Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1522730
MD5: e7077a89901f62b2ef9559d7631d02c0
SHA1: 204fb5dc840946279b429199e075164ed59aecae
SHA256: 6e99f41ac17bbbcfbb0bcd6ea1f2b3a9c7b659981ff6da15ff24d44385d58f3b
Tags: exe, user-jstrosch

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Uses Windows timers to delay execution
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7720 cmdline: "C:\Users\user\Desktop\file.exe" MD5: E7077A89901F62B2EF9559D7631D02C0)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 81.2% probability
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_009C449B GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_009CC7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_009CC75D FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_009CF021 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_009CF17E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_009CF47F FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_009C3833 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_009C3B56 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_009CBD48 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_009D2404 InternetReadFile,InternetQueryDataAvailable,InternetReadFile
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_009D407C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_009D427A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_009C003A GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_009ECB26 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

System Summary

Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_00963B4C: This is a third-party compiled AutoIt script.
Source: file.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_180bf91c-4)
Source: file.exe, 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer" (memstr_a27351e6-7)
Source: file.exe | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_81aa0bf0-6)
Source: file.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer" (memstr_de2b9b68-f)
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_009CA279: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_009B88D9 GetCurrentProcess,OpenProcessToken,CreateEnvironmentBlock,CloseHandle,CreateProcessWithLogonW,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_009C5264 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_0096E060
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_00974140
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_00982345
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_00996452
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_009E0465
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_009925AE
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_0098277A
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_009E08E2
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_0096E800
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_00976841
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_009969C4
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_0099890F
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_009C8932
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_009BE928
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_00978968
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_0098CCA1
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_00996F36
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_009770FE
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_00973190
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_00961287
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_00983307
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_0098F359
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_00975680
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_00981604
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_009758C0
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_00987813
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_00981AF8
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_0098DAF5
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_00999C35
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_009E7E0D
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_0096FE40
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_00981F10
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_0098BF26
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00980C63 appears 70 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00988A80 appears 42 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00967F41 appears 35 times
Source: classification engine | Classification label: mal52.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_009CA0F4 GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_009B84F3 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_009B8AA3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_009CB3BF SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_009DEF21 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_009D84D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_00964FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\file.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_009DC104 LoadLibraryA,GetProcAddress
Source: file.exe | Static PE information: real checksum: 0xcdca7 should be: 0xcee16
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_00988AC5 push ecx; ret 5_2_00988AD8
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_00964A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_009E53DF IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_00983307 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | User Timer Set: Timeout: 750ms
Source: C:\Users\user\Desktop\file.exe | Window / User API: threadDelayed 7529
Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes (graph_5-99118)
Source: C:\Users\user\Desktop\file.exe | API coverage: 3.6 %
Source: C:\Users\user\Desktop\file.exe TID: 7724 | Thread sleep time: -75290s >= -30000s
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe | Thread sleep count: Count: 7529 delay: -10
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_00964AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_009D401F BlockInput
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_00963B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_00995BFC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_009B81D4 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_0098A2A4 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_0098A2D5 SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_009B8A73 LogonUserW
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_009C4CCE mouse_event
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_009C4A08 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: file.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe | Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_009887AB cpuid
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_00995007 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_009A215F GetUserNameW
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_009940BA __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
Source: file.exe | Binary or memory string: WIN_81
Source: file.exe | Binary or memory string: WIN_XP
Source: file.exe | Binary or memory string: WIN_XPe
Source: file.exe | Binary or memory string: WIN_VISTA
Source: file.exe | Binary or memory string: WIN_7
Source: file.exe | Binary or memory string: WIN_8
Source: file.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_009D6399 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_009D685D socket,WSAGetLastError,bind,WSAGetLastError,closesocket
MITRE ATT&CK Matrix (matched techniques only; the number in parentheses is the count shown beside the technique in the report's matrix):
  • Initial Access: Valid Accounts (2)
  • Execution: Native API (2)
  • Persistence: Valid Accounts (2); DLL Side-Loading (1)
  • Privilege Escalation: Valid Accounts (2); Exploitation for Privilege Escalation (1); Access Token Manipulation (21); Process Injection (1); DLL Side-Loading (1)
  • Defense Evasion: Valid Accounts (2); Virtualization/Sandbox Evasion (12); Disable or Modify Tools (1); Access Token Manipulation (21); Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); DLL Side-Loading (1)
  • Credential Access: Input Capture (21)
  • Discovery: System Time Discovery (2); Security Software Discovery (3); Virtualization/Sandbox Evasion (12); Process Discovery (2); Application Window Discovery (11); Account Discovery (1); System Owner/User Discovery (1); File and Directory Discovery (1); System Information Discovery (15)
  • Collection: Input Capture (21); Archive Collected Data (1); Clipboard Data (3)
  • Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1)
  • Impact: System Shutdown/Reboot (1)
No techniques were matched under Reconnaissance, Resource Development, Lateral Movement or Exfiltration.
Source | Detection | Scanner | Label | Link
file.exe | 3% | ReversingLabs | |
No Antivirus matches
No contacted domains info
No contacted IP info
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1522730
Start date and time: 2024-09-30 16:10:18 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 22s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal52.evad.winEXE@1/0@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 30
  • Number of non-executed functions: 298
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed; the report is missing behavior information
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • VT rate limit hit for: file.exe
No simulations
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.6261976217667
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 842'752 bytes
MD5: e7077a89901f62b2ef9559d7631d02c0
SHA1: 204fb5dc840946279b429199e075164ed59aecae
SHA256: 6e99f41ac17bbbcfbb0bcd6ea1f2b3a9c7b659981ff6da15ff24d44385d58f3b
SHA512: 65040856fe0092bdca034ce29db335166bea0c3c0fabd5bfd50a6c2c1358c61a69d57f3e8c347da1a831c6c2d1a4be7755edf6a085aa5a413b86e540bf64515b
SSDEEP: 12288:DCdOy3vVrKxR5CXbNjAOxK/j2n+4YG/6c1mFFja3mXgcjfRlgsUBgaxnIQ:DCdxte/80jYLT3U1jfsWaxnIQ
TLSH: 6B058C2273DDC360CB769173BF6AB3016EBF78650630B85B2F880D79A950171266D7A3
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..
Icon Hash: 6fc7393525311b07
Entrypoint: 0x427f4a
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x5A688B77 [Wed Jan 24 13:34:47 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: afcdf79be1557326c854b6e20cb900a7
Instruction
call 00007F41ECDAE10Dh
jmp 00007F41ECDA0ED4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F41ECDA105Ah
cmp edi, eax
jc 00007F41ECDA13BEh
bt dword ptr [004C31FCh], 01h
jnc 00007F41ECDA1059h
rep movsb
jmp 00007F41ECDA136Ch
cmp ecx, 00000080h
jc 00007F41ECDA1224h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F41ECDA1060h
bt dword ptr [004BE324h], 01h
jc 00007F41ECDA1530h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F41ECDA11FDh
test edi, 00000003h
jne 00007F41ECDA120Eh
test esi, 00000003h
jne 00007F41ECDA11EDh
bt edi, 02h
jnc 00007F41ECDA105Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F41ECDA1063h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F41ECDA10B5h
bt esi, 03h
Programming Language:
  • [ASM] VS2013 build 21005
  • [ C ] VS2013 build 21005
  • [C++] VS2013 build 21005
  • [ C ] VS2008 SP1 build 30729
  • [IMP] VS2008 SP1 build 30729
  • [ASM] VS2013 UPD5 build 40629
  • [RES] VS2013 build 21005
  • [LNK] VS2013 UPD5 build 40629
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xba44c          0x17c         .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xc7000          0x527c        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xcd000          0x7130        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x92bc0          0x1c          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0xa4870          0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x8f000          0x884         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type           Entropy            Characteristics
.text   0x1000           0x8dd2e       0x8de00   c2c2260508750422d20cd5cbb116b146  False     0.5729952505506608  data                6.675875439961112  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x8f000          0x2e10e       0x2e200   4513b58651e3d8d87c81a396e5b2f1d1  False     0.3353340955284553  OpenPGP Public Key  5.760731648769018  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0xbe000          0x8f74        0x5200    c2de4a3d214eae7e87c7bfc06bd79775  False     0.1017530487804878  data                1.1988106744719143 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0xc7000          0x527c        0x5400    ece5bb8ed3df4924bf49a7521412f64e  False     0.4761439732142857  data                5.284534349281216  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xcd000          0x7130        0x7200    1254908a9a03d2bcf12045d49cd572b9  False     0.7703536184210527  data                6.782377328042204  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA      Size   Type                                                                                  Language  Country        ZLIB Complexity
RT_ICON        0xc74b8  0x128  Device independent bitmap graphic, 16 x 32 x 4, image size 192                        English   Great Britain  0.7466216216216216
RT_ICON        0xc75e0  0x128  Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors   English   Great Britain  0.3277027027027027
RT_ICON        0xc7708  0x128  Device independent bitmap graphic, 16 x 32 x 4, image size 192                        English   Great Britain  0.3885135135135135
RT_ICON        0xc7830  0xea8  Device independent bitmap graphic, 48 x 96 x 8, image size 2688                       English   Great Britain  0.7169509594882729
RT_ICON        0xc86d8  0x8a8  Device independent bitmap graphic, 32 x 64 x 8, image size 1152                       English   Great Britain  0.8253610108303249
RT_ICON        0xc8f80  0x568  Device independent bitmap graphic, 16 x 32 x 8, image size 320                        English   Great Britain  0.7579479768786127
RT_MENU        0xc94e8  0x50   data                                                                                  English   Great Britain  0.9
RT_STRING      0xc9538  0x594  data                                                                                  English   Great Britain  0.3333333333333333
RT_STRING      0xc9acc  0x68a  data                                                                                  English   Great Britain  0.2747909199522103
RT_STRING      0xca158  0x490  data                                                                                  English   Great Britain  0.3715753424657534
RT_STRING      0xca5e8  0x5fc  data                                                                                  English   Great Britain  0.3087467362924282
RT_STRING      0xcabe4  0x65c  data                                                                                  English   Great Britain  0.34336609336609336
RT_STRING      0xcb240  0x466  data                                                                                  English   Great Britain  0.3605683836589698
RT_STRING      0xcb6a8  0x158  Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0                      English   Great Britain  0.502906976744186
RT_RCDATA      0xcb800  0x404  data                                                                                  (none)    (none)         1.0107003891050583
RT_GROUP_ICON  0xcbc04  0x30   data                                                                                  English   Great Britain  0.9375
RT_GROUP_ICON  0xcbc34  0x14   data                                                                                  English   Great Britain  1.25
RT_GROUP_ICON  0xcbc48  0x14   data                                                                                  English   Great Britain  1.15
RT_GROUP_ICON  0xcbc5c  0x14   data                                                                                  English   Great Britain  1.25
RT_VERSION     0xcbc70  0x21c  data                                                                                  English   Great Britain  0.5166666666666667
RT_MANIFEST    0xcbe8c  0x3ef  ASCII text, with CRLF line terminators                                                English   Great Britain  0.5074478649453823

Two caveats when reading these tables. The "File Type" column comes from libmagic pattern matching on the leading bytes of each blob, so "OpenPGP Public Key" on .rdata and "Matlab v4 mat-file" on a string table are almost certainly heuristic false positives, not evidence of embedded key material or data files. The one resource worth attention is RT_RCDATA: it carries no language ID, unlike every other resource, and its ZLIB complexity of 1.0107 on 0x404 = 1028 bytes means zlib emitted 1039 bytes, which is the raw data plus the 11-byte zlib framing with no reduction at all, the signature of data that is already compressed or encrypted. The RT_GROUP_ICON entries above 1.0 are a different effect: on a 20-byte input the same fixed framing dominates, so a ratio above 1.0 on tiny resources is not by itself meaningful.
DLL: Imports
WSOCK32.dll: WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll: GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll: timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll: ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll: WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll: InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL: GetProcessMemoryInfo
IPHLPAPI.DLL: IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll: DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll: IsThemeActive
KERNEL32.dll: DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll: AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll: StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll: GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll: GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll: DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll: CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll: LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Language of compilation system  Country where language is spoken
English                         Great Britain
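Every static number in the tables above (per-section entropy, per-blob ZLIB complexity, the import hash) can be recomputed from the file, and doing so is how a practitioner confirms that the sample in hand is the one this report describes before acting on the report. The block below is an added example, not code from the Joe Sandbox report or from the sample. Its assumptions: "ZLIB Complexity" is taken to mean zlib-compressed length divided by raw length at the default level (consistent with the report, where the 1028-byte RT_RCDATA entry at 1.0107 comes out to exactly 1028 + 11 bytes of zlib framing); the import hash follows the pefile imphash rule (module lowercased with a .dll/.ocx/.sys suffix removed, function lowercased, table order, comma-joined, MD5), with pefile's ordinal-to-name tables for ws2_32/oleaut32 left out; the threshold in `classify_blob` and all sample inputs are constructed for the demo. One consequence worth keeping in mind for a binary of this kind, where a script runs inside a generic runtime: the import table and therefore the imphash belong to the runtime and repeat across unrelated samples, so the imphash clusters on the interpreter build, while the sample-specific content is the incompressible RT_RCDATA blob.

```python
"""Recompute the static indicators a sandbox PE report lists per section and
per resource (Shannon entropy, ZLIB complexity) and the import hash, so the
report's numbers can be checked against the file in hand.

Added example for this page; not code from the report or from the sample.
Assumption: 'ZLIB Complexity' = len(zlib.compress(data)) / len(data)."""
import hashlib
import math
import zlib
from collections import Counter
from typing import Iterable, List, Tuple, Union

ZLIB_FRAMING = 11  # 2-byte header + 5-byte stored-block header + 4-byte Adler-32


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty or constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def zlib_complexity(data: bytes) -> float:
    """Compressed/raw ratio. Above 1.0 means zlib fell back to a stored block:
    the data is already compressed or encrypted, or it is too small for the
    fixed framing overhead to amortise."""
    if not data:
        return 0.0
    return len(zlib.compress(data)) / len(data)


def imphash_string(imports: Iterable[Tuple[str, Union[str, int]]]) -> str:
    """Canonical string behind the import hash (pefile's rule): imports in
    table order as 'module.function', both lowercased, with a .dll/.ocx/.sys
    suffix dropped from the module; ordinal imports become 'ordN'. pefile's
    ordinal-to-name tables for ws2_32/oleaut32 are deliberately left out."""
    parts: List[str] = []
    for module, func in imports:
        name = module.lower()
        base, dot, ext = name.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            name = base
        func_name = "ord%d" % func if isinstance(func, int) else func.lower()
        parts.append("%s.%s" % (name, func_name))
    return ",".join(parts)


def imphash(imports: Iterable[Tuple[str, Union[str, int]]]) -> str:
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


def incompressible_blob(size: int) -> bytes:
    """Constructed stand-in for an encrypted resource: a SHA-256 output chain."""
    out, block = bytearray(), b"seed"
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:size])


def classify_blob(data: bytes) -> str:
    """Triage rule for one section or resource: flag incompressible
    high-entropy data, and refuse to judge inputs where framing dominates."""
    if len(data) < 64:
        return "too-small"
    ratio, ent = zlib_complexity(data), shannon_entropy(data)
    if ratio >= 1.0 and ent > 7.5:
        return "incompressible"
    return "compressible"


if __name__ == "__main__":
    code_like = bytes(range(256)) * 4 + b"\x00" * 1024  # constructed input
    payload = incompressible_blob(0x404)  # same size as the RT_RCDATA entry
    for label, blob in (("code-like", code_like), ("payload", payload)):
        print(label, round(shannon_entropy(blob), 3),
              round(zlib_complexity(blob), 4), classify_blob(blob))
    print(imphash([("KERNEL32.dll", "GetProcAddress"), ("USER32.dll", "MessageBoxW")]))
```

To check a real file, feed each section's raw bytes and each resource's bytes to `shannon_entropy` and `zlib_complexity`, and the ordered (module, function) pairs from the import directory to `imphash`; if the values disagree with the report, you are not looking at the same bytes the sandbox ran.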
No network behavior found

Target ID:5
Start time:10:11:09
Start date:30/09/2024
Path:C:\Users\user\Desktop\file.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\file.exe"
Imagebase:0x960000
File size:842'752 bytes
MD5 hash:E7077A89901F62B2EF9559D7631D02C0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:false

    Execution Graph

    Execution Coverage:2.2%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:4.7%
    Total number of Nodes:1433
    Total number of Limit Nodes:114
    execution_graph: rendering of the interactive call graph; the raw node and edge listing is not readable as text and is omitted here. What the node labels do preserve: the graph is rooted in the CRT start-up path (GetStartupInfoW, GetProcessHeap, GetCommandLineW, GetModuleFileNameW, GetEnvironmentStringsW/FreeEnvironmentStringsW, TlsAlloc/TlsSetValue, InitializeCriticalSectionAndSpinCount, EncodePointer/DecodePointer, IsProcessorFeaturePresent, SetUnhandledExceptionFilter/UnhandledExceptionFilter, GetCurrentProcess/TerminateProcess on security failure), followed by the program's own initialisation: GetVersionExW, GetCurrentProcess/IsWow64Process, GetSystemInfo and, resolved through LoadLibraryA/GetProcAddress, GetNativeSystemInfo; RegOpenKeyExW/RegQueryValueExW/RegCloseKey; GetStdHandle; OleInitialize; CreateThread/CloseHandle; IsThemeActive and SystemParametersInfoW; GetCurrentDirectoryW/GetFullPathNameW/SetCurrentDirectoryW; IsDebuggerPresent with a MessageBoxA branch; AllocateAndInitializeSid/CheckTokenMembership/FreeSid (the usual token-membership check pattern); GetForegroundWindow/ShellExecuteW; and a window and tray-icon loop built on RegisterWindowMessageW, SetTimer/KillTimer, CreatePopupMenu, Shell_NotifyIconW, LoadStringW, LoadIconW/LoadCursorW/GetSysColorBrush, DefWindowProcW, PostQuitMessage and DestroyWindow/DestroyIcon/DeleteObject. Node addresses (0x961016 and so on) are runtime addresses under the observed image base 0x960000 listed in the process entry above, not the preferred base 0x400000 from the PE header; subtract 0x560000 to map a node onto the static image.
98517->98517 98519 9638d8 98518->98519 98519->98504 98520 963919 98519->98520 98522 963ee2 59 API calls 98519->98522 98520->98504 98521 963926 98520->98521 98731 96942e 98521->98731 98523 9638fc 98522->98523 98525 9681a7 59 API calls 98523->98525 98527 96390a 98525->98527 98530 963ee2 59 API calls 98527->98530 98530->98520 98532 9693ea 59 API calls 98534 963961 98532->98534 98533 969040 60 API calls 98533->98534 98534->98532 98534->98533 98535 963ee2 59 API calls 98534->98535 98536 9639a7 Mailbox 98534->98536 98535->98534 98536->98406 98538 9673f2 __write_nolock 98537->98538 98539 96740b 98538->98539 98541 99ed7b _memset 98538->98541 99256 9648ae 98539->99256 98543 99ed97 GetOpenFileNameW 98541->98543 98545 99ede6 98543->98545 98546 967d2c 59 API calls 98545->98546 98548 99edfb 98546->98548 98548->98548 98550 967429 99284 9669ca 98550->99284 98554 970a9a __write_nolock 98553->98554 99468 966ee0 98554->99468 98556 970a9f 98568 963c26 98556->98568 99479 9712fe 87 API calls 98556->99479 98558 970aac 98558->98568 99480 974047 89 API calls Mailbox 98558->99480 98560 970ab5 98561 970ab9 GetFullPathNameW 98560->98561 98560->98568 98562 967d2c 59 API calls 98561->98562 98563 970ae5 98562->98563 98564 967d2c 59 API calls 98563->98564 98565 970af2 98564->98565 98566 9a5004 _wcscat 98565->98566 98567 967d2c 59 API calls 98565->98567 98567->98568 98568->98415 98568->98423 98570 963ac2 LoadImageW RegisterClassExW 98569->98570 98571 99d3cc 98569->98571 99485 963041 7 API calls 98570->99485 99486 9648fe LoadImageW EnumResourceNamesW 98571->99486 98574 963b46 98576 9639e7 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 98574->98576 98575 99d3d5 98576->98431 98578 9a501c 98577->98578 98590 970b55 98577->98590 99515 9c9ed4 87 API calls 4 library calls 98578->99515 98580 970e5a 98580->98437 98582 971044 98582->98580 98584 971051 98582->98584 99513 9711f3 255 API calls Mailbox 98584->99513 98585 970bab PeekMessageW 98654 970b65 Mailbox 98585->98654 98588 971058 LockWindowUpdate 
DestroyWindow GetMessageW 98588->98580 98592 97108a 98588->98592 98589 970e44 98589->98580 99512 9711d0 10 API calls Mailbox 98589->99512 98590->98654 99516 969fbd 60 API calls 98590->99516 99517 9b669f 255 API calls 98590->99517 98591 9a51da Sleep 98591->98654 98594 9a5fb1 TranslateMessage DispatchMessageW GetMessageW 98592->98594 98594->98594 98595 9a5fe1 98594->98595 98595->98580 98596 971005 TranslateMessage DispatchMessageW 98597 970fa3 PeekMessageW 98596->98597 98597->98654 98598 9a50a9 TranslateAcceleratorW 98598->98597 98598->98654 98599 980f36 59 API calls Mailbox 98599->98654 98600 970e73 timeGetTime 98600->98654 98601 9a5b78 WaitForSingleObject 98606 9a5b95 GetExitCodeProcess CloseHandle 98601->98606 98601->98654 98603 970fbf Sleep 98603->98654 98604 9681a7 59 API calls 98604->98654 98605 9677c7 59 API calls 98638 9a53bc Mailbox 98605->98638 98639 9710f5 98606->98639 98607 9a5e51 Sleep 98607->98638 98610 96b89c 228 API calls 98610->98654 98613 9710ae timeGetTime 99514 969fbd 60 API calls 98613->99514 98616 9a5ee8 GetExitCodeProcess 98621 9a5efe WaitForSingleObject 98616->98621 98622 9a5f14 CloseHandle 98616->98622 98619 9e5f8e 108 API calls 98619->98638 98620 96b93d 107 API calls 98620->98654 98621->98622 98621->98654 98622->98638 98624 9a5bcd 98624->98639 98625 969fbd 60 API calls 98625->98654 98626 9a5f70 Sleep 98626->98654 98627 9a53d1 Sleep 98627->98654 98630 967f41 59 API calls 98630->98638 98634 96a000 228 API calls 98634->98654 98638->98605 98638->98616 98638->98619 98638->98624 98638->98626 98638->98627 98638->98630 98638->98654 99525 9c2700 60 API calls 98638->99525 99526 969fbd 60 API calls 98638->99526 99527 968b13 69 API calls Mailbox 98638->99527 99528 96b89c 255 API calls 98638->99528 99529 9b6830 60 API calls 98638->99529 99530 9c52eb QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 98638->99530 99531 98034a timeGetTime 98638->99531 99532 9c3c99 66 API calls Mailbox 98638->99532 98639->98437 98642 
9c9ed4 87 API calls 98642->98654 98643 969df0 59 API calls Mailbox 98643->98654 98644 968620 69 API calls 98644->98654 98645 9b63f2 59 API calls Mailbox 98645->98654 98647 967f41 59 API calls 98647->98654 98648 968b13 69 API calls 98648->98654 98649 9a592e VariantClear 98649->98654 98650 968e34 59 API calls Mailbox 98650->98654 98651 9a59c4 VariantClear 98651->98654 98652 9a5772 VariantClear 98652->98654 98653 9b71e5 59 API calls 98653->98654 98654->98585 98654->98589 98654->98591 98654->98596 98654->98597 98654->98598 98654->98599 98654->98600 98654->98601 98654->98603 98654->98604 98654->98607 98654->98610 98654->98613 98654->98620 98654->98625 98654->98634 98654->98638 98654->98639 98654->98642 98654->98643 98654->98644 98654->98645 98654->98647 98654->98648 98654->98649 98654->98650 98654->98651 98654->98652 98654->98653 99487 96f5c0 98654->99487 99503 9631ce 98654->99503 99508 96e580 255 API calls 98654->99508 99509 96e800 255 API calls 2 library calls 98654->99509 99510 96fe40 255 API calls 2 library calls 98654->99510 99511 98034a timeGetTime 98654->99511 99518 9e6081 59 API calls 98654->99518 99519 9c9abe 59 API calls Mailbox 98654->99519 99520 9bd801 59 API calls 98654->99520 99521 969997 82 API calls 5 library calls 98654->99521 99522 9b6363 59 API calls 2 library calls 98654->99522 99523 968561 59 API calls 98654->99523 99524 96843f 59 API calls Mailbox 98654->99524 98655->98439 98656->98415 98657->98427 98659 991ac0 __write_nolock 98658->98659 98660 964871 GetModuleFileNameW 98659->98660 98661 967f41 59 API calls 98660->98661 98662 964897 98661->98662 98663 9648ae 60 API calls 98662->98663 98664 9648a1 Mailbox 98663->98664 98664->98435 98666 967f50 __wsetenvp _memmove 98665->98666 98667 980f36 Mailbox 59 API calls 98666->98667 98668 967f8e 98667->98668 98668->98440 98669->98450 98671 963d50 __write_nolock 98670->98671 98672 967d2c 59 API calls 98671->98672 98678 963eb6 Mailbox 98671->98678 98674 963d82 98672->98674 98683 963db8 Mailbox 98674->98683 
98792 967b52 98674->98792 98675 967b52 59 API calls 98675->98683 98676 963e89 98677 967f41 59 API calls 98676->98677 98676->98678 98680 963eaa 98677->98680 98678->98460 98679 967f41 59 API calls 98679->98683 98681 963f84 59 API calls 98680->98681 98681->98678 98683->98675 98683->98676 98683->98678 98683->98679 98795 963f84 98683->98795 98801 964d13 98684->98801 98689 99dc3f 98692 964faa 84 API calls 98689->98692 98690 964f68 LoadLibraryExW 98811 964cc8 98690->98811 98694 99dc46 98692->98694 98695 964cc8 3 API calls 98694->98695 98697 99dc4e 98695->98697 98837 96506b 98697->98837 98698 964f8f 98698->98697 98699 964f9b 98698->98699 98701 964faa 84 API calls 98699->98701 98703 9637e6 98701->98703 98703->98467 98703->98468 98705 99dc75 98845 965027 98705->98845 98707 99dc82 98709 980f36 Mailbox 59 API calls 98708->98709 98710 96380d 98709->98710 98710->98481 98712 96862b 98711->98712 98713 968652 98712->98713 99099 968b13 69 API calls Mailbox 98712->99099 98713->98485 98716 963f05 98715->98716 98717 963eec 98715->98717 98719 967d2c 59 API calls 98716->98719 98718 9681a7 59 API calls 98717->98718 98720 96388b 98718->98720 98719->98720 98721 98307d 98720->98721 98722 983089 98721->98722 98723 9830fe 98721->98723 98730 9830ae 98722->98730 99100 988ca8 58 API calls __getptd_noexit 98722->99100 99102 983110 60 API calls 4 library calls 98723->99102 98726 98310b 98726->98506 98727 983095 99101 988f36 9 API calls __fptostr 98727->99101 98729 9830a0 98729->98506 98730->98506 98732 969436 98731->98732 98733 980f36 Mailbox 59 API calls 98732->98733 98734 969444 98733->98734 98735 963936 98734->98735 99103 96935c 59 API calls Mailbox 98734->99103 98737 9691b0 98735->98737 99104 9692c0 98737->99104 98739 980f36 Mailbox 59 API calls 98741 963944 98739->98741 98740 9691bf 98740->98739 98740->98741 98742 969040 98741->98742 98743 99f4d5 98742->98743 98745 969057 98742->98745 98743->98745 99114 968d3b 59 API calls Mailbox 98743->99114 98746 96915f 98745->98746 98747 9691a0 
98745->98747 98748 969158 98745->98748 98746->98534 99113 969e9c 60 API calls Mailbox 98747->99113 98750 980f36 Mailbox 59 API calls 98748->98750 98750->98746 98752 965045 85 API calls 98751->98752 98753 9c9673 98752->98753 99115 9c97dd 98753->99115 98756 96506b 74 API calls 98757 9c96a0 98756->98757 98758 96506b 74 API calls 98757->98758 98759 9c96b0 98758->98759 98760 96506b 74 API calls 98759->98760 98761 9c96cb 98760->98761 98762 96506b 74 API calls 98761->98762 98763 9c96e6 98762->98763 98764 965045 85 API calls 98763->98764 98765 9c96fd 98764->98765 98766 98588c __malloc_crt 58 API calls 98765->98766 98767 9c9704 98766->98767 98768 98588c __malloc_crt 58 API calls 98767->98768 98769 9c970e 98768->98769 98770 96506b 74 API calls 98769->98770 98771 9c9722 98770->98771 98772 9c91b2 GetSystemTimeAsFileTime 98771->98772 98773 9c9735 98772->98773 98774 9c975f 98773->98774 98775 9c974a 98773->98775 98777 9c97c4 98774->98777 98778 9c9765 98774->98778 98776 982ed5 _free 58 API calls 98775->98776 98781 9c9750 98776->98781 98780 982ed5 _free 58 API calls 98777->98780 99121 9c8baf 116 API calls __fcloseall 98778->99121 98785 99d2f1 98780->98785 98783 982ed5 _free 58 API calls 98781->98783 98782 9c97bc 98784 982ed5 _free 58 API calls 98782->98784 98783->98785 98784->98785 98785->98472 98786 964faa 98785->98786 98787 964fb4 98786->98787 98788 964fbb 98786->98788 99122 985516 98787->99122 98790 964fca 98788->98790 98791 964fdb FreeLibrary 98788->98791 98790->98472 98791->98790 98793 967faf 59 API calls 98792->98793 98794 967b5d 98793->98794 98794->98674 98796 963f92 98795->98796 98800 963fb4 _memmove 98795->98800 98798 980f36 Mailbox 59 API calls 98796->98798 98797 980f36 Mailbox 59 API calls 98799 963fc8 98797->98799 98798->98800 98799->98683 98800->98797 98850 964d61 98801->98850 98804 964d61 2 API calls 98807 964d3a 98804->98807 98805 964d53 98808 9853cb 98805->98808 98806 964d4a FreeLibrary 98806->98805 98807->98805 98807->98806 98854 9853e0 98808->98854 98810 964f5c 
98810->98689 98810->98690 99014 964d94 98811->99014 98814 964ced 98815 964cff FreeLibrary 98814->98815 98816 964d08 98814->98816 98815->98816 98818 964dd0 98816->98818 98817 964d94 2 API calls 98817->98814 98819 980f36 Mailbox 59 API calls 98818->98819 98820 964de5 98819->98820 99018 96538e 98820->99018 98822 964df1 _memmove 98823 964e2c 98822->98823 98824 964f21 98822->98824 98825 964ee9 98822->98825 98826 965027 69 API calls 98823->98826 99032 9c99c4 95 API calls 98824->99032 99021 964fe9 CreateStreamOnHGlobal 98825->99021 98830 964e35 98826->98830 98829 96506b 74 API calls 98829->98830 98830->98829 98832 964ec9 98830->98832 98833 99dc00 98830->98833 99027 965045 98830->99027 98832->98698 98834 965045 85 API calls 98833->98834 98835 99dc14 98834->98835 98836 96506b 74 API calls 98835->98836 98836->98832 98838 96507d 98837->98838 98839 99dd26 98837->98839 99056 985752 98838->99056 98842 9c91b2 99076 9c9008 98842->99076 98844 9c91c8 98844->98705 98846 99dce9 98845->98846 98847 965036 98845->98847 99081 985dd0 98847->99081 98849 96503e 98849->98707 98851 964d2e 98850->98851 98852 964d6a LoadLibraryA 98850->98852 98851->98804 98851->98807 98852->98851 98853 964d7b GetProcAddress 98852->98853 98853->98851 98857 9853ec _fprintf 98854->98857 98855 9853ff 98903 988ca8 58 API calls __getptd_noexit 98855->98903 98857->98855 98859 985430 98857->98859 98858 985404 98904 988f36 9 API calls __fptostr 98858->98904 98873 990668 98859->98873 98862 985435 98863 98544b 98862->98863 98864 98543e 98862->98864 98866 985475 98863->98866 98867 985455 98863->98867 98905 988ca8 58 API calls __getptd_noexit 98864->98905 98888 990787 98866->98888 98906 988ca8 58 API calls __getptd_noexit 98867->98906 98872 98540f @_EH4_CallFilterFunc@8 _fprintf 98872->98810 98874 990674 _fprintf 98873->98874 98875 989d8b __lock 58 API calls 98874->98875 98886 990682 98875->98886 98876 9906f6 98908 99077e 98876->98908 98877 9906fd 98913 98899d 58 API calls __malloc_crt 98877->98913 98880 990704 98880->98876 
98914 989fab InitializeCriticalSectionAndSpinCount 98880->98914 98881 990773 _fprintf 98881->98862 98883 989e13 __mtinitlocknum 58 API calls 98883->98886 98885 99072a EnterCriticalSection 98885->98876 98886->98876 98886->98877 98886->98883 98911 986dcd 59 API calls __lock 98886->98911 98912 986e37 LeaveCriticalSection LeaveCriticalSection _doexit 98886->98912 98897 9907a7 __wopenfile 98888->98897 98889 9907c1 98919 988ca8 58 API calls __getptd_noexit 98889->98919 98890 99097c 98890->98889 98894 9909df 98890->98894 98892 9907c6 98920 988f36 9 API calls __fptostr 98892->98920 98916 998721 98894->98916 98895 985480 98907 9854a2 LeaveCriticalSection LeaveCriticalSection __wfsopen 98895->98907 98897->98889 98897->98890 98921 98394b 60 API calls 3 library calls 98897->98921 98899 990975 98899->98890 98922 98394b 60 API calls 3 library calls 98899->98922 98901 990994 98901->98890 98923 98394b 60 API calls 3 library calls 98901->98923 98903->98858 98904->98872 98905->98872 98906->98872 98907->98872 98915 989ef5 LeaveCriticalSection 98908->98915 98910 990785 98910->98881 98911->98886 98912->98886 98913->98880 98914->98885 98915->98910 98924 997f05 98916->98924 98918 99873a 98918->98895 98919->98892 98920->98895 98921->98899 98922->98901 98923->98890 98927 997f11 _fprintf 98924->98927 98925 997f27 99011 988ca8 58 API calls __getptd_noexit 98925->99011 98927->98925 98929 997f5d 98927->98929 98928 997f2c 99012 988f36 9 API calls __fptostr 98928->99012 98935 997fce 98929->98935 98932 997f79 99013 997fa2 LeaveCriticalSection __unlock_fhandle 98932->99013 98934 997f36 _fprintf 98934->98918 98936 997fee 98935->98936 98937 98465a __wsopen_nolock 58 API calls 98936->98937 98940 99800a 98937->98940 98938 998141 98939 988f46 __invoke_watson 8 API calls 98938->98939 98941 998720 98939->98941 98940->98938 98943 998044 98940->98943 98949 998067 98940->98949 98942 997f05 __wsopen_helper 103 API calls 98941->98942 98944 99873a 98942->98944 98945 988c74 __commit 58 API calls 98943->98945 
98944->98932 98946 998049 98945->98946 98947 988ca8 __flsbuf 58 API calls 98946->98947 98948 998056 98947->98948 98950 988f36 __fptostr 9 API calls 98948->98950 98951 998125 98949->98951 98958 998103 98949->98958 98952 998060 98950->98952 98953 988c74 __commit 58 API calls 98951->98953 98952->98932 98954 99812a 98953->98954 98955 988ca8 __flsbuf 58 API calls 98954->98955 98956 998137 98955->98956 98957 988f36 __fptostr 9 API calls 98956->98957 98957->98938 98959 98d414 __alloc_osfhnd 61 API calls 98958->98959 98960 9981d1 98959->98960 98961 9981db 98960->98961 98962 9981fe 98960->98962 98964 988c74 __commit 58 API calls 98961->98964 98963 997e7d ___createFile GetModuleHandleW GetProcAddress CreateFileW 98962->98963 98974 998220 98963->98974 98965 9981e0 98964->98965 98967 988ca8 __flsbuf 58 API calls 98965->98967 98966 99829e GetFileType 98968 9982a9 GetLastError 98966->98968 98969 9982eb 98966->98969 98971 9981ea 98967->98971 98973 988c87 __dosmaperr 58 API calls 98968->98973 98981 98d6aa __set_osfhnd 59 API calls 98969->98981 98970 99826c GetLastError 98975 988c87 __dosmaperr 58 API calls 98970->98975 98972 988ca8 __flsbuf 58 API calls 98971->98972 98972->98952 98976 9982d0 CloseHandle 98973->98976 98974->98966 98974->98970 98977 997e7d ___createFile GetModuleHandleW GetProcAddress CreateFileW 98974->98977 98978 998291 98975->98978 98976->98978 98979 9982de 98976->98979 98980 998261 98977->98980 98983 988ca8 __flsbuf 58 API calls 98978->98983 98982 988ca8 __flsbuf 58 API calls 98979->98982 98980->98966 98980->98970 98986 998309 98981->98986 98984 9982e3 98982->98984 98983->98938 98984->98978 98985 9984c4 98985->98938 98988 998697 CloseHandle 98985->98988 98986->98985 98987 991a41 __lseeki64_nolock 60 API calls 98986->98987 99004 99838a 98986->99004 98989 998373 98987->98989 98990 997e7d ___createFile GetModuleHandleW GetProcAddress CreateFileW 98988->98990 98992 988c74 __commit 58 API calls 98989->98992 99009 998392 98989->99009 98991 9986be 98990->98991 98994 
99854e 98991->98994 98995 9986c6 GetLastError 98991->98995 98992->99004 98993 990fdb 70 API calls __read_nolock 98993->99009 98994->98938 98996 988c87 __dosmaperr 58 API calls 98995->98996 98998 9986d2 98996->98998 98997 991a41 60 API calls __lseeki64_nolock 98997->99009 99001 98d5bd __free_osfhnd 59 API calls 98998->99001 98999 990c5d __close_nolock 61 API calls 98999->99009 99000 999922 __chsize_nolock 82 API calls 99000->99009 99001->98994 99002 98da06 __write 78 API calls 99002->99004 99003 991a41 60 API calls __lseeki64_nolock 99003->99004 99004->98985 99004->99002 99004->99003 99004->99009 99005 998541 99006 990c5d __close_nolock 61 API calls 99005->99006 99008 998548 99006->99008 99007 99852a 99007->98985 99010 988ca8 __flsbuf 58 API calls 99008->99010 99009->98993 99009->98997 99009->98999 99009->99000 99009->99004 99009->99005 99009->99007 99010->98994 99011->98928 99012->98934 99013->98934 99015 964ce1 99014->99015 99016 964d9d LoadLibraryA 99014->99016 99015->98814 99015->98817 99016->99015 99017 964dae GetProcAddress 99016->99017 99017->99015 99019 980f36 Mailbox 59 API calls 99018->99019 99020 9653a0 99019->99020 99020->98822 99022 965003 FindResourceExW 99021->99022 99026 965020 99021->99026 99023 99dc8c LoadResource 99022->99023 99022->99026 99024 99dca1 SizeofResource 99023->99024 99023->99026 99025 99dcb5 LockResource 99024->99025 99024->99026 99025->99026 99026->98823 99028 965054 99027->99028 99029 99dd04 99027->99029 99033 9859bd 99028->99033 99031 965062 99031->98830 99032->98823 99034 9859c9 _fprintf 99033->99034 99035 9859db 99034->99035 99037 985a01 99034->99037 99046 988ca8 58 API calls __getptd_noexit 99035->99046 99048 986d8e 99037->99048 99039 9859e0 99047 988f36 9 API calls __fptostr 99039->99047 99040 985a07 99054 98592e 83 API calls 4 library calls 99040->99054 99043 985a16 99055 985a38 LeaveCriticalSection LeaveCriticalSection __wfsopen 99043->99055 99045 9859eb _fprintf 99045->99031 99046->99039 99047->99045 99049 986d9e 
99048->99049 99050 986dc0 EnterCriticalSection 99048->99050 99049->99050 99051 986da6 99049->99051 99052 986db6 99050->99052 99053 989d8b __lock 58 API calls 99051->99053 99052->99040 99053->99052 99054->99043 99055->99045 99059 98576d 99056->99059 99058 96508e 99058->98842 99060 985779 _fprintf 99059->99060 99061 9857b4 _fprintf 99060->99061 99062 9857bc 99060->99062 99063 98578f _memset 99060->99063 99061->99058 99064 986d8e __lock_file 59 API calls 99062->99064 99072 988ca8 58 API calls __getptd_noexit 99063->99072 99065 9857c2 99064->99065 99074 98558d 72 API calls 6 library calls 99065->99074 99068 9857a9 99073 988f36 9 API calls __fptostr 99068->99073 99069 9857d8 99075 9857f6 LeaveCriticalSection LeaveCriticalSection __wfsopen 99069->99075 99072->99068 99073->99061 99074->99069 99075->99061 99079 98537a GetSystemTimeAsFileTime 99076->99079 99078 9c9017 99078->98844 99080 9853a8 __aulldiv 99079->99080 99080->99078 99082 985ddc _fprintf 99081->99082 99083 985dee 99082->99083 99084 985e03 99082->99084 99095 988ca8 58 API calls __getptd_noexit 99083->99095 99086 986d8e __lock_file 59 API calls 99084->99086 99088 985e09 99086->99088 99087 985df3 99096 988f36 9 API calls __fptostr 99087->99096 99097 985a40 67 API calls 6 library calls 99088->99097 99091 985e14 99098 985e34 LeaveCriticalSection LeaveCriticalSection __wfsopen 99091->99098 99093 985e26 99094 985dfe _fprintf 99093->99094 99094->98849 99095->99087 99096->99094 99097->99091 99098->99093 99099->98713 99100->98727 99101->98729 99102->98726 99103->98735 99105 9692c9 Mailbox 99104->99105 99106 99f4f8 99105->99106 99111 9692d3 99105->99111 99107 980f36 Mailbox 59 API calls 99106->99107 99109 99f504 99107->99109 99108 9692da 99108->98740 99111->99108 99112 969df0 59 API calls Mailbox 99111->99112 99112->99111 99113->98746 99114->98745 99120 9c97f1 __tzset_nolock _wcscmp 99115->99120 99116 96506b 74 API calls 99116->99120 99117 9c9685 99117->98756 99117->98785 99118 9c91b2 GetSystemTimeAsFileTime 99118->99120 
99119 965045 85 API calls 99119->99120 99120->99116 99120->99117 99120->99118 99120->99119 99121->98782 99123 985522 _fprintf 99122->99123 99124 98554e 99123->99124 99125 985536 99123->99125 99127 986d8e __lock_file 59 API calls 99124->99127 99132 985546 _fprintf 99124->99132 99151 988ca8 58 API calls __getptd_noexit 99125->99151 99129 985560 99127->99129 99128 98553b 99152 988f36 9 API calls __fptostr 99128->99152 99135 9854aa 99129->99135 99132->98788 99136 9854b9 99135->99136 99137 9854cd 99135->99137 99197 988ca8 58 API calls __getptd_noexit 99136->99197 99138 9854c9 99137->99138 99154 984bad 99137->99154 99153 985585 LeaveCriticalSection LeaveCriticalSection __wfsopen 99138->99153 99141 9854be 99198 988f36 9 API calls __fptostr 99141->99198 99147 9854e7 99171 990b82 99147->99171 99149 9854ed 99149->99138 99150 982ed5 _free 58 API calls 99149->99150 99150->99138 99151->99128 99152->99132 99153->99132 99155 984bc0 99154->99155 99159 984be4 99154->99159 99156 984856 __flsbuf 58 API calls 99155->99156 99155->99159 99157 984bdd 99156->99157 99199 98da06 78 API calls 7 library calls 99157->99199 99160 990cf7 99159->99160 99161 9854e1 99160->99161 99162 990d04 99160->99162 99164 984856 99161->99164 99162->99161 99163 982ed5 _free 58 API calls 99162->99163 99163->99161 99165 984860 99164->99165 99166 984875 99164->99166 99200 988ca8 58 API calls __getptd_noexit 99165->99200 99166->99147 99168 984865 99201 988f36 9 API calls __fptostr 99168->99201 99170 984870 99170->99147 99172 990b8e _fprintf 99171->99172 99173 990b9b 99172->99173 99174 990bb2 99172->99174 99226 988c74 58 API calls __getptd_noexit 99173->99226 99176 990c3d 99174->99176 99178 990bc2 99174->99178 99231 988c74 58 API calls __getptd_noexit 99176->99231 99177 990ba0 99227 988ca8 58 API calls __getptd_noexit 99177->99227 99181 990bea 99178->99181 99182 990be0 99178->99182 99202 98d386 99181->99202 99228 988c74 58 API calls __getptd_noexit 99182->99228 99183 990be5 99232 988ca8 58 API calls __getptd_noexit 
99183->99232 99184 990ba7 _fprintf 99184->99149 99187 990bf0 99189 990c0e 99187->99189 99190 990c03 99187->99190 99229 988ca8 58 API calls __getptd_noexit 99189->99229 99211 990c5d 99190->99211 99191 990c49 99233 988f36 9 API calls __fptostr 99191->99233 99195 990c09 99230 990c35 LeaveCriticalSection __unlock_fhandle 99195->99230 99197->99141 99198->99138 99199->99159 99200->99168 99201->99170 99203 98d392 _fprintf 99202->99203 99204 98d3e1 EnterCriticalSection 99203->99204 99205 989d8b __lock 58 API calls 99203->99205 99206 98d407 _fprintf 99204->99206 99207 98d3b7 99205->99207 99206->99187 99208 98d3cf 99207->99208 99234 989fab InitializeCriticalSectionAndSpinCount 99207->99234 99235 98d40b LeaveCriticalSection _doexit 99208->99235 99236 98d643 99211->99236 99213 990cc1 99249 98d5bd 59 API calls 2 library calls 99213->99249 99215 990c6b 99215->99213 99217 98d643 __commit 58 API calls 99215->99217 99225 990c9f 99215->99225 99216 990cc9 99222 990ceb 99216->99222 99250 988c87 58 API calls 3 library calls 99216->99250 99219 990c96 99217->99219 99218 98d643 __commit 58 API calls 99220 990cab CloseHandle 99218->99220 99223 98d643 __commit 58 API calls 99219->99223 99220->99213 99224 990cb7 GetLastError 99220->99224 99222->99195 99223->99225 99224->99213 99225->99213 99225->99218 99226->99177 99227->99184 99228->99183 99229->99195 99230->99184 99231->99183 99232->99191 99233->99184 99234->99208 99235->99204 99237 98d64e 99236->99237 99238 98d663 99236->99238 99251 988c74 58 API calls __getptd_noexit 99237->99251 99243 98d688 99238->99243 99253 988c74 58 API calls __getptd_noexit 99238->99253 99240 98d653 99252 988ca8 58 API calls __getptd_noexit 99240->99252 99243->99215 99244 98d692 99254 988ca8 58 API calls __getptd_noexit 99244->99254 99246 98d69a 99255 988f36 9 API calls __fptostr 99246->99255 99247 98d65b 99247->99215 99249->99216 99250->99222 99251->99240 99252->99247 99253->99244 99254->99246 99255->99247 99318 991ac0 99256->99318 99259 9648f7 99320 967eec 
99259->99320 99260 9648da 99261 967d2c 59 API calls 99260->99261 99263 9648e6 99261->99263 99264 967886 59 API calls 99263->99264 99265 9648f2 99264->99265 99266 980911 99265->99266 99267 991ac0 __write_nolock 99266->99267 99268 98091e GetLongPathNameW 99267->99268 99269 967d2c 59 API calls 99268->99269 99270 96741d 99269->99270 99271 96716b 99270->99271 99272 9677c7 59 API calls 99271->99272 99273 96717d 99272->99273 99274 9648ae 60 API calls 99273->99274 99275 967188 99274->99275 99276 967193 99275->99276 99280 99ebde 99275->99280 99277 963f84 59 API calls 99276->99277 99279 96719f 99277->99279 99324 9634c2 99279->99324 99282 99ebf8 99280->99282 99330 967a68 61 API calls 99280->99330 99283 9671b2 Mailbox 99283->98550 99285 964f3d 136 API calls 99284->99285 99286 9669ef 99285->99286 99287 99e38a 99286->99287 99288 964f3d 136 API calls 99286->99288 99289 9c9604 122 API calls 99287->99289 99291 966a03 99288->99291 99290 99e39f 99289->99290 99292 99e3c0 99290->99292 99293 99e3a3 99290->99293 99291->99287 99294 966a0b 99291->99294 99296 980f36 Mailbox 59 API calls 99292->99296 99295 964faa 84 API calls 99293->99295 99297 966a17 99294->99297 99298 99e3ab 99294->99298 99295->99298 99317 99e405 Mailbox 99296->99317 99331 966bec 99297->99331 99424 9c4339 88 API calls _wprintf 99298->99424 99301 99e3b9 99301->99292 99303 99e5b9 99304 982ed5 _free 58 API calls 99303->99304 99305 99e5c1 99304->99305 99306 964faa 84 API calls 99305->99306 99311 99e5ca 99306->99311 99310 982ed5 _free 58 API calls 99310->99311 99311->99310 99313 964faa 84 API calls 99311->99313 99430 9bfad2 87 API calls 4 library calls 99311->99430 99313->99311 99314 967f41 59 API calls 99314->99317 99317->99303 99317->99311 99317->99314 99425 9bfa6e 59 API calls 2 library calls 99317->99425 99426 9bf98f 61 API calls 2 library calls 99317->99426 99427 9c7428 59 API calls Mailbox 99317->99427 99428 96766f 59 API calls 2 library calls 99317->99428 99429 9674bd 59 API calls Mailbox 99317->99429 99319 9648bb 

    Control-flow Graph

    APIs
    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00963B7A
    • IsDebuggerPresent.KERNEL32 ref: 00963B8C
    • GetFullPathNameW.KERNEL32(00007FFF,?,?,00A252F8,00A252E0,?,?), ref: 00963BFD
      • Part of subcall function 00967D2C: _memmove.LIBCMT ref: 00967D66
      • Part of subcall function 00970A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00963C26,00A252F8,?,?,?), ref: 00970ACE
    • SetCurrentDirectoryW.KERNEL32(?), ref: 00963C81
    • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00A17770,00000010), ref: 0099D3EC
    • SetCurrentDirectoryW.KERNEL32(?,00A252F8,?,?,?), ref: 0099D424
    • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00A14260,00A252F8,?,?,?), ref: 0099D4AA
    • ShellExecuteW.SHELL32(00000000,?,?), ref: 0099D4B1
      • Part of subcall function 00963A58: GetSysColorBrush.USER32(0000000F), ref: 00963A62
      • Part of subcall function 00963A58: LoadCursorW.USER32(00000000,00007F00), ref: 00963A71
      • Part of subcall function 00963A58: LoadIconW.USER32(00000063), ref: 00963A88
      • Part of subcall function 00963A58: LoadIconW.USER32(000000A4), ref: 00963A9A
      • Part of subcall function 00963A58: LoadIconW.USER32(000000A2), ref: 00963AAC
      • Part of subcall function 00963A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00963AD2
      • Part of subcall function 00963A58: RegisterClassExW.USER32(?), ref: 00963B28
      • Part of subcall function 009639E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00963A15
      • Part of subcall function 009639E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00963A36
      • Part of subcall function 009639E7: ShowWindow.USER32(00000000,?,?), ref: 00963A4A
      • Part of subcall function 009639E7: ShowWindow.USER32(00000000,?,?), ref: 00963A53
      • Part of subcall function 009643DB: _memset.LIBCMT ref: 00964401
      • Part of subcall function 009643DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 009644A6
    Strings
    • This is a third-party compiled AutoIt script., xrefs: 0099D3E4
    • runas, xrefs: 0099D4A5
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
    • String ID: This is a third-party compiled AutoIt script.$runas
    • API String ID: 529118366-3287110873
    • Opcode ID: 3a0ed5ec7152e6f78bff6c56899af89b47828c3edec2f5a23fe4a25dc3a278be
    • Instruction ID: b4719a7bd0cb46ce9da248e73a8d6678698e93463b517c3c84348e7b5b180268
    • Opcode Fuzzy Hash: 3a0ed5ec7152e6f78bff6c56899af89b47828c3edec2f5a23fe4a25dc3a278be
    • Instruction Fuzzy Hash: 4651F430D09248EADF11EBF8EC56EFD7B78BB84344F008175F851A61E1DA745A46DB21

    Control-flow Graph

    APIs
    • GetVersionExW.KERNEL32(?), ref: 00964B2B
      • Part of subcall function 00967D2C: _memmove.LIBCMT ref: 00967D66
    • GetCurrentProcess.KERNEL32(?,009EFAEC,00000000,00000000,?), ref: 00964BF8
    • IsWow64Process.KERNEL32(00000000), ref: 00964BFF
    • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00964C45
    • FreeLibrary.KERNEL32(00000000), ref: 00964C50
    • GetSystemInfo.KERNEL32(00000000), ref: 00964C81
    • GetSystemInfo.KERNEL32(00000000), ref: 00964C8D
    Similarity
    • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
    • String ID:
    • API String ID: 1986165174-0
    • Opcode ID: 173e6d4554b5426c3eca00b3adfaf5dd56fa409ef93e2963ebd8d7356b0f6e1e
    • Instruction ID: f0214f8bcdc31374bc60575ba93dd030320cb060cae094586cf8726e06b2c585
    • Opcode Fuzzy Hash: 173e6d4554b5426c3eca00b3adfaf5dd56fa409ef93e2963ebd8d7356b0f6e1e
    • Instruction Fuzzy Hash: A591C67194E7C4DECB31CBB885911AAFFE8AF26300B484D9ED0CB97B41D224E948D759

    Control-flow Graph

    APIs
    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00964EEE,?,?,00000000,00000000), ref: 00964FF9
    • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00964EEE,?,?,00000000,00000000), ref: 00965010
    • LoadResource.KERNEL32(?,00000000,?,?,00964EEE,?,?,00000000,00000000,?,?,?,?,?,?,00964F8F), ref: 0099DC90
    • SizeofResource.KERNEL32(?,00000000,?,?,00964EEE,?,?,00000000,00000000,?,?,?,?,?,?,00964F8F), ref: 0099DCA5
    • LockResource.KERNEL32(00964EEE,?,?,00964EEE,?,?,00000000,00000000,?,?,?,?,?,?,00964F8F,00000000), ref: 0099DCB8
    Similarity
    • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
    • String ID: SCRIPT
    • API String ID: 3051347437-3967369404
    • Opcode ID: 13597655f1a9fba8623baacec652e4d480d8a41aae7c2a9c8de4c853326c70a1
    • Instruction ID: e165199edded09b6d42e9d3adcbf4c7b49942ff75ad60a92c030f513d3e71b32
    • Opcode Fuzzy Hash: 13597655f1a9fba8623baacec652e4d480d8a41aae7c2a9c8de4c853326c70a1
    • Instruction Fuzzy Hash: 37115A75204741BFE7218B65DCA8F677BBDEBC9B11F208169F51A8A260DB61EC00E660
    APIs
    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00970BBB
    • timeGetTime.WINMM ref: 00970E76
    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00970FB3
    • Sleep.KERNELBASE(0000000A), ref: 00970FC1
    • LockWindowUpdate.USER32(00000000,?,?), ref: 0097105A
    • DestroyWindow.USER32 ref: 00971066
    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00971080
    • Sleep.KERNEL32(0000000A,?,?), ref: 009A51DC
    • TranslateMessage.USER32(?), ref: 009A5FB9
    • DispatchMessageW.USER32(?), ref: 009A5FC7
    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 009A5FDB
    Similarity
    • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
    • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
    • API String ID: 4212290369-3242690629
    • Opcode ID: 9879ba7dbdc240e49fc4da90bacbadc9cd1a7bc0042d64264cc308886383dc40
    • Instruction ID: 166e15e7ff478b7153fc7cd03d2ec9cbb445a0b08460fe13e7df4c3d14ae055f
    • Opcode Fuzzy Hash: 9879ba7dbdc240e49fc4da90bacbadc9cd1a7bc0042d64264cc308886383dc40
    • Instruction Fuzzy Hash: 33B2BD71608741DFD724DF24C894BAAB7E9BFC5304F15892DF48A8B2A1DB74E845CB82

    Control-flow Graph

    APIs
    • GetSysColorBrush.USER32(0000000F), ref: 00963074
    • RegisterClassExW.USER32(00000030), ref: 0096309E
    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 009630AF
    • InitCommonControlsEx.COMCTL32(?), ref: 009630CC
    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009630DC
    • LoadIconW.USER32(000000A9), ref: 009630F2
    • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00963101
    Similarity
    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
    • API String ID: 2914291525-1005189915
    • Opcode ID: c1b89a47ae86f8824bc108545da10977333f86a9f3cae2b6060b28d98b5469be
    • Instruction ID: ed78697bed1d921d5e11d9446911524d0e35216240289273868e65e1be298fae
    • Opcode Fuzzy Hash: c1b89a47ae86f8824bc108545da10977333f86a9f3cae2b6060b28d98b5469be
    • Instruction Fuzzy Hash: 5D31F5B1D55349AFDB60CFE8E884ADDBBF4FB08310F14452AE590AA2A0D3B50986DF51

    Control-flow Graph

    APIs
    • GetSysColorBrush.USER32(0000000F), ref: 00963074
    • RegisterClassExW.USER32(00000030), ref: 0096309E
    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 009630AF
    • InitCommonControlsEx.COMCTL32(?), ref: 009630CC
    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009630DC
    • LoadIconW.USER32(000000A9), ref: 009630F2
    • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00963101
    Similarity
    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
    • API String ID: 2914291525-1005189915
    • Opcode ID: 18627e67938791e47649a01ceb43762741c10c387b3e4a9063ec6853636d1d04
    • Instruction ID: 46fe278a76d471f4faab30522bd58eeebc8a2a7ff5a86ffb63df218e078a22a5
    • Opcode Fuzzy Hash: 18627e67938791e47649a01ceb43762741c10c387b3e4a9063ec6853636d1d04
    • Instruction Fuzzy Hash: BB21E8B1D15248AFDB10DFE8E888BEDBBF4FB08710F00412AF510AA2A0D7B149459F91

    Control-flow Graph

    APIs
      • Part of subcall function 00964864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00A252F8,?,009637C0,?), ref: 00964882
      • Part of subcall function 0098068B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,009672C5), ref: 009806AD
    • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00967308
    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0099EC21
    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0099EC62
    • RegCloseKey.ADVAPI32(?), ref: 0099ECA0
    • _wcscat.LIBCMT ref: 0099ECF9
    Similarity
    • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
    • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
    • API String ID: 2673923337-2727554177
    • Opcode ID: e310b8b21fdb87d2884011e80b5d29bb9c3cbf2d935dac302e70a97628d7e72d
    • Instruction ID: bac8e5bcc410aa11ece804bef9213b16fe289d93faf6ce568f82e094eaec15f6
    • Opcode Fuzzy Hash: e310b8b21fdb87d2884011e80b5d29bb9c3cbf2d935dac302e70a97628d7e72d
    • Instruction Fuzzy Hash: 9571637150A301DEC714EFA9D8419ABBBE8FF94344F40493EF445871A1EB71994ACB51

    Control-flow Graph

    APIs
    • GetSysColorBrush.USER32(0000000F), ref: 00963A62
    • LoadCursorW.USER32(00000000,00007F00), ref: 00963A71
    • LoadIconW.USER32(00000063), ref: 00963A88
    • LoadIconW.USER32(000000A4), ref: 00963A9A
    • LoadIconW.USER32(000000A2), ref: 00963AAC
    • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00963AD2
    • RegisterClassExW.USER32(?), ref: 00963B28
      • Part of subcall function 00963041: GetSysColorBrush.USER32(0000000F), ref: 00963074
      • Part of subcall function 00963041: RegisterClassExW.USER32(00000030), ref: 0096309E
      • Part of subcall function 00963041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 009630AF
      • Part of subcall function 00963041: InitCommonControlsEx.COMCTL32(?), ref: 009630CC
      • Part of subcall function 00963041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009630DC
      • Part of subcall function 00963041: LoadIconW.USER32(000000A9), ref: 009630F2
      • Part of subcall function 00963041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00963101
    Similarity
    • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
    • String ID: #$0$AutoIt v3
    • API String ID: 423443420-4155596026
    • Opcode ID: 5bb1b5e7a4e5c86e8b509b5e8b802333eef1c4b30e7569512adfd7ea1065d314
    • Instruction ID: 7e6b900c2ab4b36ed1314b32a14311755fcc202989125c884eefa2bdf68d8a58
    • Opcode Fuzzy Hash: 5bb1b5e7a4e5c86e8b509b5e8b802333eef1c4b30e7569512adfd7ea1065d314
    • Instruction Fuzzy Hash: 9F210CB1D11304EFEB20DFB8EC45BAD7BB5FB08711F10412AE504AA2E1D3B65A529F94

    Control-flow Graph

    APIs
    • DefWindowProcW.USER32(?,?,?,?), ref: 009636D2
    • KillTimer.USER32(?,00000001), ref: 009636FC
    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0096371F
    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0096372A
    • CreatePopupMenu.USER32 ref: 0096373E
    • PostQuitMessage.USER32(00000000), ref: 0096375F
    Similarity
    • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
    • String ID: TaskbarCreated
    • API String ID: 129472671-2362178303
    • Opcode ID: f040da8e697aa7a501607c3a5d95f1b57ab7713a23be60a311c313f47404d31c
    • Instruction ID: 242e354162514f08055499fd1471311b6d62273af91ae36a3268263686ab6d81
    • Opcode Fuzzy Hash: f040da8e697aa7a501607c3a5d95f1b57ab7713a23be60a311c313f47404d31c
    • Instruction Fuzzy Hash: E34137B2604545FBDF249FBCED4ABB93759FB50300F148535F5028A2E1CAB59E02A761

    Control-flow Graph

    Similarity
    • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
    • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
    • API String ID: 1825951767-3513169116
    • Opcode ID: 76a0a6ea94248f4d7045db67b7fbd0600e85e2db81a61d97cd0fc60501ae73f0
    • Instruction ID: 7f7cce6f302457722fefb4290908855dae32b5529fe86ae9bcb992a18d22e552
    • Opcode Fuzzy Hash: 76a0a6ea94248f4d7045db67b7fbd0600e85e2db81a61d97cd0fc60501ae73f0
    • Instruction Fuzzy Hash: 4BA16B72C1022DAACF15EBE5DC92EEEB778BF94300F54442AF412A7191EF755A09CB60

    Control-flow Graph

    APIs
    • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00963A15
    • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00963A36
    • ShowWindow.USER32(00000000,?,?), ref: 00963A4A
    • ShowWindow.USER32(00000000,?,?), ref: 00963A53
    Similarity
    • API ID: Window$CreateShow
    • String ID: AutoIt v3$edit
    • API String ID: 1584632944-3779509399
    • Opcode ID: 0eac5c199177d46f9446a36364d31d9f068293b9383ce19093a9efd825770b7a
    • Instruction ID: 3bc30864956c32183d35374847b91e30ba7856669707ec1c99231b33b340b06a
    • Opcode Fuzzy Hash: 0eac5c199177d46f9446a36364d31d9f068293b9383ce19093a9efd825770b7a
    • Instruction Fuzzy Hash: 52F03A70901690BEEA3197AB6C58EBB2E7DE7C6F60B00003AB900A61B0C2714C43DBB0

    Control-flow Graph

    APIs
    • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0099D51C
      • Part of subcall function 00967D2C: _memmove.LIBCMT ref: 00967D66
    • _memset.LIBCMT ref: 0096418D
    • _wcscpy.LIBCMT ref: 009641E1
    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 009641F1
    Similarity
    • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
    • String ID: Line:
    • API String ID: 3942752672-1585850449
    • Opcode ID: 51ddb3896e953160c5938257b773ad97f1690b4dd859581b1748033d1dd82e8a
    • Instruction ID: 333e7752afd528fb0ebf1a3cee40027002cc8b065387799db3207311e9107d02
    • Opcode Fuzzy Hash: 51ddb3896e953160c5938257b773ad97f1690b4dd859581b1748033d1dd82e8a
    • Instruction Fuzzy Hash: C331C17140C304AAD731EBE4DC45BEBB7ECAF95304F10492AF194921E1EB749A49CB92

    Control-flow Graph (rendering not reproduced; the function spans basic blocks 9669ca-966a39 and 99e38a-99e611 and calls into 964f3d (LoadLibraryExW) and 966bec (SetCurrentDirectoryW) among other subroutines, as listed under APIs below)

    APIs
      • Part of subcall function 00964F3D: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00A252F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00964F6F
    • _free.LIBCMT ref: 0099E5BC
    • _free.LIBCMT ref: 0099E603
      • Part of subcall function 00966BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00966D0D
    Similarity
    • API ID: _free$CurrentDirectoryLibraryLoad
    • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
    • API String ID: 2861923089-1757145024
    • Opcode ID: 0b48e5badc5c3123ee9f27cf6881791735b283551d59f7440590e37d4bced68d
    • Instruction ID: ab12b5f1cd17108d7e7eb17f26c098b5cc9be4f4a54117f44a6c98fbbaafe674
    • Opcode Fuzzy Hash: 0b48e5badc5c3123ee9f27cf6881791735b283551d59f7440590e37d4bced68d
    • Instruction Fuzzy Hash: BB915D71910219EFCF14EFA8CC91AEDB7B8FF58314F14446AF815AB2A1EB34A945CB50

    Control-flow Graph (rendering not reproduced; basic blocks 9635b0-963631 with RegOpenKeyExW, RegQueryValueExW and RegCloseKey)

    APIs
    • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,009635A1,SwapMouseButtons,00000004,?), ref: 009635D4
    • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,009635A1,SwapMouseButtons,00000004,?,?,?,?,00962754), ref: 009635F5
    • RegCloseKey.KERNELBASE(00000000,?,?,009635A1,SwapMouseButtons,00000004,?,?,?,?,00962754), ref: 00963617
    Similarity
    • API ID: CloseOpenQueryValue
    • String ID: Control Panel\Mouse
    • API String ID: 3677997916-824357125
    • Opcode ID: fc3283b4c47724acffa6feef82b486316ff299c27eeedbfaaa8dbb70592cddf2
    • Instruction ID: fe7845f7c904b7a3d0e58f5cc8fc9912dbb13a34b3e6d26e6abbbe35e7273f25
    • Opcode Fuzzy Hash: fc3283b4c47724acffa6feef82b486316ff299c27eeedbfaaa8dbb70592cddf2
    • Instruction Fuzzy Hash: D2115771614218BFDB20CF69DC81EAEBBBCEF05740F00846AF805DB210E2719F40ABA0

    Control-flow Graph (rendering not reproduced; basic blocks 9c9604-9c97da calling into 965045 (_fseek), 9c97dd (_wcscmp) and 982ed5 (_free) among other subroutines)

    APIs
      • Part of subcall function 00965045: _fseek.LIBCMT ref: 0096505D
      • Part of subcall function 009C97DD: _wcscmp.LIBCMT ref: 009C98CD
      • Part of subcall function 009C97DD: _wcscmp.LIBCMT ref: 009C98E0
    • _free.LIBCMT ref: 009C974B
    • _free.LIBCMT ref: 009C9752
    • _free.LIBCMT ref: 009C97BD
      • Part of subcall function 00982ED5: RtlFreeHeap.NTDLL(00000000,00000000,?,00989BA4), ref: 00982EE9
      • Part of subcall function 00982ED5: GetLastError.KERNEL32(00000000,?,00989BA4), ref: 00982EFB
    • _free.LIBCMT ref: 009C97C5
    Similarity
    • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
    • String ID:
    • API String ID: 1552873950-0
    • Opcode ID: 80eb4893e7951d7a05e43ceb386ec03ea4c1895d4bbe74828e49c453b8c650ff
    • Instruction ID: 10acda3a3ffd908e9caf7ca3a1ba0beed75836f78d1558a3c4287b3074a86966
    • Opcode Fuzzy Hash: 80eb4893e7951d7a05e43ceb386ec03ea4c1895d4bbe74828e49c453b8c650ff
    • Instruction Fuzzy Hash: 6F515EB1D04218AFDF249F64CC85BAEBBB9EF88300F10049EB609A7341DB715A90CF59

    Control-flow Graph (rendering not reproduced; basic blocks 964531-9645da and 99d5bf-99d615 with KillTimer, SetTimer and Shell_NotifyIconW, calling into 982f60 and 96410d)

    APIs
    • _memset.LIBCMT ref: 00964560
      • Part of subcall function 0096410D: _memset.LIBCMT ref: 0096418D
      • Part of subcall function 0096410D: _wcscpy.LIBCMT ref: 009641E1
      • Part of subcall function 0096410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 009641F1
    • KillTimer.USER32(?,00000001,?,?), ref: 009645B5
    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 009645C4
    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0099D5FE
    Similarity
    • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
    • String ID:
    • API String ID: 1378193009-0
    • Opcode ID: 73a5fd55b85afae0fad1aec887fbc4bae906a0e2409de8fa8aa5c49f669543da
    • Instruction ID: 48f8b3b98f25f354caf5d58a0f431467858adc5ee52ce94923f318119de5d6a3
    • Opcode Fuzzy Hash: 73a5fd55b85afae0fad1aec887fbc4bae906a0e2409de8fa8aa5c49f669543da
    • Instruction Fuzzy Hash: 2F21FC709097849FEB328B78CC95BE7BBEC9F11308F04049EF68A56285D7741E85DB51
    APIs
    • _memset.LIBCMT ref: 0099ED92
    • GetOpenFileNameW.COMDLG32(?), ref: 0099EDDC
      • Part of subcall function 009648AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009648A1,?,?,009637C0,?), ref: 009648CE
      • Part of subcall function 00980911: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00980930
    Similarity
    • API ID: Name$Path$FileFullLongOpen_memset
    • String ID: X
    • API String ID: 3777226403-3081909835
    • Opcode ID: 951ed3964f5b18dab5d5c03380e6abadc1c7b39b39dd46ff2a144a5173723267
    • Instruction ID: 4bc8b742dddb74a92364a4f9dfdea82b895d2753ee2da4543eab55b75f62c1e7
    • Opcode Fuzzy Hash: 951ed3964f5b18dab5d5c03380e6abadc1c7b39b39dd46ff2a144a5173723267
    • Instruction Fuzzy Hash: 1A21D870A042589BCF01DFD8C845BEEBBFDAF88704F00401AE408A7241DFF859898FA1
    APIs
      • Part of subcall function 009802E2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00980313
      • Part of subcall function 009802E2: MapVirtualKeyW.USER32(00000010,00000000), ref: 0098031B
      • Part of subcall function 009802E2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00980326
      • Part of subcall function 009802E2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00980331
      • Part of subcall function 009802E2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00980339
      • Part of subcall function 009802E2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00980341
      • Part of subcall function 00976259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0096FA90), ref: 009762B4
    • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0096FB2D
    • OleInitialize.OLE32(00000000), ref: 0096FBAA
    • CloseHandle.KERNEL32(00000000), ref: 009A4921
    Similarity
    • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
    • String ID:
    • API String ID: 1986988660-0
    • Opcode ID: b5aedc73717c93cd7669cdf578eb66520399acd19af1e3b2467d0a17a91ca2f3
    • Instruction ID: 1098613809b047eb0cffa129406661b17f4e61263d75e5c339cc9d1538bf5241
    • Opcode Fuzzy Hash: b5aedc73717c93cd7669cdf578eb66520399acd19af1e3b2467d0a17a91ca2f3
    • Instruction Fuzzy Hash: 2C81CBB0D11A40CFC3A4EFBDA964639BBE6FB98316390853AD419CB261EB704587CF50
    APIs
    • _memset.LIBCMT ref: 00964401
    • Shell_NotifyIconW.SHELL32(00000000,?), ref: 009644A6
    • Shell_NotifyIconW.SHELL32(00000001,?), ref: 009644C3
    Similarity
    • API ID: IconNotifyShell_$_memset
    • String ID:
    • API String ID: 1505330794-0
    • Opcode ID: 190d72c07fb995c76c6a990c5181160b7002ace4ad67958c7c193ff632035563
    • Instruction ID: 740646f9d86899bdc2e2e8ba16b8c51ba57b4721f7aa366cca1c87d70e99193f
    • Opcode Fuzzy Hash: 190d72c07fb995c76c6a990c5181160b7002ace4ad67958c7c193ff632035563
    • Instruction Fuzzy Hash: 6E314F70905701CFD721DFB4D8857ABBBE8FB49305F00093EE59A87291EB71A945CB92
    APIs
    • __FF_MSGBANNER.LIBCMT ref: 009858A3
      • Part of subcall function 0098A2EB: __NMSG_WRITE.LIBCMT ref: 0098A312
      • Part of subcall function 0098A2EB: __NMSG_WRITE.LIBCMT ref: 0098A31C
    • __NMSG_WRITE.LIBCMT ref: 009858AA
      • Part of subcall function 0098A348: GetModuleFileNameW.KERNEL32(00000000,00A233BA,00000104,?,00000001,00000000), ref: 0098A3DA
      • Part of subcall function 0098A348: ___crtMessageBoxW.LIBCMT ref: 0098A488
      • Part of subcall function 0098321F: ___crtCorExitProcess.LIBCMT ref: 00983225
      • Part of subcall function 0098321F: ExitProcess.KERNEL32 ref: 0098322E
      • Part of subcall function 00988CA8: __getptd_noexit.LIBCMT ref: 00988CA8
    • RtlAllocateHeap.NTDLL(00A40000,00000000,00000001,00000000,?,?,?,00980F53,?), ref: 009858CF
    Similarity
    • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
    • String ID:
    • API String ID: 1372826849-0
    • Opcode ID: 5f2706055b5e9cb9b581e46e1f48b55915904a54acff2ba2a04011059d7d60ce
    • Instruction ID: 5ce1c4a795b9dacf71362093f74b16968fb2624970173436324d986ce53b2291
    • Opcode Fuzzy Hash: 5f2706055b5e9cb9b581e46e1f48b55915904a54acff2ba2a04011059d7d60ce
    • Instruction Fuzzy Hash: F301DE32351B11EBEA2037B9AC42B2E734CDFD2760B92083BF501AB392DE749E454761
    APIs
    • _free.LIBCMT ref: 009C8DC4
      • Part of subcall function 00982ED5: RtlFreeHeap.NTDLL(00000000,00000000,?,00989BA4), ref: 00982EE9
      • Part of subcall function 00982ED5: GetLastError.KERNEL32(00000000,?,00989BA4), ref: 00982EFB
    • _free.LIBCMT ref: 009C8DD5
    • _free.LIBCMT ref: 009C8DE7
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: 33ae1c996f9c9f7cc5f494d2acb49351bd07ed813e84366d3f1e78f850c3488c
    • Instruction ID: c9213974a215391a1083c85f95b4b133d6880e2adb573931ea8a43192e6a99ad
    • Opcode Fuzzy Hash: 33ae1c996f9c9f7cc5f494d2acb49351bd07ed813e84366d3f1e78f850c3488c
    • Instruction Fuzzy Hash: 3AE012B1A0270553DA24767C6944F9313DC5F98361B14081EB40AD76C3CE24E8818338
    Similarity
    • API ID: _memmove
    • String ID: EA06
    • API String ID: 4104443479-3962188686
    • Opcode ID: 7d99fcd7544405c5f1bb2eefe14822dd3c5975aeb5347a7da9c789a6360be7e9
    • Instruction ID: eaf99e6bc2a3a654b574e35f12d78e4d474947c3b8603dabfe98b7270cf60cbd
    • Opcode Fuzzy Hash: 7d99fcd7544405c5f1bb2eefe14822dd3c5975aeb5347a7da9c789a6360be7e9
    • Instruction Fuzzy Hash: EC418F31A041589FCF235FE4C8517BF7FA6AF45300F684474F8869B282C5269D4487E2
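The entries above reference the strings an AutoIt v3 interpreter stub carries: "AutoIt v3", ">>>AUTOIT SCRIPT<<<", ">>>AUTOIT NO CMDEXECUTE<<<" and "EA06" (in the AutoIt3 format, a compiled-script version tag), consistent with the "Binary is likely a compiled AutoIt script file" signature in the overview. The following Python is an added triage script, not part of this Joe Sandbox report and not AutoIt code, that scans a file for those markers in both ASCII and UTF-16LE (the sample passes them to *W APIs, so they are stored as UTF-16LE, and an ASCII-only scan misses them) and separately looks for the 16-byte header of a compiled AutoIt3 script blob. The header value A3X_MAGIC is taken from commonly published YARA rules and is an assumption here, as is the verdict logic in classify(); SAMPLE_COMPILED and SAMPLE_PLAIN are constructed buffers, not bytes from file.exe.

```python
"""Static triage for AutoIt v3 markers (added example; not Joe Sandbox or AutoIt code)."""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# Strings this report shows the sample's code referencing.
RUNTIME_MARKERS = (
    "AutoIt v3",
    ">>>AUTOIT SCRIPT<<<",
    ">>>AUTOIT NO CMDEXECUTE<<<",
    "EA06",
)

# ASSUMPTION (not from this report): 16-byte header of a compiled AutoIt3
# script blob, as published in common YARA rules for AutoIt-compiled binaries.
A3X_MAGIC = bytes.fromhex("A3484BBE986C4AA9994C530A86D6487D")


@dataclass
class MarkerHit:
    marker: str
    encoding: str  # "ascii" or "utf-16le"
    offset: int


def find_markers(data: bytes) -> list[MarkerHit]:
    """Return every occurrence of each marker, in either encoding.

    AutoIt is a Unicode build, so the strings the report shows as arguments
    to *W APIs live in the binary as UTF-16LE. Matching is done on the raw
    bytes of each encoded form, so no decoding of the sample is needed.
    """
    hits: list[MarkerHit] = []
    for marker in RUNTIME_MARKERS:
        for enc in ("ascii", "utf-16le"):
            needle = re.escape(marker.encode(enc))
            for m in re.finditer(needle, data):
                hits.append(MarkerHit(marker, enc, m.start()))
    return sorted(hits, key=lambda h: h.offset)


def find_script_magic(data: bytes) -> list[int]:
    """Offsets of the compiled-script header (A3X_MAGIC) inside the buffer."""
    return [m.start() for m in re.finditer(re.escape(A3X_MAGIC), data)]


def classify(data: bytes) -> str:
    """Coarse verdict: 'autoit-compiled', 'autoit-runtime' or 'no-autoit'.

    Runtime markers alone only prove an AutoIt3 interpreter stub; a clean
    AutoIt3.exe carries the same strings. Only the script header indicates
    that a script is actually embedded. (Verdict thresholds are an assumption.)
    """
    markers = {h.marker for h in find_markers(data)}
    has_runtime = "AutoIt v3" in markers and ">>>AUTOIT SCRIPT<<<" in markers
    if not has_runtime:
        return "no-autoit"
    return "autoit-compiled" if find_script_magic(data) else "autoit-runtime"


# Constructed sample buffers (not bytes from file.exe) so the module runs offline.
SAMPLE_COMPILED = (
    b"MZ" + b"\x00" * 64
    + "AutoIt v3".encode("utf-16le") + b"\x00\x00"
    + ">>>AUTOIT SCRIPT<<<".encode("utf-16le") + b"\x00\x00"
    + ">>>AUTOIT NO CMDEXECUTE<<<".encode("utf-16le") + b"\x00\x00"
    + "EA06".encode("utf-16le")
    + b"\x00" * 32 + A3X_MAGIC + b"\x16\x16\x16\x16"
)
SAMPLE_PLAIN = b"MZ" + b"\x00" * 64 + b"hello world" + b"\x00" * 32


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else SAMPLE_COMPILED
    for hit in find_markers(blob):
        print(f"{hit.offset:#010x}  {hit.encoding:<8}  {hit.marker}")
    print("script header at:", [hex(o) for o in find_script_magic(blob)])
    print("verdict:", classify(blob))
```

Run it as `python autoit_markers.py file.exe`; with no argument it analyses the constructed sample. Runtime markers without the script header mean an AutoIt3 interpreter, which a clean AutoIt3.exe also is; only the header shows a script is embedded. A packed or encrypted stub hides both on disk, so a "no-autoit" verdict on a sample that produced these dynamic signatures is a reason to scan the unpacked memory dump (the .sdmp files this report lists) instead of the file.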
    APIs
    • IsThemeActive.UXTHEME ref: 00964992
      • Part of subcall function 009834EC: __lock.LIBCMT ref: 009834F2
      • Part of subcall function 009834EC: DecodePointer.KERNEL32(00000001,?,009649A7,009B7F9C), ref: 009834FE
      • Part of subcall function 009834EC: EncodePointer.KERNEL32(?,?,009649A7,009B7F9C), ref: 00983509
      • Part of subcall function 00964A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00964A73
      • Part of subcall function 00964A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00964A88
      • Part of subcall function 00963B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00963B7A
      • Part of subcall function 00963B4C: IsDebuggerPresent.KERNEL32 ref: 00963B8C
      • Part of subcall function 00963B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,00A252F8,00A252E0,?,?), ref: 00963BFD
      • Part of subcall function 00963B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00963C81
    • SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 009649D2
    Similarity
    • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
    • String ID:
    • API String ID: 1438897964-0
    • Opcode ID: f100da11cce20e8846ee478f77a7c2cb8ca45df28cc308c88bc34c323858d811
    • Instruction ID: f17e34582f305fefde767df2799eae776f46098a75214a985b639aee0ea9e172
    • Opcode Fuzzy Hash: f100da11cce20e8846ee478f77a7c2cb8ca45df28cc308c88bc34c323858d811
    • Instruction Fuzzy Hash: 941190719143119BC310EFB8DD45A6AFBE8FBC4710F00852EF085872B1DB709A46CB91
    APIs
      • Part of subcall function 0098588C: __FF_MSGBANNER.LIBCMT ref: 009858A3
      • Part of subcall function 0098588C: __NMSG_WRITE.LIBCMT ref: 009858AA
      • Part of subcall function 0098588C: RtlAllocateHeap.NTDLL(00A40000,00000000,00000001,00000000,?,?,?,00980F53,?), ref: 009858CF
    • std::exception::exception.LIBCMT ref: 00980F6C
    • __CxxThrowException@8.LIBCMT ref: 00980F81
      • Part of subcall function 0098871B: RaiseException.KERNEL32(?,?,?,00A19E78,00000000,?,?,?,?,00980F86,?,00A19E78,?,00000001), ref: 00988770
    Similarity
    • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
    • String ID:
    • API String ID: 3902256705-0
    • Opcode ID: 98f6edaabb59398a0d15d984837fcfa73a33787034a80871352d4d14e5eae263
    • Instruction ID: 4c9062a302864271d2e71173f04270ca59edaaecf38783795d29a97003e4ea4e
    • Opcode Fuzzy Hash: 98f6edaabb59398a0d15d984837fcfa73a33787034a80871352d4d14e5eae263
    • Instruction Fuzzy Hash: 18F0863550431D66C724BB54E815BEF7BACAF41310F504465FA0896381EB708A5487E1
    APIs
      • Part of subcall function 00988CA8: __getptd_noexit.LIBCMT ref: 00988CA8
    • __lock_file.LIBCMT ref: 0098555B
      • Part of subcall function 00986D8E: __lock.LIBCMT ref: 00986DB1
    • __fclose_nolock.LIBCMT ref: 00985566
    Similarity
    • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
    • String ID:
    • API String ID: 2800547568-0
    • Opcode ID: dde8a5b3e6995b543b935a30bf34403f8597c2cda5a4b9f195b814f911f9125e
    • Instruction ID: 4d3304f3d2efca5ff04b56aa3e75f28954934b20de8c79b5a548da9973809c34
    • Opcode Fuzzy Hash: dde8a5b3e6995b543b935a30bf34403f8597c2cda5a4b9f195b814f911f9125e
    • Instruction Fuzzy Hash: 5FF0B4B1905A00AAD7217B758C06B6F77A26FC0331F968609F414AB3C1CB7C8A459B62
    APIs
    • timeGetTime.WINMM ref: 00972E1A
      • Part of subcall function 00970B30: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00970BBB
    • Sleep.KERNEL32(00000000), ref: 00972E53
    Similarity
    • API ID: MessagePeekSleepTimetime
    • String ID:
    • API String ID: 1792118007-0
    • Opcode ID: 3a5ac434701076e32d15f8012533d29a15140d5596ad5671cf0ca82e6d673ea2
    • Instruction ID: 0740ba7112f5483abd4e2055b471dfa5c59a7a54a06d5a0e85ed7fff071c114b
    • Opcode Fuzzy Hash: 3a5ac434701076e32d15f8012533d29a15140d5596ad5671cf0ca82e6d673ea2
    • Instruction Fuzzy Hash: 9AF01C322546119FC750EB69D855F66BBE8EF86760F00403AF86DCB362DB70AC00DB91
    APIs
      • Part of subcall function 00964D13: FreeLibrary.KERNEL32(00000000,?), ref: 00964D4D
      • Part of subcall function 009853CB: __wfsopen.LIBCMT ref: 009853D6
    • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00A252F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00964F6F
      • Part of subcall function 00964CC8: FreeLibrary.KERNEL32(00000000), ref: 00964D02
      • Part of subcall function 00964DD0: _memmove.LIBCMT ref: 00964E1A
    Similarity
    • API ID: Library$Free$Load__wfsopen_memmove
    • String ID:
    • API String ID: 1396898556-0
    • Opcode ID: c480f34a4c107db6d0c492250c80a142e9ce6b9c1bff26dc7abfbbcbfc0ed098
    • Instruction ID: 1f1c9ef2c347c104f891143fbb4ba12f232f519aa3315fa16dd6908fe89094ca
    • Opcode Fuzzy Hash: c480f34a4c107db6d0c492250c80a142e9ce6b9c1bff26dc7abfbbcbfc0ed098
    • Instruction Fuzzy Hash: E4110A31640205EBCF10BFB4CC56FAE77A99F84700F10882EF541A72C1DB759E059760
    APIs
    • FreeLibrary.KERNEL32(?,?,00A252F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00964FDE
    Similarity
    • API ID: FreeLibrary
    • String ID:
    • API String ID: 3664257935-0
    • Opcode ID: 6f7220cd39e540d788361fb9158ebb64431405a9aec3785cacc5e00147dbc502
    • Instruction ID: 82e4b58e519c8f9db39c863969ba6ab24e0515995c5eb87a6e5ac874da5de1cb
    • Opcode Fuzzy Hash: 6f7220cd39e540d788361fb9158ebb64431405a9aec3785cacc5e00147dbc502
    • Instruction Fuzzy Hash: 99F03971109712CFCB349FA4E894812BBF5AF043293208E7EE1D682610C731A844DF40
    APIs
    • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00980930
      • Part of subcall function 00967D2C: _memmove.LIBCMT ref: 00967D66
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: LongNamePath_memmove
    • String ID:
    • API String ID: 2514874351-0
    • Opcode ID: 0e665ebd3a189e47c4f9507808e168a4701507eedfaa7160d84a53bf37b42129
    • Instruction ID: 4b47453d54f258c5f6b443401445f820f373b7cab3e9fffc296686d213ce2116
    • Opcode Fuzzy Hash: 0e665ebd3a189e47c4f9507808e168a4701507eedfaa7160d84a53bf37b42129
    • Instruction Fuzzy Hash: CBE0863690512857C720D6989C05FEAB7EDDFC8790F0401B6FD0CD7244D9619C818690
    APIs
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: __wfsopen
    • String ID:
    • API String ID: 197181222-0
    • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
    • Instruction ID: 1391cc5d0eafef50e7fd49a98dee51164f639a629c9562f8ea6dadcc41de2609
    • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
    • Instruction Fuzzy Hash: A1B0927644020CB7CE012A82EC02B493B599B807A4F408021FB0C186A2A6B3E6649689
    APIs
      • Part of subcall function 00962612: GetWindowLongW.USER32(?,000000EB), ref: 00962623
    • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 009ECBA1
    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 009ECBFF
    • GetWindowLongW.USER32(?,000000F0), ref: 009ECC40
    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009ECC6A
    • SendMessageW.USER32 ref: 009ECC93
    • _wcsncpy.LIBCMT ref: 009ECCFF
    • GetKeyState.USER32(00000011), ref: 009ECD20
    • GetKeyState.USER32(00000009), ref: 009ECD2D
    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 009ECD43
    • GetKeyState.USER32(00000010), ref: 009ECD4D
    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009ECD76
    • SendMessageW.USER32 ref: 009ECD9D
    • SendMessageW.USER32(?,00001030,?,009EB37C), ref: 009ECEA1
    • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 009ECEB7
    • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 009ECECA
    • SetCapture.USER32(?), ref: 009ECED3
    • ClientToScreen.USER32(?,?), ref: 009ECF38
    • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 009ECF45
    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009ECF5F
    • ReleaseCapture.USER32 ref: 009ECF6A
    • GetCursorPos.USER32(?), ref: 009ECFA4
    • ScreenToClient.USER32(?,?), ref: 009ECFB1
    • SendMessageW.USER32(?,00001012,00000000,?), ref: 009ED00D
    • SendMessageW.USER32 ref: 009ED03B
    • SendMessageW.USER32(?,00001111,00000000,?), ref: 009ED078
    • SendMessageW.USER32 ref: 009ED0A7
    • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 009ED0C8
    • SendMessageW.USER32(?,0000110B,00000009,?), ref: 009ED0D7
    • GetCursorPos.USER32(?), ref: 009ED0F7
    • ScreenToClient.USER32(?,?), ref: 009ED104
    • GetParent.USER32(?), ref: 009ED124
    • SendMessageW.USER32(?,00001012,00000000,?), ref: 009ED18D
    • SendMessageW.USER32 ref: 009ED1BE
    • ClientToScreen.USER32(?,?), ref: 009ED21C
    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 009ED24C
    • SendMessageW.USER32(?,00001111,00000000,?), ref: 009ED276
    • SendMessageW.USER32 ref: 009ED299
    • ClientToScreen.USER32(?,?), ref: 009ED2EB
    • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 009ED31F
      • Part of subcall function 009625DB: GetWindowLongW.USER32(?,000000EB), ref: 009625EC
    • GetWindowLongW.USER32(?,000000F0), ref: 009ED3BB
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
    • String ID: @GUI_DRAGID$F
    • API String ID: 3977979337-4164748364
    • Opcode ID: 16a75b291ae5943f1de56db84695980718155639616830eb7ecb83ccae6d000e
    • Instruction ID: 2c27aabbe539ba2632b14c9965cb115de55accb48a6cb0137d15c400cfec97c4
    • Opcode Fuzzy Hash: 16a75b291ae5943f1de56db84695980718155639616830eb7ecb83ccae6d000e
    • Instruction Fuzzy Hash: 6242A070604381AFD722CF29C884BAABBF9FF49710F180929F5959B2A0C772DD52DB51
    APIs
    • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 009E8502
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: MessageSend
    • String ID: %d/%02d/%02d
    • API String ID: 3850602802-328681919
    • Opcode ID: a270abfdff3502c3de04a916554392ad7227fd35e87f13ee7ff4e0946fe65653
    • Instruction ID: 92489475fbd0f3311f76f3c6918ddd502a807589d4d4ac372a0a24f4fdc84349
    • Opcode Fuzzy Hash: a270abfdff3502c3de04a916554392ad7227fd35e87f13ee7ff4e0946fe65653
    • Instruction Fuzzy Hash: E212F270514288AFEB269FA5CC89FAB7BB8EF85710F104569F519EA2E0DF748D41CB10
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: _memmove$_memset
    • String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
    • API String ID: 1357608183-1798697756
    • Opcode ID: 41b81b612a5dadd70c66ac80c06d4818128f514fa3e6e0bf06804672335b4f18
    • Instruction ID: c28976150e81357453a719607876a6c239c9708fc63b4c633893e841b0747600
    • Opcode Fuzzy Hash: 41b81b612a5dadd70c66ac80c06d4818128f514fa3e6e0bf06804672335b4f18
    • Instruction Fuzzy Hash: A593C331A00219DFDB24CF98C981BEDB7B5FF48720F24856AE959EB291E7749D81CB40
    APIs
    • GetForegroundWindow.USER32(00000000,?), ref: 00964A3D
    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0099D9BE
    • IsIconic.USER32(?), ref: 0099D9C7
    • ShowWindow.USER32(?,00000009), ref: 0099D9D4
    • SetForegroundWindow.USER32(?), ref: 0099D9DE
    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0099D9F4
    • GetCurrentThreadId.KERNEL32 ref: 0099D9FB
    • GetWindowThreadProcessId.USER32(?,00000000), ref: 0099DA07
    • AttachThreadInput.USER32(?,00000000,00000001), ref: 0099DA18
    • AttachThreadInput.USER32(?,00000000,00000001), ref: 0099DA20
    • AttachThreadInput.USER32(00000000,?,00000001), ref: 0099DA28
    • SetForegroundWindow.USER32(?), ref: 0099DA2B
    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0099DA40
    • keybd_event.USER32(00000012,00000000), ref: 0099DA4B
    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0099DA55
    • keybd_event.USER32(00000012,00000000), ref: 0099DA5A
    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0099DA63
    • keybd_event.USER32(00000012,00000000), ref: 0099DA68
    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0099DA72
    • keybd_event.USER32(00000012,00000000), ref: 0099DA77
    • SetForegroundWindow.USER32(?), ref: 0099DA7A
    • AttachThreadInput.USER32(?,?,00000000), ref: 0099DAA1
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
    • String ID: Shell_TrayWnd
    • API String ID: 4125248594-2988720461
    • Opcode ID: f648b6af092ecee8c2d1a2ac1f702c0ee5a787d4d51c1940e5f9a614d105e814
    • Instruction ID: c9af2d59250d6e2e78835d9c6ca19d1f44a2010b5ac01e9ae62c59ae19fafe28
    • Opcode Fuzzy Hash: f648b6af092ecee8c2d1a2ac1f702c0ee5a787d4d51c1940e5f9a614d105e814
    • Instruction Fuzzy Hash: EA317271A55358BBEF206FA59C89F7F7E6CEB44B51F104026FA04EA1D0CAB15D10BAA0
    APIs
    • OpenClipboard.USER32(009EF910), ref: 009D40A6
    • IsClipboardFormatAvailable.USER32(0000000D), ref: 009D40B4
    • GetClipboardData.USER32(0000000D), ref: 009D40BC
    • CloseClipboard.USER32 ref: 009D40C8
    • GlobalLock.KERNEL32(00000000), ref: 009D40E4
    • CloseClipboard.USER32 ref: 009D40EE
    • GlobalUnlock.KERNEL32(00000000), ref: 009D4103
    • IsClipboardFormatAvailable.USER32(00000001), ref: 009D4110
    • GetClipboardData.USER32(00000001), ref: 009D4118
    • GlobalLock.KERNEL32(00000000), ref: 009D4125
    • GlobalUnlock.KERNEL32(00000000), ref: 009D4159
    • CloseClipboard.USER32 ref: 009D4269
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
    • String ID:
    • API String ID: 3222323430-0
    • Opcode ID: d358c0aa2dc9085d312e04aa3325eb17df5305604f393b3d956af43f3d70ee73
    • Instruction ID: 11ae2717a077d9824d9da43b3aa9ce9bb20cba611c1fdd4f441bd56c363b82fe
    • Opcode Fuzzy Hash: d358c0aa2dc9085d312e04aa3325eb17df5305604f393b3d956af43f3d70ee73
    • Instruction Fuzzy Hash: 5A51BE35248346ABD311EF60DCA5F6E77A8AFC4B00F00852AF656DA2E1DF30DD059B62
    APIs
    • FindFirstFileW.KERNEL32(?,?), ref: 009CC819
    • FindClose.KERNEL32(00000000), ref: 009CC86D
    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 009CC892
    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 009CC8A9
    • FileTimeToSystemTime.KERNEL32(?,?), ref: 009CC8D0
    • __swprintf.LIBCMT ref: 009CC91C
    • __swprintf.LIBCMT ref: 009CC95F
      • Part of subcall function 00967F41: _memmove.LIBCMT ref: 00967F82
    • __swprintf.LIBCMT ref: 009CC9B3
      • Part of subcall function 00983818: __woutput_l.LIBCMT ref: 00983871
    • __swprintf.LIBCMT ref: 009CCA01
      • Part of subcall function 00983818: __flsbuf.LIBCMT ref: 00983893
      • Part of subcall function 00983818: __flsbuf.LIBCMT ref: 009838AB
    • __swprintf.LIBCMT ref: 009CCA50
    • __swprintf.LIBCMT ref: 009CCA9F
    • __swprintf.LIBCMT ref: 009CCAEE
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
    • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
    • API String ID: 3953360268-2428617273
    • Opcode ID: 0b7b358579a636ae22cc888a6ab20aa17097da7fa64a6b55876fa1545e6867d5
    • Instruction ID: 3984c18a900926cce5e04b3b777ced4291696f3bdcdb6026968325a0fc0f7b44
    • Opcode Fuzzy Hash: 0b7b358579a636ae22cc888a6ab20aa17097da7fa64a6b55876fa1545e6867d5
    • Instruction Fuzzy Hash: 33A11EB1408344ABC710EBA4C996EAFB7ECEFD4704F44491EF595C6191EB34DA08CB62
    APIs
    • FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 009CF042
    • _wcscmp.LIBCMT ref: 009CF057
    • _wcscmp.LIBCMT ref: 009CF06E
    • GetFileAttributesW.KERNEL32(?), ref: 009CF080
    • SetFileAttributesW.KERNEL32(?,?), ref: 009CF09A
    • FindNextFileW.KERNEL32(00000000,?), ref: 009CF0B2
    • FindClose.KERNEL32(00000000), ref: 009CF0BD
    • FindFirstFileW.KERNEL32(*.*,?), ref: 009CF0D9
    • _wcscmp.LIBCMT ref: 009CF100
    • _wcscmp.LIBCMT ref: 009CF117
    • SetCurrentDirectoryW.KERNEL32(?), ref: 009CF129
    • SetCurrentDirectoryW.KERNEL32(00A18920), ref: 009CF147
    • FindNextFileW.KERNEL32(00000000,00000010), ref: 009CF151
    • FindClose.KERNEL32(00000000), ref: 009CF15E
    • FindClose.KERNEL32(00000000), ref: 009CF170
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
    • String ID: *.*
    • API String ID: 1803514871-438819550
    • Opcode ID: 92e70b1dd2e2fad47ee5203de1794b0a7173bae560bb9dc2943322dde4451b73
    • Instruction ID: 77fc76a8c24b816c09e4742597f7a221cd7af1ad3477e6405cf10c27f58d8075
    • Opcode Fuzzy Hash: 92e70b1dd2e2fad47ee5203de1794b0a7173bae560bb9dc2943322dde4451b73
    • Instruction Fuzzy Hash: 41310532904249BACB10EBB4DCA9FEE77ADAF45360F04417AE814D31A0EB34DE45CB65
    APIs
    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009E09DE
    • RegCreateKeyExW.ADVAPI32(?,?,00000000,009EF910,00000000,?,00000000,?,?), ref: 009E0A4C
    • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 009E0A94
    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 009E0B1D
    • RegCloseKey.ADVAPI32(?), ref: 009E0E3D
    • RegCloseKey.ADVAPI32(00000000), ref: 009E0E4A
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Close$ConnectCreateRegistryValue
    • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
    • API String ID: 536824911-966354055
    • Opcode ID: 85b04340d892c3bf3725680fd4e6a1116b9baad43291ba4b98cc618261551b75
    • Instruction ID: 919a1ea201dcd2be2451acccccc2e3d0ff12e75e3033ce84439e2c765e99c373
    • Opcode Fuzzy Hash: 85b04340d892c3bf3725680fd4e6a1116b9baad43291ba4b98cc618261551b75
    • Instruction Fuzzy Hash: 3D0239752046419FCB15EF25C895E2AB7E9FF88724F04885DF88A9B362CB74ED41CB81
    APIs
    • FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 009CF19F
    • _wcscmp.LIBCMT ref: 009CF1B4
    • _wcscmp.LIBCMT ref: 009CF1CB
      • Part of subcall function 009C43C6: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 009C43E1
    • FindNextFileW.KERNEL32(00000000,?), ref: 009CF1FA
    • FindClose.KERNEL32(00000000), ref: 009CF205
    • FindFirstFileW.KERNEL32(*.*,?), ref: 009CF221
    • _wcscmp.LIBCMT ref: 009CF248
    • _wcscmp.LIBCMT ref: 009CF25F
    • SetCurrentDirectoryW.KERNEL32(?), ref: 009CF271
    • SetCurrentDirectoryW.KERNEL32(00A18920), ref: 009CF28F
    • FindNextFileW.KERNEL32(00000000,00000010), ref: 009CF299
    • FindClose.KERNEL32(00000000), ref: 009CF2A6
    • FindClose.KERNEL32(00000000), ref: 009CF2B8
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
    • String ID: *.*
    • API String ID: 1824444939-438819550
    • Opcode ID: 74f6adff21edab35361a9a944618464d4043031028ddba0df1fc4300ff9ad06b
    • Instruction ID: 95c4a71dc075e0388f870ad399a37cd9b81990d532fa2a2f3011da504ba451e0
    • Opcode Fuzzy Hash: 74f6adff21edab35361a9a944618464d4043031028ddba0df1fc4300ff9ad06b
    • Instruction Fuzzy Hash: 4D3105369042597ACB10ABB4DC69FDE73AEDF44360F1441BAE810A31A0DB30DF46CB55
    APIs
    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 009CA299
    • __swprintf.LIBCMT ref: 009CA2BB
    • CreateDirectoryW.KERNEL32(?,00000000), ref: 009CA2F8
    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 009CA31D
    • _memset.LIBCMT ref: 009CA33C
    • _wcsncpy.LIBCMT ref: 009CA378
    • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 009CA3AD
    • CloseHandle.KERNEL32(00000000), ref: 009CA3B8
    • RemoveDirectoryW.KERNEL32(?), ref: 009CA3C1
    • CloseHandle.KERNEL32(00000000), ref: 009CA3CB
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
    • String ID: :$\$\??\%s
    • API String ID: 2733774712-3457252023
    • Opcode ID: 3b89ef9c10a89eca331edfeabcb313a9decac08dff9d12eeed814abb7b572989
    • Instruction ID: 5c6027aecb6a193b80939053cedcdaf43fe77660400f47f2b8d39db0f2fb3cf9
    • Opcode Fuzzy Hash: 3b89ef9c10a89eca331edfeabcb313a9decac08dff9d12eeed814abb7b572989
    • Instruction Fuzzy Hash: F731E37190415AABDB20DFA0DC49FEF33BCEF88744F1041BAFA08D6160E7749A448B25
    APIs
      • Part of subcall function 009B852A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 009B8546
      • Part of subcall function 009B852A: GetLastError.KERNEL32(?,009B800A,?,?,?), ref: 009B8550
      • Part of subcall function 009B852A: GetProcessHeap.KERNEL32(00000008,?,?,009B800A,?,?,?), ref: 009B855F
      • Part of subcall function 009B852A: HeapAlloc.KERNEL32(00000000,?,009B800A,?,?,?), ref: 009B8566
      • Part of subcall function 009B852A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 009B857D
      • Part of subcall function 009B85C7: GetProcessHeap.KERNEL32(00000008,009B8020,00000000,00000000,?,009B8020,?), ref: 009B85D3
      • Part of subcall function 009B85C7: HeapAlloc.KERNEL32(00000000,?,009B8020,?), ref: 009B85DA
      • Part of subcall function 009B85C7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,009B8020,?), ref: 009B85EB
    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 009B8238
    • _memset.LIBCMT ref: 009B824D
    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 009B826C
    • GetLengthSid.ADVAPI32(?), ref: 009B827D
    • GetAce.ADVAPI32(?,00000000,?), ref: 009B82BA
    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 009B82D6
    • GetLengthSid.ADVAPI32(?), ref: 009B82F3
    • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 009B8302
    • HeapAlloc.KERNEL32(00000000), ref: 009B8309
    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 009B832A
    • CopySid.ADVAPI32(00000000), ref: 009B8331
    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 009B8362
    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 009B8388
    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 009B839C
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
    • String ID:
    • API String ID: 3996160137-0
    • Opcode ID: 1054eb215a7f2ef7b4959350e45a4efb0f5553c0bf5e3e255bbd05c7be5f1257
    • Instruction ID: ce4b75f70dbb4df38fb59537ca4e1f151c01eb5ec5eca31032c9fe4a937a85a6
    • Opcode Fuzzy Hash: 1054eb215a7f2ef7b4959350e45a4efb0f5553c0bf5e3e255bbd05c7be5f1257
    • Instruction Fuzzy Hash: 12615C7190020AEFDF109F94DD84AEEBBBDFF48711F04816AF915A6291DB319E05DB60
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID:
    • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
    • API String ID: 0-4052911093
    • Opcode ID: 4c5d2326399fb36cea00092a37dc09a05f7d98e1fadf1526989219454f4d3932
    • Instruction ID: b68993caa0c41b98ea546d30c56555f0a1db50d0a1372bd20e8efb13319b5f48
    • Opcode Fuzzy Hash: 4c5d2326399fb36cea00092a37dc09a05f7d98e1fadf1526989219454f4d3932
    • Instruction Fuzzy Hash: 66729275E00619DBDB24CF59D8907EEB7B5FF44720F54806AE849EB290EB349E81CB90
    APIs
      • Part of subcall function 009E0EA5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009DFE38,?,?), ref: 009E0EBC
    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009E0537
      • Part of subcall function 00969997: __itow.LIBCMT ref: 009699C2
      • Part of subcall function 00969997: __swprintf.LIBCMT ref: 00969A0C
    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 009E05D6
    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 009E066E
    • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 009E08AD
    • RegCloseKey.ADVAPI32(00000000), ref: 009E08BA
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
    • String ID:
    • API String ID: 1240663315-0
    • Opcode ID: 0bd68940a186c1a759a4c5dbf4d3de79ab58097f648805276b229f5758a86e59
    • Instruction ID: 08c34ce473dc58fc8abc3443be05a0557f154a7d9fc408bb20d20f10be61d2f6
    • Opcode Fuzzy Hash: 0bd68940a186c1a759a4c5dbf4d3de79ab58097f648805276b229f5758a86e59
    • Instruction Fuzzy Hash: B4E14C31604250AFCB15DF29C891E6ABBE8FFC9714B04896DF48ADB262DB31ED41CB51
    APIs
    • GetKeyboardState.USER32(?), ref: 009C0062
    • GetAsyncKeyState.USER32(000000A0), ref: 009C00E3
    • GetKeyState.USER32(000000A0), ref: 009C00FE
    • GetAsyncKeyState.USER32(000000A1), ref: 009C0118
    • GetKeyState.USER32(000000A1), ref: 009C012D
    • GetAsyncKeyState.USER32(00000011), ref: 009C0145
    • GetKeyState.USER32(00000011), ref: 009C0157
    • GetAsyncKeyState.USER32(00000012), ref: 009C016F
    • GetKeyState.USER32(00000012), ref: 009C0181
    • GetAsyncKeyState.USER32(0000005B), ref: 009C0199
    • GetKeyState.USER32(0000005B), ref: 009C01AB
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: State$Async$Keyboard
    • String ID:
    • API String ID: 541375521-0
    • Opcode ID: a57ab42638ef31386709082748444bd7516fdfabe0675fc3547a57557e5ffb02
    • Instruction ID: 810e8b141730ab7ae5b4957caf3991f7dfd41603b88056758f478e0d2015e8e4
    • Opcode Fuzzy Hash: a57ab42638ef31386709082748444bd7516fdfabe0675fc3547a57557e5ffb02
    • Instruction Fuzzy Hash: 9541A624D0C7C9AAFF319A608855BB5FEA8BBA1340F0C409ED5C5461C2DB949EC4C7A3
    APIs
      • Part of subcall function 00969997: __itow.LIBCMT ref: 009699C2
      • Part of subcall function 00969997: __swprintf.LIBCMT ref: 00969A0C
    • CoInitialize.OLE32 ref: 009D8518
    • CoUninitialize.OLE32 ref: 009D8523
    • CoCreateInstance.OLE32(?,00000000,00000017,009F2BEC,?), ref: 009D8583
    • IIDFromString.OLE32(?,?), ref: 009D85F6
    • VariantInit.OLEAUT32(?), ref: 009D8690
    • VariantClear.OLEAUT32(?), ref: 009D86F1
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
    • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
    • API String ID: 834269672-1287834457
    • Opcode ID: ef758f4879975601de31a48dd9ce9a1e93e7d260704148ef1b02aee73b1868b8
    • Instruction ID: bf8ab652c749651dc8aefde712eb6b96c9b9f00085f9ddbe3ae69f6d453dcec4
    • Opcode Fuzzy Hash: ef758f4879975601de31a48dd9ce9a1e93e7d260704148ef1b02aee73b1868b8
    • Instruction Fuzzy Hash: 08619F70248311AFC710DF24D888B6BB7E8AF85714F44885EF9859B392DB74ED44CB92
    APIs
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Clipboard$AllocCloseEmptyGlobalOpen
    • String ID:
    • API String ID: 1737998785-0
    • Opcode ID: 89a0f2b9761463819842caa7d3843a6c9a23f0ce9dc7b2d8288f284bb85f64a4
    • Instruction ID: 7d2467c5e637516f99c3acd13021cfe8aea6d6d7b7ed114db1d1a1dec2014414
    • Opcode Fuzzy Hash: 89a0f2b9761463819842caa7d3843a6c9a23f0ce9dc7b2d8288f284bb85f64a4
    • Instruction Fuzzy Hash: 2121BF352142109FDB10AF64DD99B6E77A8EF84720F14802BF916DB3A1CB34AD01DB54
    APIs
      • Part of subcall function 009648AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009648A1,?,?,009637C0,?), ref: 009648CE
      • Part of subcall function 009C4AD8: GetFileAttributesW.KERNEL32(?,009C374F), ref: 009C4AD9
    • FindFirstFileW.KERNEL32(?,?), ref: 009C38E7
    • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 009C398F
    • MoveFileW.KERNEL32(?,?), ref: 009C39A2
    • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 009C39BF
    • FindNextFileW.KERNEL32(00000000,00000010), ref: 009C39E1
    • FindClose.KERNEL32(00000000,?,?,?,?), ref: 009C39FD
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
    • String ID: \*.*
    • API String ID: 4002782344-1173974218
    • Opcode ID: 5825f161664d2e00e75ccbff746abd4c7e6b24dc5b00940be98292d9765238cf
    • Instruction ID: 3cc1610bb4c51a7990e75b0383285d28479da614a18bfde6bf196de84a31ca06
    • Opcode Fuzzy Hash: 5825f161664d2e00e75ccbff746abd4c7e6b24dc5b00940be98292d9765238cf
    • Instruction Fuzzy Hash: 49515D31C05148AACB15EBE0CEA2EEDB778AF54304F648169E44677192EF316F09CB61
    APIs
      • Part of subcall function 00967F41: _memmove.LIBCMT ref: 00967F82
    • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 009CF4CC
    • Sleep.KERNEL32(0000000A), ref: 009CF4FC
    • _wcscmp.LIBCMT ref: 009CF510
    • _wcscmp.LIBCMT ref: 009CF52B
    • FindNextFileW.KERNEL32(?,?), ref: 009CF5C9
    • FindClose.KERNEL32(00000000), ref: 009CF5DF
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
    • String ID: *.*
    • API String ID: 713712311-438819550
    • Opcode ID: d03e0e24d941483ade5783de34aecb951131ca6f54b95aabb9a9ea5ed93a8b48
    • Instruction ID: 2cc30dd1093a9bd5bc6a1c88192ee8ad1797e6ff5f66a6c93c73fae295ebd090
    • Opcode Fuzzy Hash: d03e0e24d941483ade5783de34aecb951131ca6f54b95aabb9a9ea5ed93a8b48
    • Instruction Fuzzy Hash: 7441AF71D0024AABCF11DFA4CCA4BEEBBB9BF04310F14446AF914A32A1EB319E44CB51
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID:
    • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
    • API String ID: 0-1546025612
    • Opcode ID: 6ff4593a50130df7932730f9583523b004cb9867d9b1a4b43eecc14fa7b89d6e
    • Instruction ID: beae578d13953e6eff26dfcace58f6408c5765e468bb12edca10efb3aaa03652
    • Opcode Fuzzy Hash: 6ff4593a50130df7932730f9583523b004cb9867d9b1a4b43eecc14fa7b89d6e
    • Instruction Fuzzy Hash: 0BA2B071E0421ACBDF24CF98C9817AEB7B5BF45310F24C5AAD859A7281E7349E81CF91
    APIs
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: _memmove
    • String ID:
    • API String ID: 4104443479-0
    • Opcode ID: ddc745336dcb8c9f1244629b2176af4ee2fbcd0f320f5b458a3de018de576848
    • Instruction ID: 100589a1d2abbd9bb378175e3f409f8e8c6d7f306f3cd94df9b29471533ddbc8
    • Opcode Fuzzy Hash: ddc745336dcb8c9f1244629b2176af4ee2fbcd0f320f5b458a3de018de576848
    • Instruction Fuzzy Hash: 6312AB71A00609DFDF14DFA4CA81AEEB7F5FF88310F118669E40AA7251EB36AD11CB50
    APIs
      • Part of subcall function 009648AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009648A1,?,?,009637C0,?), ref: 009648CE
      • Part of subcall function 009C4AD8: GetFileAttributesW.KERNEL32(?,009C374F), ref: 009C4AD9
    • FindFirstFileW.KERNEL32(?,?), ref: 009C3BCD
    • DeleteFileW.KERNEL32(?,?,?,?), ref: 009C3C1D
    • FindNextFileW.KERNEL32(00000000,00000010), ref: 009C3C2E
    • FindClose.KERNEL32(00000000), ref: 009C3C45
    • FindClose.KERNEL32(00000000), ref: 009C3C4E
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
    • String ID: \*.*
    • API String ID: 2649000838-1173974218
    • Opcode ID: 38aa609ea177681dff040c30527ab1f37929756a88e427eed21b8dd017d8f478
    • Instruction ID: afeee89abe3a93b0cbd7a2740bc642ecd85cdb8cb0cd74f8455ae6d93bc5fb34
    • Opcode Fuzzy Hash: 38aa609ea177681dff040c30527ab1f37929756a88e427eed21b8dd017d8f478
    • Instruction Fuzzy Hash: BA317E3141C381ABC305EB64C8A1EAFB7E8BE95304F448E2EF4E192191DB219E09D763
    APIs
      • Part of subcall function 009B8AA3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 009B8AED
      • Part of subcall function 009B8AA3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 009B8B1A
      • Part of subcall function 009B8AA3: GetLastError.KERNEL32 ref: 009B8B27
    • ExitWindowsEx.USER32(?,00000000), ref: 009C52A0
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
    • String ID: $@$SeShutdownPrivilege
    • API String ID: 2234035333-194228
    • Opcode ID: 47ea3c497e04e806678026a531ca91e17b4ddfa73f5a3aee05eedd8a481c3b37
    • Instruction ID: 7913776595896ead5d8ebd7cef786f34d8b850efd1d3f2dbbc6d727dc0b58728
    • Opcode Fuzzy Hash: 47ea3c497e04e806678026a531ca91e17b4ddfa73f5a3aee05eedd8a481c3b37
    • Instruction Fuzzy Hash: 42014731E946116BF72822689C8BFBB72DCEB08341F22052DF827D20D2D9603C80D192
    APIs
    • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 009D63F2
    • WSAGetLastError.WSOCK32(00000000), ref: 009D6401
    • bind.WSOCK32(00000000,?,00000010), ref: 009D641D
    • listen.WSOCK32(00000000,00000005), ref: 009D642C
    • WSAGetLastError.WSOCK32(00000000), ref: 009D6446
    • closesocket.WSOCK32(00000000,00000000), ref: 009D645A
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: ErrorLast$bindclosesocketlistensocket
    • String ID:
    • API String ID: 1279440585-0
    • Opcode ID: d2074afc839054db6837aef3fdf0bbaa93961a5cf9cac34ca055b2e7472fe15e
    • Instruction ID: c3272d1435c03d4ee63345b762dcae5b0217d67ab9fb99fe664199a8db03f7b6
    • Opcode Fuzzy Hash: d2074afc839054db6837aef3fdf0bbaa93961a5cf9cac34ca055b2e7472fe15e
    • Instruction Fuzzy Hash: 5E21D0312402009FCB00EFA4C995B6EB7EDEF84720F14816AF856AB3A1CB70AD00DB51
    APIs
    • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 009B890A
    • OpenProcessToken.ADVAPI32(00000000), ref: 009B8911
    • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 009B8920
    • CloseHandle.KERNEL32(00000004), ref: 009B892B
    • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 009B895A
    • DestroyEnvironmentBlock.USERENV(00000000), ref: 009B896E
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
    • String ID:
    • API String ID: 1413079979-0
    • Opcode ID: 3f533df7d78eeb777f99ebcae3ff1873bcb335c3ca2ec690d5de4d686cc6f47c
    • Instruction ID: 45ac6138d3d2e1a01d7a51582abe70c90651c917dd8a4ecc0980517fe6cb3c55
    • Opcode Fuzzy Hash: 3f533df7d78eeb777f99ebcae3ff1873bcb335c3ca2ec690d5de4d686cc6f47c
    • Instruction Fuzzy Hash: 9D115972505249ABDF01CFA4ED49BEE7BADEF48358F044065FE04A6160C776CE60EB61
    APIs
      • Part of subcall function 00980F36: std::exception::exception.LIBCMT ref: 00980F6C
      • Part of subcall function 00980F36: __CxxThrowException@8.LIBCMT ref: 00980F81
    • _memmove.LIBCMT ref: 009B05AE
    • _memmove.LIBCMT ref: 009B06C3
    • _memmove.LIBCMT ref: 009B076A
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: _memmove$Exception@8Throwstd::exception::exception
    • String ID:
    • API String ID: 1300846289-0
    • Opcode ID: e90cff107ee67976261e89eb171ffacd41fef8762e32748cdee1ec43e0fb5896
    • Instruction ID: 4780ee4239d38209338fd7c26fcc22faf749b90b941280239548a5ed2fe45d94
    • Opcode Fuzzy Hash: e90cff107ee67976261e89eb171ffacd41fef8762e32748cdee1ec43e0fb5896
    • Instruction Fuzzy Hash: A802CEB1A00209DFCF14DF64D982AAEBBB5FF84310F15C069E80ADB255EB35DA11CB91
    APIs
      • Part of subcall function 00962612: GetWindowLongW.USER32(?,000000EB), ref: 00962623
    • DefDlgProcW.USER32(?,?,?,?,?), ref: 009619FA
    • GetSysColor.USER32(0000000F), ref: 00961A4E
    • SetBkColor.GDI32(?,00000000), ref: 00961A61
      • Part of subcall function 00961290: DefDlgProcW.USER32(?,00000020,?), ref: 009612D8
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: ColorProc$LongWindow
    • String ID:
    • API String ID: 3744519093-0
    • Opcode ID: 42a5158121abd3ea0d66b6949cd0442ba7c5a33453012e3521020f0cb010bacf
    • Instruction ID: dfe99a6bf5ddf864e113f42b91885aa6cf3cee5073b5d73c5b303ef334b5447a
    • Opcode Fuzzy Hash: 42a5158121abd3ea0d66b6949cd0442ba7c5a33453012e3521020f0cb010bacf
    • Instruction Fuzzy Hash: 5BA18E71106584BEEF38ABBDAD58E7F359DEB81386B1C091AF002D51E2CA2C9D02D271
    APIs
    • FindFirstFileW.KERNEL32(?,?), ref: 009CBD72
    • _wcscmp.LIBCMT ref: 009CBDA2
    • _wcscmp.LIBCMT ref: 009CBDB7
    • FindNextFileW.KERNEL32(00000000,?), ref: 009CBDC8
    • FindClose.KERNEL32(00000000,00000001,00000000), ref: 009CBDF8
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Find$File_wcscmp$CloseFirstNext
    • String ID:
    • API String ID: 2387731787-0
    • Opcode ID: 1ac0ed39db138b85d3815347ca5d8e484a17e54929f4df39ad4ee299c344d923
    • Instruction ID: 52907439993fa8e318ae4f9e66e9307e9264f6f3940b857b7b99a497e1d18fd5
    • Opcode Fuzzy Hash: 1ac0ed39db138b85d3815347ca5d8e484a17e54929f4df39ad4ee299c344d923
    • Instruction Fuzzy Hash: B551AD75A046029FC714DF68C491FAAB3E8EF88724F10451DEA5A8B3A1DB30ED05CB92
    APIs
      • Part of subcall function 009D7EA0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 009D7ECB
    • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 009D68B4
    • WSAGetLastError.WSOCK32(00000000), ref: 009D68DD
    • bind.WSOCK32(00000000,?,00000010), ref: 009D6916
    • WSAGetLastError.WSOCK32(00000000), ref: 009D6923
    • closesocket.WSOCK32(00000000,00000000), ref: 009D6937
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: ErrorLast$bindclosesocketinet_addrsocket
    • String ID:
    • API String ID: 99427753-0
    • Opcode ID: 2cbb66d9d7fd9015d392bf336ac74c41ef6e6c9e635789af46cb78326b624fcb
    • Instruction ID: 7d4f5714ae7cc3aa69873336ac08d18fbee17024cd1803a72e931744666bd375
    • Opcode Fuzzy Hash: 2cbb66d9d7fd9015d392bf336ac74c41ef6e6c9e635789af46cb78326b624fcb
    • Instruction Fuzzy Hash: 4D41E231A40210AFEB10AF688D96F6E77A9DF84720F048159F90AAB3D2DA749D009791
    APIs
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Window$EnabledForegroundIconicVisibleZoomed
    • String ID:
    • API String ID: 292994002-0
    • Opcode ID: 3e72651e441d7e3caa8b5b13a299d3085048f8d317c86da767b82f9e6883236a
    • Instruction ID: 90fea0de615ffc6600eecb27571d301a91deb51d492989d7ee89014e0ddf88e0
    • Opcode Fuzzy Hash: 3e72651e441d7e3caa8b5b13a299d3085048f8d317c86da767b82f9e6883236a
    • Instruction Fuzzy Hash: 5F1127317009506FE7225F27CC94B2E779DFF84726B068429F846C72A1EB70DC42C695
    APIs
    • LoadLibraryA.KERNEL32(kernel32.dll,?,009A1CB7,?), ref: 009DC112
    • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 009DC124
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: GetSystemWow64DirectoryW$kernel32.dll
    • API String ID: 2574300362-1816364905
    • Opcode ID: 54ba535c850a18f55a3b0b5fcacb48b4ed657e6c16f0ccd109ce1df69eb4a91e
    • Instruction ID: 81b75913a05cf27739f7bad037894ed7b0c0ebfd41373aaf71f82d491d43f9e3
    • Opcode Fuzzy Hash: 54ba535c850a18f55a3b0b5fcacb48b4ed657e6c16f0ccd109ce1df69eb4a91e
    • Instruction Fuzzy Hash: 9CE08CB8258723CFCB205B29D868A42B6E8EF08758B40C43BE889C6250E778D880C710
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: __itow__swprintf
    • String ID:
    • API String ID: 674341424-0
    • Opcode ID: 98aea5b5c13a4a16c5cc3042e3155d62c5e5a50845f983d905856c8415fc1676
    • Instruction ID: b44dd19f9a14e6399f307bf589dedaaf40be9e38ceb200e67ecf6ee56771cd38
    • Opcode Fuzzy Hash: 98aea5b5c13a4a16c5cc3042e3155d62c5e5a50845f983d905856c8415fc1676
    • Instruction Fuzzy Hash: EB22AA726083019FC724DF64C892B6FB7E8AFC5710F14891DF89A97291DB75EA04CB92
    APIs
    • CreateToolhelp32Snapshot.KERNEL32 ref: 009DEF51
    • Process32FirstW.KERNEL32(00000000,?), ref: 009DEF5F
      • Part of subcall function 00967F41: _memmove.LIBCMT ref: 00967F82
    • Process32NextW.KERNEL32(00000000,?), ref: 009DF01F
    • CloseHandle.KERNEL32(00000000,?,?,?), ref: 009DF02E
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
    • String ID:
    • API String ID: 2576544623-0
    • Opcode ID: a6d983e6f51bfbd051136ab36eb05e803b0e1ac4739d2173477d3a79feeafb5e
    • Instruction ID: 993121e9639423005602d828e920734acbef1134bf2d58d598a9620db671637b
    • Opcode Fuzzy Hash: a6d983e6f51bfbd051136ab36eb05e803b0e1ac4739d2173477d3a79feeafb5e
    • Instruction Fuzzy Hash: 0E516D71508301AFD310EF64DC96F6BB7E8BF84710F14492EF49697291EB70A904CB92
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: BuffCharUpper
    • String ID:
    • API String ID: 3964851224-0
    • Opcode ID: 92ccbc3c1a2d3460a91bd914cea91971ba473aa526d5fbd4645fc7afc8b44ba5
    • Instruction ID: 49ad8c1d34f7a898b7370541d8d4fef6a005adb1bca9c9a045b3cc2ae856ef63
    • Opcode Fuzzy Hash: 92ccbc3c1a2d3460a91bd914cea91971ba473aa526d5fbd4645fc7afc8b44ba5
    • Instruction Fuzzy Hash: D6924471608341CFD724DF18C490B6ABBE5BBC9304F24896DE88A9B362D775EC45CB92
    APIs
    • lstrlenW.KERNEL32(?,?,?,00000000), ref: 009BE93A
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: lstrlen
    • String ID: ($|
    APIs
    • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,009D1920,00000000), ref: 009D24F7
    • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 009D252E
    Similarity
    • API ID: Internet$AvailableDataFileQueryRead
    • String ID:
    APIs
    • SetErrorMode.KERNEL32(00000001), ref: 009CB3CF
    • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 009CB429
    • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 009CB476
    Similarity
    • API ID: ErrorMode$DiskFreeSpace
    • String ID:
    APIs
      • Part of subcall function 00980F36: std::exception::exception.LIBCMT ref: 00980F6C
      • Part of subcall function 00980F36: __CxxThrowException@8.LIBCMT ref: 00980F81
    • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 009B8AED
    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 009B8B1A
    • GetLastError.KERNEL32 ref: 009B8B27
    Similarity
    • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
    • String ID:
    APIs
    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 009C4A31
    • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 009C4A48
    • FreeSid.ADVAPI32(?), ref: 009C4A58
    Similarity
    • API ID: AllocateCheckFreeInitializeMembershipToken
    • String ID:
    APIs
    • GetFileAttributesW.KERNEL32(?,0099E6F1), ref: 009C44AB
    • FindFirstFileW.KERNEL32(?,?), ref: 009C44BC
    • FindClose.KERNEL32(00000000), ref: 009C44CC
    Similarity
    • API ID: FileFind$AttributesCloseFirst
    • String ID:
    APIs
    • FindFirstFileW.KERNEL32(?,?), ref: 009CC787
    • FindClose.KERNEL32(00000000), ref: 009CC7B7
    Similarity
    • API ID: Find$CloseFileFirst
    • String ID:
    APIs
    • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,009D957D,?,009EFB84,?), ref: 009CA121
    • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,009D957D,?,009EFB84,?), ref: 009CA133
    Similarity
    • API ID: ErrorFormatLastMessage
    • String ID:
    APIs
    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009B8631), ref: 009B8508
    • CloseHandle.KERNEL32(?,?,009B8631), ref: 009B851A
    Similarity
    • API ID: AdjustCloseHandlePrivilegesToken
    • String ID:
    APIs
    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00988ED7,?,?,?,00000001), ref: 0098A2DA
    • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0098A2E3
    Similarity
    • API ID: ExceptionFilterUnhandled
    • String ID:
    Strings
    • Variable must be of type 'Object'., xrefs: 009A41BB
    Similarity
    • API ID:
    • String ID: Variable must be of type 'Object'.
    APIs
    • __time64.LIBCMT ref: 009C8944
      • Part of subcall function 0098537A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,009C9017,00000000,?,?,?,?,009C91C8,00000000,?), ref: 00985383
      • Part of subcall function 0098537A: __aulldiv.LIBCMT ref: 009853A3
    Similarity
    • API ID: Time$FileSystem__aulldiv__time64
    • String ID:
    APIs
    • BlockInput.USER32(00000001), ref: 009D403A
    Similarity
    • API ID: BlockInput
    • String ID:
    APIs
    • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 009C4CF1
    Similarity
    • API ID: mouse_event
    • String ID:
    APIs
    • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,009B86B1), ref: 009B8A93
    Similarity
    • API ID: LogonUser
    • String ID:
    APIs
    • GetUserNameW.ADVAPI32(?,?), ref: 009A2171
    Similarity
    • API ID: NameUser
    • String ID:
    APIs
    • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0098A2AA
    Similarity
    • API ID: ExceptionFilterUnhandled
    • String ID:
    APIs
    • CharUpperBuffW.USER32(?,?,009EF910), ref: 009E3690
    • IsWindowVisible.USER32(?), ref: 009E36B4
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: BuffCharUpperVisibleWindow
    • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
    • API String ID: 4105515805-45149045
    • Opcode ID: 4ded193b64ffe69553c2d15008a3f66212bbe281409dc8e77c974e000250eccf
    • Instruction ID: f94f90fae17874a019c5c6af213425cb2ee457510e889e1b9d8c3bc5b2cb5015
    • Opcode Fuzzy Hash: 4ded193b64ffe69553c2d15008a3f66212bbe281409dc8e77c974e000250eccf
    • Instruction Fuzzy Hash: 45D1AF302142419BCB15FF11C5A5BAA77AAAFD4754F04886CF8D65B3E2CB31EE4ACB41
    APIs
    • SetTextColor.GDI32(?,00000000), ref: 009EA662
    • GetSysColorBrush.USER32(0000000F), ref: 009EA693
    • GetSysColor.USER32(0000000F), ref: 009EA69F
    • SetBkColor.GDI32(?,000000FF), ref: 009EA6B9
    • SelectObject.GDI32(?,00000000), ref: 009EA6C8
    • InflateRect.USER32(?,000000FF,000000FF), ref: 009EA6F3
    • GetSysColor.USER32(00000010), ref: 009EA6FB
    • CreateSolidBrush.GDI32(00000000), ref: 009EA702
    • FrameRect.USER32(?,?,00000000), ref: 009EA711
    • DeleteObject.GDI32(00000000), ref: 009EA718
    • InflateRect.USER32(?,000000FE,000000FE), ref: 009EA763
    • FillRect.USER32(?,?,00000000), ref: 009EA795
    • GetWindowLongW.USER32(?,000000F0), ref: 009EA7C0
      • Part of subcall function 009EA8FC: GetSysColor.USER32(00000012), ref: 009EA935
      • Part of subcall function 009EA8FC: SetTextColor.GDI32(?,?), ref: 009EA939
      • Part of subcall function 009EA8FC: GetSysColorBrush.USER32(0000000F), ref: 009EA94F
      • Part of subcall function 009EA8FC: GetSysColor.USER32(0000000F), ref: 009EA95A
      • Part of subcall function 009EA8FC: GetSysColor.USER32(00000011), ref: 009EA977
      • Part of subcall function 009EA8FC: CreatePen.GDI32(00000000,00000001,00743C00), ref: 009EA985
      • Part of subcall function 009EA8FC: SelectObject.GDI32(?,00000000), ref: 009EA996
      • Part of subcall function 009EA8FC: SetBkColor.GDI32(?,00000000), ref: 009EA99F
      • Part of subcall function 009EA8FC: SelectObject.GDI32(?,?), ref: 009EA9AC
      • Part of subcall function 009EA8FC: InflateRect.USER32(?,000000FF,000000FF), ref: 009EA9CB
      • Part of subcall function 009EA8FC: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009EA9E2
      • Part of subcall function 009EA8FC: GetWindowLongW.USER32(00000000,000000F0), ref: 009EA9F7
      • Part of subcall function 009EA8FC: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 009EAA1F
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
    • String ID:
    • API String ID: 3521893082-0
    • Opcode ID: a93e6acdd65210c5e27ec57a8dfd50f481b25382d921f735520977a17e62de5c
    • Instruction ID: 5e761d240d46a8f30a10563e16070bc7fb1aff28d46bf0b2dfcc18edf2a3a034
    • Opcode Fuzzy Hash: a93e6acdd65210c5e27ec57a8dfd50f481b25382d921f735520977a17e62de5c
    • Instruction Fuzzy Hash: FD91BE72418381EFDB119F64DC48A6B7BB9FF89321F100A2AF5629A1A1C731ED44DB52
    APIs
    • DestroyWindow.USER32(?,?,?), ref: 00962CA2
    • DeleteObject.GDI32(00000000), ref: 00962CE8
    • DeleteObject.GDI32(00000000), ref: 00962CF3
    • DestroyIcon.USER32(00000000,?,?,?), ref: 00962CFE
    • DestroyWindow.USER32(00000000,?,?,?), ref: 00962D09
    • SendMessageW.USER32(?,00001308,?,00000000), ref: 0099C5BB
    • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0099C5F4
    • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0099CA1D
      • Part of subcall function 00961B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00962036,?,00000000,?,?,?,?,009616CB,00000000,?), ref: 00961B9A
    • SendMessageW.USER32(?,00001053), ref: 0099CA5A
    • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0099CA71
    • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0099CA87
    • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0099CA92
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
    • String ID: 0
    • API String ID: 464785882-4108050209
    • Opcode ID: 4a5edd69c116a55f1be91fd2b7d013eafb2a8b0079b535e07217d7292e0c0625
    • Instruction ID: dfc19975e8ce2fc80065e3132d3f4ad3e1b967996e88eab82eff378e8b99d216
    • Opcode Fuzzy Hash: 4a5edd69c116a55f1be91fd2b7d013eafb2a8b0079b535e07217d7292e0c0625
    • Instruction Fuzzy Hash: 5612AD70604641EFDB24CF28C894BA9B7E9FF48311F5445AAF985CB262CB35EC42DB91
    APIs
    • DestroyWindow.USER32(00000000), ref: 009D75F3
    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 009D76B2
    • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 009D76F0
    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 009D7702
    • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 009D7748
    • GetClientRect.USER32(00000000,?), ref: 009D7754
    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 009D7798
    • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 009D77A7
    • GetStockObject.GDI32(00000011), ref: 009D77B7
    • SelectObject.GDI32(00000000,00000000), ref: 009D77BB
    • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 009D77CB
    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 009D77D4
    • DeleteDC.GDI32(00000000), ref: 009D77DD
    • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 009D7809
    • SendMessageW.USER32(00000030,00000000,00000001), ref: 009D7820
    • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 009D785B
    • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 009D786F
    • SendMessageW.USER32(00000404,00000001,00000000), ref: 009D7880
    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 009D78B0
    • GetStockObject.GDI32(00000011), ref: 009D78BB
    • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 009D78C6
    • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 009D78D0
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
    • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
    • API String ID: 2910397461-517079104
    • Opcode ID: 98e444325c2e3e5cfb3f62c751baeff7b4dc68580d7474b056f372d7dfe871ba
    • Instruction ID: 1e0754c92d434322a6f62f3be368759ebdad409b01a43b8d0d6232be679bae60
    • Opcode Fuzzy Hash: 98e444325c2e3e5cfb3f62c751baeff7b4dc68580d7474b056f372d7dfe871ba
    • Instruction Fuzzy Hash: 8CA18471A50619BFEB14DBA8DD4AFBE7BB9EB44710F108115FA14AB2E0D770AD01CB60
    APIs
    • SetErrorMode.KERNEL32(00000001), ref: 009CADAA
    • GetDriveTypeW.KERNEL32(?,009EFAC0,?,\\.\,009EF910), ref: 009CAE87
    • SetErrorMode.KERNEL32(00000000,009EFAC0,?,\\.\,009EF910), ref: 009CAFE5
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: ErrorMode$DriveType
    • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
    • API String ID: 2907320926-4222207086
    • Opcode ID: 3f2981cc24c0186ea6b192d4902767dfaacfb16d1d2d0bea505df75304e81854
    • Instruction ID: 479347c0905085c2451e9f739f3b34725c4fa321f6883a2775e4d31b5d24bccc
    • Opcode Fuzzy Hash: 3f2981cc24c0186ea6b192d4902767dfaacfb16d1d2d0bea505df75304e81854
    • Instruction Fuzzy Hash: 4C5171B4E4820DABCB00DB50D9D2FADB775BF44748720885EE906A72D1CB399D41DB93
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: __wcsnicmp
    • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
    • API String ID: 1038674560-86951937
    • Opcode ID: 8aa523bdb7f6e7676a27f972ffbf60398f875730001fa51317b4c50da6cb51f0
    • Instruction ID: 7bd2c4600fa1d357995fae76819cacb4d9571876ca14a01c3712a6bfa5afa9c9
    • Opcode Fuzzy Hash: 8aa523bdb7f6e7676a27f972ffbf60398f875730001fa51317b4c50da6cb51f0
    • Instruction Fuzzy Hash: A5812370604205FBDF20FFA5CC92FAE776CAF95B04F044025F945AA292EB61EE51C3A1
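    The function above is the AutoIt runtime's directive pre-scanner: it compares each `#` line against the directive names in its string table with a case-insensitive prefix compare (`__wcsnicmp`) and carries the three error texts listed. The following Python is an added example, not code from the Joe Sandbox report or from AutoIt itself. It re-implements that single pass over a constructed script so that the directives an analyst wants out of a decompiled sample (`#RequireAdmin`, `#NoTrayIcon`, `#OnAutoItStartRegister`, `#include` targets, `#pragma compile`) are collected in one go. Which condition produces which error text, whether `#cs`/`#ce` blocks nest, and the quoting forms accepted by `#include` are assumptions of this example, not facts taken from the report.

```python
import re
from dataclasses import dataclass, field

# Directive names as they appear in the runtime's string table; the runtime
# compares them case-insensitively (__wcsnicmp), so names are lower-cased here.
COMMENT_START = ("cs", "comments-start")
COMMENT_END = ("ce", "comments-end")
FLAG_DIRECTIVES = ("requireadmin", "notrayicon", "include-once")

# The three error texts come from the same string table; which condition
# raises each one is an assumption of this example.
ERR_INCLUDE = "Cannot parse #include"
ERR_SYNTAX = "Bad directive syntax error"
ERR_UNTERMINATED = "Unterminated group of comments"

_DIRECTIVE_RE = re.compile(r"^#([A-Za-z][A-Za-z-]*)\s*(.*?)\s*$")
_INCLUDE_RE = re.compile(r"^(?:<([^<>]+)>|\"([^\"]+)\"|'([^']+)')$")
_REGISTER_RE = re.compile(r"^\"([A-Za-z_]\w*)\"$")


@dataclass
class ScanResult:
    includes: list = field(default_factory=list)       # (line, file, is_system)
    flags: set = field(default_factory=set)            # requireadmin, notrayicon, include-once
    startup_hooks: list = field(default_factory=list)  # #OnAutoItStartRegister targets
    pragmas: list = field(default_factory=list)        # #pragma arguments, verbatim
    errors: list = field(default_factory=list)         # (line, message)


def scan_directives(source: str) -> ScanResult:
    """Single pass over an AutoIt script: collect directives, skip comment blocks."""
    res = ScanResult()
    open_blocks = []  # line numbers of #cs blocks not yet closed (nesting assumed)
    for lineno, raw in enumerate(source.splitlines(), 1):
        m = _DIRECTIVE_RE.match(raw.strip())
        if not m:
            continue  # ordinary code or text; only '#' lines are directives
        name, rest = m.group(1).lower(), m.group(2)
        if name in COMMENT_START:
            open_blocks.append(lineno)
            continue
        if name in COMMENT_END:
            if open_blocks:
                open_blocks.pop()
            continue
        if open_blocks:
            continue  # inside a comment block every other directive is inert
        if name == "include":
            im = _INCLUDE_RE.match(rest)
            if im is None:
                res.errors.append((lineno, ERR_INCLUDE))
            else:
                target = im.group(1) or im.group(2) or im.group(3)
                res.includes.append((lineno, target, im.group(1) is not None))
        elif name in FLAG_DIRECTIVES:
            res.flags.add(name)
        elif name == "onautoitstartregister":
            rm = _REGISTER_RE.match(rest)
            if rm is None:
                res.errors.append((lineno, ERR_SYNTAX))
            else:
                res.startup_hooks.append(rm.group(1))
        elif name == "pragma":
            if rest.lower().startswith("compile"):
                res.pragmas.append(rest)
            else:
                res.errors.append((lineno, ERR_SYNTAX))
        # Any other '#' line (editor markers such as #Region) is ignored.
    if open_blocks:
        res.errors.append((open_blocks[0], ERR_UNTERMINATED))
    return res


# Triage wording is this example's own; the directive effects are AutoIt facts.
TRIAGE = {
    "requireadmin": "script asks for elevation (UAC prompt) before it runs",
    "notrayicon": "AutoIt tray icon is suppressed, hiding the running script",
}


def triage_notes(res: ScanResult) -> list:
    """Turn a scan into the short list an analyst wants at the top of a report."""
    notes = [TRIAGE[f] for f in sorted(res.flags) if f in TRIAGE]
    for hook in res.startup_hooks:
        notes.append(f"function {hook} runs before the script body (#OnAutoItStartRegister)")
    for _, target, is_system in res.includes:
        if not is_system:
            notes.append(f'user include "{target}" is a separate file to collect')
    return notes


# Constructed sample script for this example (not taken from the analysed binary).
SAMPLE_SCRIPT = """\
#NoTrayIcon
#RequireAdmin
#include <WinAPI.au3>
#include "payload.au3"
#OnAutoItStartRegister "_Init"
#cs
  #include <Ignored.au3>
  #cs nested block, also ignored
  #ce
#ce
#pragma compile(Out, svchost.exe)
#include-once
#include bad
MsgBox(0, "hi", "hello")
"""

if __name__ == "__main__":
    result = scan_directives(SAMPLE_SCRIPT)
    for line, msg in result.errors:
        print(f"line {line}: {msg}")
    for note in triage_notes(result):
        print("-", note)
```

    Run it against the output of an AutoIt decompiler instead of `SAMPLE_SCRIPT` to get the include list and the elevation/tray flags before reading the body; the comment-block handling matters because a dropped `#ce` silently hides everything that follows it from the scan, which is exactly the "Unterminated group of comments" case the runtime reports.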
    APIs
    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 009E9B04
    • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 009E9BBD
    • SendMessageW.USER32(?,00001102,00000002,?), ref: 009E9BD9
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: MessageSend$Window
    • String ID: 0
    • API String ID: 2326795674-4108050209
    • Opcode ID: 9202680b3a55b20d23363ca1eba2328335686aa642e50e11ea94a6580dea152e
    • Instruction ID: 6fcf6cf07cf465c1d564d9f64b1180ac10c4c7ad9785a07062c050b094c0a78e
    • Opcode Fuzzy Hash: 9202680b3a55b20d23363ca1eba2328335686aa642e50e11ea94a6580dea152e
    • Instruction Fuzzy Hash: D102E330108381AFD726CF26C898BAABBE9FF49714F04892DF599DA2A1C734DD44DB51
    APIs
    • GetSysColor.USER32(00000012), ref: 009EA935
    • SetTextColor.GDI32(?,?), ref: 009EA939
    • GetSysColorBrush.USER32(0000000F), ref: 009EA94F
    • GetSysColor.USER32(0000000F), ref: 009EA95A
    • CreateSolidBrush.GDI32(?), ref: 009EA95F
    • GetSysColor.USER32(00000011), ref: 009EA977
    • CreatePen.GDI32(00000000,00000001,00743C00), ref: 009EA985
    • SelectObject.GDI32(?,00000000), ref: 009EA996
    • SetBkColor.GDI32(?,00000000), ref: 009EA99F
    • SelectObject.GDI32(?,?), ref: 009EA9AC
    • InflateRect.USER32(?,000000FF,000000FF), ref: 009EA9CB
    • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009EA9E2
    • GetWindowLongW.USER32(00000000,000000F0), ref: 009EA9F7
    • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 009EAA1F
    • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 009EAA46
    • InflateRect.USER32(?,000000FD,000000FD), ref: 009EAA64
    • DrawFocusRect.USER32(?,?), ref: 009EAA6F
    • GetSysColor.USER32(00000011), ref: 009EAA7D
    • SetTextColor.GDI32(?,00000000), ref: 009EAA85
    • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 009EAA99
    • SelectObject.GDI32(?,009EA62C), ref: 009EAAB0
    • DeleteObject.GDI32(?), ref: 009EAABB
    • SelectObject.GDI32(?,?), ref: 009EAAC1
    • DeleteObject.GDI32(?), ref: 009EAAC6
    • SetTextColor.GDI32(?,?), ref: 009EAACC
    • SetBkColor.GDI32(?,?), ref: 009EAAD6
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
    • String ID:
    • API String ID: 1996641542-0
    • Opcode ID: f4a0daabc50655c30d6384bb3bc4c3e1c23ec6fb3aaea1a17214636f8bdb203f
    • Instruction ID: d6da4967f5cbb26898acb33cddc360333c6fa48a67cc81f512a7495c0643bb71
    • Opcode Fuzzy Hash: f4a0daabc50655c30d6384bb3bc4c3e1c23ec6fb3aaea1a17214636f8bdb203f
    • Instruction Fuzzy Hash: C9515C71904248FFDF119FA5DC88EAEBB79EB48320F114626F911AB2A1D7719D40DF50
    APIs
    • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 009E8AF3
    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009E8B04
    • CharNextW.USER32(0000014E), ref: 009E8B33
    • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 009E8B74
    • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 009E8B8A
    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009E8B9B
    • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 009E8BB8
    • SetWindowTextW.USER32(?,0000014E), ref: 009E8C0A
    • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 009E8C20
    • SendMessageW.USER32(?,00001002,00000000,?), ref: 009E8C51
    • _memset.LIBCMT ref: 009E8C76
    • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 009E8CBF
    • _memset.LIBCMT ref: 009E8D1E
    • SendMessageW.USER32(?,00001053,000000FF,?), ref: 009E8D48
    • SendMessageW.USER32(?,00001074,?,00000001), ref: 009E8DA0
    • SendMessageW.USER32(?,0000133D,?,?), ref: 009E8E4D
    • InvalidateRect.USER32(?,00000000,00000001), ref: 009E8E6F
    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 009E8EB9
    • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 009E8EE6
    • DrawMenuBar.USER32(?), ref: 009E8EF5
    • SetWindowTextW.USER32(?,0000014E), ref: 009E8F1D
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
    • String ID: 0
    • API String ID: 1073566785-4108050209
    • Opcode ID: 9e9a5a647023608247d45035c64432718cb583451ce6aa2ff9b78e62f1036dc2
    • Instruction ID: 16df2453fc42cdd6db136bb05c4fe3f517e3973b96f4b8bb0c815121ae777f14
    • Opcode Fuzzy Hash: 9e9a5a647023608247d45035c64432718cb583451ce6aa2ff9b78e62f1036dc2
    • Instruction Fuzzy Hash: 25E18270900288ABDF219F96CC84EEF7B79FF05750F108566F919AA291DB748E81DF60
    APIs
    • GetCursorPos.USER32(?), ref: 009E4A33
    • GetDesktopWindow.USER32 ref: 009E4A48
    • GetWindowRect.USER32(00000000), ref: 009E4A4F
    • GetWindowLongW.USER32(?,000000F0), ref: 009E4AB1
    • DestroyWindow.USER32(?), ref: 009E4ADD
    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 009E4B06
    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 009E4B24
    • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 009E4B4A
    • SendMessageW.USER32(?,00000421,?,?), ref: 009E4B5F
    • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 009E4B72
    • IsWindowVisible.USER32(?), ref: 009E4B92
    • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 009E4BAD
    • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 009E4BC1
    • GetWindowRect.USER32(?,?), ref: 009E4BD9
    • MonitorFromPoint.USER32(?,?,00000002), ref: 009E4BFF
    • GetMonitorInfoW.USER32(00000000,?), ref: 009E4C19
    • CopyRect.USER32(?,?), ref: 009E4C30
    • SendMessageW.USER32(?,00000412,00000000), ref: 009E4C9B
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
    • String ID: ($0$tooltips_class32
    • API String ID: 698492251-4156429822
    • Opcode ID: 39ad43c825422b3bbe109f38757e78d1c99ea32ff096d4757a020af0f2749390
    • Instruction ID: d644c14579d8b0f9581a5fb22dabc25b359927a79f70c5dff2661031f6d4f190
    • Opcode Fuzzy Hash: 39ad43c825422b3bbe109f38757e78d1c99ea32ff096d4757a020af0f2749390
    • Instruction Fuzzy Hash: CCB19071608381AFDB05DF65C888B6ABBE8FF88710F00892DF5999B291D775EC04CB56
    APIs
    • GetFileVersionInfoSizeW.VERSION(?,?), ref: 009C44ED
    • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 009C4513
    • _wcscpy.LIBCMT ref: 009C4541
    • _wcscmp.LIBCMT ref: 009C454C
    • _wcscat.LIBCMT ref: 009C4562
    • _wcsstr.LIBCMT ref: 009C456D
    • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 009C4589
    • _wcscat.LIBCMT ref: 009C45D2
    • _wcscat.LIBCMT ref: 009C45D9
    • _wcsncpy.LIBCMT ref: 009C4604
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
    • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
    • API String ID: 699586101-1459072770
    • Opcode ID: c37d78a092175873f1cd57fc63572f90969b3e8c14ef77c4436d1a4a16ac29b4
    • Instruction ID: 3eb5a8218f7e13e589accae1394a6da9582ef3d487610af897a430a40128e58c
    • Opcode Fuzzy Hash: c37d78a092175873f1cd57fc63572f90969b3e8c14ef77c4436d1a4a16ac29b4
    • Instruction Fuzzy Hash: 83412732A042007BDB11BB648C43FBF77ACEFC1710F04402AF904E6282EB359A0197A9
    APIs
    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 009628BC
    • GetSystemMetrics.USER32(00000007), ref: 009628C4
    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 009628EF
    • GetSystemMetrics.USER32(00000008), ref: 009628F7
    • GetSystemMetrics.USER32(00000004), ref: 0096291C
    • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00962939
    • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00962949
    • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0096297C
    • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00962990
    • GetClientRect.USER32(00000000,000000FF), ref: 009629AE
    • GetStockObject.GDI32(00000011), ref: 009629CA
    • SendMessageW.USER32(00000000,00000030,00000000), ref: 009629D5
      • Part of subcall function 00962344: GetCursorPos.USER32(?), ref: 00962357
      • Part of subcall function 00962344: ScreenToClient.USER32(00A257B0,?), ref: 00962374
      • Part of subcall function 00962344: GetAsyncKeyState.USER32(00000001), ref: 00962399
      • Part of subcall function 00962344: GetAsyncKeyState.USER32(00000002), ref: 009623A7
    • SetTimer.USER32(00000000,00000000,00000028,00961256), ref: 009629FC
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
    • String ID: AutoIt v3 GUI
    • API String ID: 1458621304-248962490
    • Opcode ID: 61e45a4dfbffbe3832c0d4cc81f82ae26aeb6653e96968fc9bcd68da79d0250e
    • Instruction ID: 7afb20e1773002a098af568828e6d1e05716de93481c124c5a4637d6ebba4fc9
    • Opcode Fuzzy Hash: 61e45a4dfbffbe3832c0d4cc81f82ae26aeb6653e96968fc9bcd68da79d0250e
    • Instruction Fuzzy Hash: 48B16E71A0064AEFDF14DFA8DC95BAD7BB4FB48310F108229FA15AB2A0DB74D941DB50
    APIs
    • CharUpperBuffW.USER32(?,?), ref: 009E3ED8
    • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 009E3F98
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: BuffCharMessageSendUpper
    • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
    • API String ID: 3974292440-719923060
    • Opcode ID: 99a35cc7b919dcb22f7f7deb227e25f30b5d3c18b92ff66c1c82086e691d65ae
    • Instruction ID: da4005d80e010e07891a6e882432b47ddc5e64a354158fb23a3d3b3a66323c36
    • Opcode Fuzzy Hash: 99a35cc7b919dcb22f7f7deb227e25f30b5d3c18b92ff66c1c82086e691d65ae
    • Instruction Fuzzy Hash: 64A18F302143419BCB14EF25C9A2B6AB3E9BFD5314F14896CB8A65B3D2DB34ED09CB51
    APIs
    • GetClassNameW.USER32(?,?,00000100), ref: 009BA885
    • __swprintf.LIBCMT ref: 009BA926
    • _wcscmp.LIBCMT ref: 009BA939
    • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 009BA98E
    • _wcscmp.LIBCMT ref: 009BA9CA
    • GetClassNameW.USER32(?,?,00000400), ref: 009BAA01
    • GetDlgCtrlID.USER32(?), ref: 009BAA53
    • GetWindowRect.USER32(?,?), ref: 009BAA89
    • GetParent.USER32(?), ref: 009BAAA7
    • ScreenToClient.USER32(00000000), ref: 009BAAAE
    • GetClassNameW.USER32(?,?,00000100), ref: 009BAB28
    • _wcscmp.LIBCMT ref: 009BAB3C
    • GetWindowTextW.USER32(?,?,00000400), ref: 009BAB62
    • _wcscmp.LIBCMT ref: 009BAB76
      • Part of subcall function 009837AC: _iswctype.LIBCMT ref: 009837B4
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
    • String ID: %s%u
    • API String ID: 3744389584-679674701
    • Opcode ID: 1a67387762691cee0653e09ab84236831ef08ebfc8cf92e26f623daee5a34684
    • Instruction ID: c5f332a2546d5733565131c74db7612c67ea3632176cc62fbcecc48cbba5c356
    • Opcode Fuzzy Hash: 1a67387762691cee0653e09ab84236831ef08ebfc8cf92e26f623daee5a34684
    • Instruction Fuzzy Hash: CEA1BF71204256AFD714DF24CA84FEAB7EDFF44324F108629F9A9C2191DB30E945CBA2
    APIs
    • GetClassNameW.USER32(00000008,?,00000400), ref: 009BB1DA
    • _wcscmp.LIBCMT ref: 009BB1EB
    • GetWindowTextW.USER32(00000001,?,00000400), ref: 009BB213
    • CharUpperBuffW.USER32(?,00000000), ref: 009BB230
    • _wcscmp.LIBCMT ref: 009BB24E
    • _wcsstr.LIBCMT ref: 009BB25F
    • GetClassNameW.USER32(00000018,?,00000400), ref: 009BB297
    • _wcscmp.LIBCMT ref: 009BB2A7
    • GetWindowTextW.USER32(00000002,?,00000400), ref: 009BB2CE
    • GetClassNameW.USER32(00000018,?,00000400), ref: 009BB317
    • _wcscmp.LIBCMT ref: 009BB327
    • GetClassNameW.USER32(00000010,?,00000400), ref: 009BB34F
    • GetWindowRect.USER32(00000004,?), ref: 009BB3B8
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
    • String ID: @$ThumbnailClass
    • API String ID: 1788623398-1539354611
    • Opcode ID: d8286a44a2efe3ebd736adbf6bf89e183582f2122ed7bf702e75fdcd6685212b
    • Instruction ID: 0ec80c1f609cba44ecb1d75ed430908333c7e53bd52534e01a8ba7c84e03c84a
    • Opcode Fuzzy Hash: d8286a44a2efe3ebd736adbf6bf89e183582f2122ed7bf702e75fdcd6685212b
    • Instruction Fuzzy Hash: BC81807100824A9BDB01DF14CA95FAA7BDCFF84724F04856AFD858A0E2DBB4DD45CB61
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: __wcsnicmp
    • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
    • API String ID: 1038674560-1810252412
    • Opcode ID: d262df964f227e4eadd922aa44506fcbca9b18bfdb4df6283351a64467c7fd04
    • Instruction ID: eacb6133dbbe6a6d115f01928c7be6c1b5b570bab318d31dd43cd22eccecbbfe
    • Opcode Fuzzy Hash: d262df964f227e4eadd922aa44506fcbca9b18bfdb4df6283351a64467c7fd04
    • Instruction Fuzzy Hash: D9312F31A48209BADA24FAA0CE53FFF7778AF50B60F600915F451711D6EF926F448651
    APIs
    • LoadIconW.USER32(00000063), ref: 009BC2D3
    • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 009BC2E5
    • SetWindowTextW.USER32(?,?), ref: 009BC2FC
    • GetDlgItem.USER32(?,000003EA), ref: 009BC311
    • SetWindowTextW.USER32(00000000,?), ref: 009BC317
    • GetDlgItem.USER32(?,000003E9), ref: 009BC327
    • SetWindowTextW.USER32(00000000,?), ref: 009BC32D
    • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 009BC34E
    • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 009BC368
    • GetWindowRect.USER32(?,?), ref: 009BC371
    • SetWindowTextW.USER32(?,?), ref: 009BC3DC
    • GetDesktopWindow.USER32 ref: 009BC3E2
    • GetWindowRect.USER32(00000000), ref: 009BC3E9
    • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 009BC435
    • GetClientRect.USER32(?,?), ref: 009BC442
    • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 009BC467
    • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 009BC492
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
    • String ID:
    • API String ID: 3869813825-0
    • Opcode ID: 41ef9bca52870ac6a21ed17bf5e676b2cbfd0b630121616d91fbfc13cc8fdc51
    • Instruction ID: bc65f0543d48ab269533397105c2f5895836db7e077031ec66260b9208a5f779
    • Opcode Fuzzy Hash: 41ef9bca52870ac6a21ed17bf5e676b2cbfd0b630121616d91fbfc13cc8fdc51
    • Instruction Fuzzy Hash: 7E518F70900709EFDB20DFA8DE85BAEBBF9FF04714F004529E586A65A0C775AD04DB50
    APIs
    • LoadCursorW.USER32(00000000,00007F8A), ref: 009D5129
    • LoadCursorW.USER32(00000000,00007F00), ref: 009D5134
    • LoadCursorW.USER32(00000000,00007F03), ref: 009D513F
    • LoadCursorW.USER32(00000000,00007F8B), ref: 009D514A
    • LoadCursorW.USER32(00000000,00007F01), ref: 009D5155
    • LoadCursorW.USER32(00000000,00007F81), ref: 009D5160
    • LoadCursorW.USER32(00000000,00007F88), ref: 009D516B
    • LoadCursorW.USER32(00000000,00007F80), ref: 009D5176
    • LoadCursorW.USER32(00000000,00007F86), ref: 009D5181
    • LoadCursorW.USER32(00000000,00007F83), ref: 009D518C
    • LoadCursorW.USER32(00000000,00007F85), ref: 009D5197
    • LoadCursorW.USER32(00000000,00007F82), ref: 009D51A2
    • LoadCursorW.USER32(00000000,00007F84), ref: 009D51AD
    • LoadCursorW.USER32(00000000,00007F04), ref: 009D51B8
    • LoadCursorW.USER32(00000000,00007F02), ref: 009D51C3
    • LoadCursorW.USER32(00000000,00007F89), ref: 009D51CE
    • GetCursorInfo.USER32(?), ref: 009D51DE
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Cursor$Load$Info
    • String ID:
    • API String ID: 2577412497-0
    • Opcode ID: 677e11c7b63a391ba96a549571fefcec7e945d1715e062e6eeb52265d43f89aa
    • Instruction ID: 51aabe2e71bb3d85179e634133a9da655baa1935d8e998e1e03c918390b301c4
    • Opcode Fuzzy Hash: 677e11c7b63a391ba96a549571fefcec7e945d1715e062e6eeb52265d43f89aa
    • Instruction Fuzzy Hash: C731F2B0D483196ADB209FB68C8996EBEECFF04750F50452BE51DE7280DA78A5048FA1
    APIs
    • _memset.LIBCMT ref: 009EA28B
    • DestroyWindow.USER32(00000000,?), ref: 009EA305
      • Part of subcall function 00967D2C: _memmove.LIBCMT ref: 00967D66
    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 009EA37F
    • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 009EA3A1
    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 009EA3B4
    • DestroyWindow.USER32(00000000), ref: 009EA3D6
    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00960000,00000000), ref: 009EA40D
    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 009EA426
    • GetDesktopWindow.USER32 ref: 009EA43F
    • GetWindowRect.USER32(00000000), ref: 009EA446
    • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 009EA45E
    • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 009EA476
      • Part of subcall function 009625DB: GetWindowLongW.USER32(?,000000EB), ref: 009625EC
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
    • String ID: 0$tooltips_class32
    • API String ID: 1297703922-3619404913
    • Opcode ID: 2ac37c5c22c1409abee7a8fdcb31588c5e7fa58c8380f72aa8f4c57f50a0364e
    • Instruction ID: 9202d239f04da3f3ade2743589be9cea561e3ed5ca0852699bd5f4b11e07f74b
    • Opcode Fuzzy Hash: 2ac37c5c22c1409abee7a8fdcb31588c5e7fa58c8380f72aa8f4c57f50a0364e
    • Instruction Fuzzy Hash: 95717