
AttachThreadInput.USER32(00000000), ref: 0027A19A

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 194bff0f415bfd03e76af1dcaac8fb14be326da9c3cbbfb951ab43de8885cb80
Instruction ID: 64ad1e6f2a109b4ddc9debb3a166c1e5e38dab9efce08a93f0c08ec938bf42bc
Opcode Fuzzy Hash: 194bff0f415bfd03e76af1dcaac8fb14be326da9c3cbbfb951ab43de8885cb80
Instruction Fuzzy Hash: 44E0C931545228BBEB605FA2ED0DEDB7F5CEF26BB1F408025F51D95060CA758550CBA1

Function 00222218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00222231
SetTextColor.GDI32(?,000000FF), ref: 0022223B
SetBkMode.GDI32(?,00000001), ref: 00222250
GetStockObject.GDI32(00000005), ref: 00222258
GetWindowDC.USER32(?,00000000), ref: 0025C003
GetPixel.GDI32(00000000,00000000,00000000), ref: 0025C010
GetPixel.GDI32(00000000,?,00000000), ref: 0025C029
GetPixel.GDI32(00000000,00000000,?), ref: 0025C042
GetPixel.GDI32(00000000,?,?), ref: 0025C062
ReleaseDC.USER32(?,00000000), ref: 0025C06D

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 6cffc69297b35211c0a93b68e26e7aef430a50f41df2a5fc4b32a9f92aa9d0eb
Instruction ID: 621059218cf7b52be811eb7b2a7d3737d72b93a5c35d0fdf07e861b5aa0f3709
Opcode Fuzzy Hash: 6cffc69297b35211c0a93b68e26e7aef430a50f41df2a5fc4b32a9f92aa9d0eb
Instruction Fuzzy Hash: 6AE03932504245EBEB615FA4FD0D7D87B10EB06332F108366FA69480E18B7649A4DB22

Function 00278A3A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00278A43
OpenThreadToken.ADVAPI32(00000000,?,?,?,0027860E), ref: 00278A4A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0027860E), ref: 00278A57
OpenProcessToken.ADVAPI32(00000000,?,?,?,0027860E), ref: 00278A5E

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: acb56ec51706b8d6c3f0c35ac01015da2f31e41d57bfa2a7a862c2a1adc8ef95
Instruction ID: 7c18a7e6c610f25cea3128bc55c3ddf53f8d30255cb22e5f6678e33cf4a3be4f
Opcode Fuzzy Hash: acb56ec51706b8d6c3f0c35ac01015da2f31e41d57bfa2a7a862c2a1adc8ef95
Instruction Fuzzy Hash: 04E08636745211DFD7A05FF17E0CB973BACEF52792F048868B645C9044DE389441C750

Function 002620B6 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 002620B6
GetDC.USER32(00000000), ref: 002620C0
GetDeviceCaps.GDI32(00000000,0000000C), ref: 002620E0
ReleaseDC.USER32(?), ref: 00262101

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: c3932a6b87d90a73b10f84a73efc3771de8ab935137e95c0253bc91b63b67007
Instruction ID: 571186ae3abec3bc90c4d515c800614902a0f32829b760ede2095b8c9989afcc
Opcode Fuzzy Hash: c3932a6b87d90a73b10f84a73efc3771de8ab935137e95c0253bc91b63b67007
Instruction Fuzzy Hash: 43E0E575810214EFCB519FA0EA0C69DBBB9EB5D711F208425F86A97260CB7981919F40

Function 002620CA Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 002620CA
GetDC.USER32(00000000), ref: 002620D4
GetDeviceCaps.GDI32(00000000,0000000C), ref: 002620E0
ReleaseDC.USER32(?), ref: 00262101

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 72642b95cf9ec0b562f5df79543073406e5cd0391efaecbb18b088420ccb6c21
Instruction ID: 50be5b281cb5ac82db2b0c7d18ba9e6e2705e40343f9db342992e626fbd26708
Opcode Fuzzy Hash: 72642b95cf9ec0b562f5df79543073406e5cd0391efaecbb18b088420ccb6c21
Instruction Fuzzy Hash: 14E01A75C10214AFCB519FF0EA0C69DBBF9EB4D711F108025F96A97220CB7C91419F40

Function 002263A0 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%+, xrefs: 002263AE

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID:
String ID: %+
API String ID: 0-2692660539
Opcode ID: bd3f06ca687e2a5e64bfe203d4a7edcec7e04f297e9b0ddd086c9a0404671778
Instruction ID: a5153210767d815bc7a491068c64ced4a37d0576bcdb33d42172dd17cc4b758c
Opcode Fuzzy Hash: bd3f06ca687e2a5e64bfe203d4a7edcec7e04f297e9b0ddd086c9a0404671778
Instruction Fuzzy Hash: CDB1BE7282412ABACF24EFD4E4899FEB7B8EF04310F504026E942A7194DB349EB5CB51

Function 0029AFB7 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 0029B0C3

Strings

xb., xrefs: 0029B0F9
xb., xrefs: 0029B125

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: __itow_s
String ID: xb.$xb.
API String ID: 3653519197-2273934189
Opcode ID: fa8ff674df954ef09b56ab815a9370ec36117916c8c74dffe65793d0be5c2e37
Instruction ID: c0e71568637cb237b93e0a21e24f732b72d776fbcf06b3b1a30d9722a0ad592a
Opcode Fuzzy Hash: fa8ff674df954ef09b56ab815a9370ec36117916c8c74dffe65793d0be5c2e37
Instruction Fuzzy Hash: 8DB1AD30A10219AFDF15DF94E990EBEB7B9FF58300F148059F9459B291EB70E9A1CB60

Function 0028B038 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0023FE06: _wcscpy.LIBCMT ref: 0023FE29

Part of subcall function 00229997: __itow.LIBCMT ref: 002299C2
Part of subcall function 00229997: __swprintf.LIBCMT ref: 00229A0C

__wcsnicmp.LIBCMT ref: 0028B0B9
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0028B182

Strings

LPT, xrefs: 0028B0B3

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 14c5923e65e99c6b322c19b34cef9ed82fb4e73e78ffbae8f1818d8116ff9fcf
Instruction ID: 0a7796a20438473457f0306fb8fac28e3b29f42efeb96b03cc7726c919f3d712
Opcode Fuzzy Hash: 14c5923e65e99c6b322c19b34cef9ed82fb4e73e78ffbae8f1818d8116ff9fcf
Instruction Fuzzy Hash: F561B579E20215AFCB15EF94C895EAEB7B4EF08310F10405DF94AAB391DB70AE94CB50

Function 002688DA Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00268981
_memmove.LIBCMT ref: 002689DB

Strings

Oa#, xrefs: 00268A55, 0026E332, 0026E34E

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: _memmove
String ID: Oa#
API String ID: 4104443479-1510357115
Opcode ID: dc83d41a7ccc98d2b9a5e6c114e4650131a7a021eb05bb8d21038784f30c37ec
Instruction ID: 61155ba792cb2bba77ca27de5409597f7c7f88ba783475f952ea11aa03eccaa9
Opcode Fuzzy Hash: dc83d41a7ccc98d2b9a5e6c114e4650131a7a021eb05bb8d21038784f30c37ec
Instruction Fuzzy Hash: 4E513DB0A1161A9FCF24CF68D484ABEB7F1FF44304F248569E85AD7240EB31A9A5CB51

Function 00232AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00232AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 00232AE1

Strings

@, xrefs: 00232AD5

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 03ccad3ffe60a9a2e4b6e8776358c172df9b59f1c065126ba39c5327379d6510
Instruction ID: ad4f7921fc3c28ac4d5a9a99ee552ad78f0f3c1102391cc4226df6a1cca17359
Opcode Fuzzy Hash: 03ccad3ffe60a9a2e4b6e8776358c172df9b59f1c065126ba39c5327379d6510
Instruction Fuzzy Hash: 74517772428758ABD320AF50EC86BAFBBE8FF85310F41884DF1D9410A1DB708579CB66

Function 002897DD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 0022506B: __fread_nolock.LIBCMT ref: 00225089

_wcscmp.LIBCMT ref: 002898CD
_wcscmp.LIBCMT ref: 002898E0

Strings

FILE, xrefs: 00289819

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 41a8e5e7907d5abbfd5a106b64174f58f4015f4f0e3d718a8c4fae47c8fc7560
Instruction ID: 577f61b9ecb37ea8c90de60fbd5c26bd9e74d8d7a6442b7f7c18328bc7885d6d
Opcode Fuzzy Hash: 41a8e5e7907d5abbfd5a106b64174f58f4015f4f0e3d718a8c4fae47c8fc7560
Instruction Fuzzy Hash: F2412671A1062ABADF20AEE4DC85FEFB7BDDF49710F044469F900A71C0CA719E548BA1

Function 002608CD Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 002608D8

Strings

Dd., xrefs: 0022A2B1
Dd., xrefs: 0022A477

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: ClearVariant
String ID: Dd.$Dd.
API String ID: 1473721057-1161358372
Opcode ID: 5c9f7b5abf918a0c621c93ccfa861f3ddc7ccedc73ac34ce365e4ce96b256528
Instruction ID: c191b160abe7d584ec29aefb05cfabf5d728d59a469b1ea44ba71b5558da10be
Opcode Fuzzy Hash: 5c9f7b5abf918a0c621c93ccfa861f3ddc7ccedc73ac34ce365e4ce96b256528
Instruction Fuzzy Hash: 73513674624352DFC760CF59D484A1ABBF1BB98384F54885CE9818B761D331ECA0CF82

Function 002926A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002926B4
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 002926EA

Strings

|, xrefs: 002926BB

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 9674bcb231827d6aebc2de0a18d3b28442fa1a3520a8966fea79fda440818853
Instruction ID: edbad5c10a64f0899e89834783e32fab3bc08b3e15da8b10028fd1a6b1fe1f42
Opcode Fuzzy Hash: 9674bcb231827d6aebc2de0a18d3b28442fa1a3520a8966fea79fda440818853
Instruction Fuzzy Hash: 1B310571824119BFCF01AFA1DC85EEEBFB9FF08310F104069F814A6166EA355A66DB60

Function 002A7AA3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 002A7B93
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 002A7BA8

Strings

', xrefs: 002A7AFC

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: b071b0b564238ebb9809a61a6db3b23d95e0485626a775c59ec04547797e3969
Instruction ID: a057ee0f0ddbe87be7e74eb909f6801e0ff7438ff1719a486ee01edd7ed6f455
Opcode Fuzzy Hash: b071b0b564238ebb9809a61a6db3b23d95e0485626a775c59ec04547797e3969
Instruction Fuzzy Hash: 1D412A75A1530AEFDB14CFA4D880BDABBB5FB09304F10046AE904AB351DB70A951CFA4

Function 002A6A95 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 002A6B49
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 002A6B85

Strings

static, xrefs: 002A6AE5

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: e30eb37c407d4bdbde05dcab71aad4f210c6491a314d846c39e537d44fc64cd1
Instruction ID: 3d8a38d9c48c3483978c87de238c74d9bf0e5ead73dce9db14b9d95abb265145
Opcode Fuzzy Hash: e30eb37c407d4bdbde05dcab71aad4f210c6491a314d846c39e537d44fc64cd1
Instruction Fuzzy Hash: 64319C71120605AFEB109F68DC85AFB73A9FF49724F148619F8A6D7190DF34ACA1CB60

Function 00282B9A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00282C09
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00282C44

Strings

0, xrefs: 00282C02

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: df5fdd45a7f8385a1ddc850d73f0cd525490248acc59de2f26bee9a068b32701
Instruction ID: dcb66f02aa70354ae04759f2d3cb02b4c0752f6c4f0543369600dc93f9184162
Opcode Fuzzy Hash: df5fdd45a7f8385a1ddc850d73f0cd525490248acc59de2f26bee9a068b32701
Instruction Fuzzy Hash: 5331273562130ADFDB34EF48D9857BEBBB8EF04300F15001AEC85A61E0D7709A68CB10

Function 002A6706 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 002A6793
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002A679E

Strings

Combobox, xrefs: 002A6760

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 2e4a288306f44c85d2e8573a225756e728ed7d2ebd69fd99fd257ebb67af9d50
Instruction ID: c124a489c6510c00a90b7b51a1eef3a16cee2140d1907d09ba9ec262b5705513
Opcode Fuzzy Hash: 2e4a288306f44c85d2e8573a225756e728ed7d2ebd69fd99fd257ebb67af9d50
Instruction Fuzzy Hash: 2711E6756301096FEF11DF14DC88EBB776AEB45368F140124F91497290DB319C718BA0

Function 002A6C39 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00221D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00221D73
Part of subcall function 00221D35: GetStockObject.GDI32(00000011), ref: 00221D87
Part of subcall function 00221D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00221D91

GetWindowRect.USER32(00000000,?), ref: 002A6CA3
GetSysColor.USER32(00000012), ref: 002A6CBD

Strings

static, xrefs: 002A6C80

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: ee9370e9058bed885495372fdc7b04a66382a55924eebb1b44f65b2d339dec2e
Instruction ID: 124ea46cd7113d040f7689073573b3075faf2c993e641ca1d812893c696dbb04
Opcode Fuzzy Hash: ee9370e9058bed885495372fdc7b04a66382a55924eebb1b44f65b2d339dec2e
Instruction Fuzzy Hash: A821597292020AAFDB04DFA8DC49AFA7BA9EB09314F044629FD55D2250EB35E860DB50

Function 002A6952 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 002A69D4
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 002A69E3

Strings

edit, xrefs: 002A69B8

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 470a59db487a92ed61f3b3b6b35d01a3771823e6bfdde7aa90df044bea3862f2
Instruction ID: e4abba0722ae3c0d43bce96d19f05f1b920fbd00d24200aa4224dba009d5bcb7
Opcode Fuzzy Hash: 470a59db487a92ed61f3b3b6b35d01a3771823e6bfdde7aa90df044bea3862f2
Instruction Fuzzy Hash: 4D11BF71520206AFEF104F74EC48AFB3769EB06368F544724F9A0971E0CB35DC609B60

Function 00282CA7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00282D1A
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00282D39

Strings

0, xrefs: 00282D10

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 4237782cdb6e6d673d7e6e45987075bf4c3654b975bd95caa3b797efb9a70211
Instruction ID: 81e82af16cd8fec071661278934c26b1ae3ea781b5a3474e983ce26b2a6171c7
Opcode Fuzzy Hash: 4237782cdb6e6d673d7e6e45987075bf4c3654b975bd95caa3b797efb9a70211
Instruction Fuzzy Hash: C1112679D32125EBCB24FF58D888BAD7BA9AB01300F054126EC05AB2E0D770AD1DC790

Function 002922EC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00292342
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0029236B

Strings

<local>, xrefs: 00292333

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: dd7b248c483c75b109cba6ad6353259e7e940308cb3298c60f08e9dd0297c0e0
Instruction ID: ea5e415abd32ef1830f9a3785a9a9a59c78fe954bde074d57f0cdd6718584ca6
Opcode Fuzzy Hash: dd7b248c483c75b109cba6ad6353259e7e940308cb3298c60f08e9dd0297c0e0
Instruction Fuzzy Hash: DF110670521226FADF248F518C88EFBFB6CFF06351F1041AAF54952000D2B469A8C6F4

Function 00230A8D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00223C26,002E52F8,?,?,?), ref: 00230ACE

Part of subcall function 00227D2C: _memmove.LIBCMT ref: 00227D66

_wcscat.LIBCMT ref: 00265010

Strings

S., xrefs: 00230B0E

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: S.
API String ID: 257928180-2842793924
Opcode ID: e8180dffff527088a235e077e71537f7dc60cac6bd87acc9eafa2aeb93d06d92
Instruction ID: 71d3b769aded66482dbda9606979be57a3eaa10178f4e67cf2a26bd87d0cb59a
Opcode Fuzzy Hash: e8180dffff527088a235e077e71537f7dc60cac6bd87acc9eafa2aeb93d06d92
Instruction Fuzzy Hash: 76118271A34218AB8B40EBA4DD41ED9B3B9EF08348F4004A5B948D7251DAB09AA88F64

Function 002790C7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00227F41: _memmove.LIBCMT ref: 00227F82

Part of subcall function 0027AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 0027AEC7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00279135

Strings

ListBox, xrefs: 002790FF
ComboBox, xrefs: 002790D4

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 9a94496e13f13e1ffc0579b9864b938b38540bcdfddae3fb4c7fd52ad89492f9
Instruction ID: e10b11c305f0b398a0393397962555c9509c59f94a1d6ed8c977c4134daf7a47
Opcode Fuzzy Hash: 9a94496e13f13e1ffc0579b9864b938b38540bcdfddae3fb4c7fd52ad89492f9
Instruction Fuzzy Hash: 7201F531669225ABCB04EBA4CC968FE7369EF07320B144619F83A573D1DA3558289B50

Function 00278FBF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00227F41: _memmove.LIBCMT ref: 00227F82

Part of subcall function 0027AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 0027AEC7

SendMessageW.USER32(?,00000180,00000000,?), ref: 0027902D

Strings

ListBox, xrefs: 00278FF7
ComboBox, xrefs: 00278FCC

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: dc63faf344985801fece8e056eabdc16e77b4b4b06e62ef31620e644698ed825
Instruction ID: 1290b277e2b175529cac09d229faab9a4ecb9ffb517cf06c3be94bd7d70a400a
Opcode Fuzzy Hash: dc63faf344985801fece8e056eabdc16e77b4b4b06e62ef31620e644698ed825
Instruction Fuzzy Hash: FE01F771A792147BCF14EBA0DD96DFF73A8DF06300F14402AB806A3281DE355E289A71

Function 00279044 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00227F41: _memmove.LIBCMT ref: 00227F82

Part of subcall function 0027AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 0027AEC7

SendMessageW.USER32(?,00000182,?,00000000), ref: 002790B0

Strings

ListBox, xrefs: 0027907C
ComboBox, xrefs: 00279051

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 6a52bc34a34e31b737fe76d5db6961eedcc40d932aca63f2de78147a8838d6ac
Instruction ID: 669aa5d256a3f805c768cf1317f94dee676be06c2d706c73836e36674c8f7b59
Opcode Fuzzy Hash: 6a52bc34a34e31b737fe76d5db6961eedcc40d932aca63f2de78147a8838d6ac
Instruction Fuzzy Hash: E5012B716752157BCF00EBA4CD42DFE73AC9F01310F144025780673382EA365E289A71

Function 0027C7AD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0027C7F6

Part of subcall function 0027CB06: _memmove.LIBCMT ref: 0027CB50
Part of subcall function 0027CB06: VariantInit.OLEAUT32(00000000), ref: 0027CB72
Part of subcall function 0027CB06: VariantCopy.OLEAUT32(00000000,?), ref: 0027CB7C

VariantClear.OLEAUT32(?), ref: 0027C818

Strings

d}-, xrefs: 0027C7D9

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: Variant$Init$ClearCopy_memmove
String ID: d}-
API String ID: 2932060187-1876025632
Opcode ID: 8953dee91dee8be0a7a2662f137fb13c424b5046de248051a4cf1622b7409445
Instruction ID: 2f0887cc62c814a0ffc9d0db6e2165109d7757ab91d01dc097e296782e5b5f20
Opcode Fuzzy Hash: 8953dee91dee8be0a7a2662f137fb13c424b5046de248051a4cf1622b7409445
Instruction Fuzzy Hash: 13111E719107089FC720DFA9D88589AF7F8FF18314B50862FE58AD7611E771AA54CF90

Function 00284FCF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00284FED
_wcscmp.LIBCMT ref: 00284FFF

Strings

#32770, xrefs: 00284FF9

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 789c0d0e09582d13fed335657d2de7206acfe6ccb2b50e6699000e9e8776dba0
Instruction ID: b3ed4eb0051827bedddf4b6972e884386ed31b1a23fede1a12a916b523a83c94
Opcode Fuzzy Hash: 789c0d0e09582d13fed335657d2de7206acfe6ccb2b50e6699000e9e8776dba0
Instruction Fuzzy Hash: 2CE06832A0022A2BD720EB99BC0DFA7F7ACEB05770F010027FC00D3150E9609A1187E0

Function 0025B441 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0025B494: _memset.LIBCMT ref: 0025B4A1

Part of subcall function 00240AC0: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0025B470,?,?,?,0022100A), ref: 00240AC5

IsDebuggerPresent.KERNEL32(?,?,?,0022100A), ref: 0025B474
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0022100A), ref: 0025B483

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0025B47E

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 4574b06ba9412f0c38eb0c72c396de5d1aa08f35806ccfdeabf65a80df88003e
Instruction ID: 4fd64d374a548d8a7bee6dd04f7e6509b03518872e01df103f670efc5f038932
Opcode Fuzzy Hash: 4574b06ba9412f0c38eb0c72c396de5d1aa08f35806ccfdeabf65a80df88003e
Instruction Fuzzy Hash: 03E06D702207618BD7719F64E908B467BE0AB04305F018A6CE842C6242EBB4E458CBA1

Function 002A59CD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002A59D7
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 002A59EA

Part of subcall function 002852EB: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00285363

Strings

Shell_TrayWnd, xrefs: 002A59D0

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 48c3b67801db9d496ee770ca93d16d27e73632f88848a66bdbb152b6e5546375
Instruction ID: ba281815682664d91eb59da29b7e69e8e7aeacab0c99a8c176c4245594f49c3c
Opcode Fuzzy Hash: 48c3b67801db9d496ee770ca93d16d27e73632f88848a66bdbb152b6e5546375
Instruction Fuzzy Hash: 5CD0A931390310B7E2A8BBB0AC4FFA22A14AB01B00F000825B615AA1D0CCE4A8008A10

Function 002A5A01 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002A5A17
PostMessageW.USER32(00000000), ref: 002A5A1E

Part of subcall function 002852EB: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00285363

Strings

Shell_TrayWnd, xrefs: 002A5A10

Memory Dump Source

Source File: 00000000.00000002.1664329592.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.1664312507.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664373661.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664420214.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1664434161.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_z25RFQ945894-PDF.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 9015bd6c5e1a9772f0e47513bcb127de93ce0f3e8ae9364f0bc7eb8445bc417d
Instruction ID: ece61935bad6ac9e0c5d39648257974f53915340e5155533f0e69108f3cb7fe7
Opcode Fuzzy Hash: 9015bd6c5e1a9772f0e47513bcb127de93ce0f3e8ae9364f0bc7eb8445bc417d
Instruction Fuzzy Hash: 65D0A9313803107BE2A8BBB0AC4FF922614AB02B00F000825B611AA1D0CCE4A8008A14

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report z25RFQ945894-PDF.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\autA113.tmp

C:\Users\user\AppData\Local\Temp\quinquenniad

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

Windows Analysis Report
z25RFQ945894-PDF.exe

Function 00223B4C Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Function 00224FE9 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 62
COMMON

Function 00224AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 002891FE Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00223017 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 70
windowregistryCOMMON

Function 00223041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 002271EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00223633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Function 00223A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00223778 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Function 0022F8CF Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Function 0123EEA0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 002239E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 0123EC20 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 162
fileCOMMON

Function 0022410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre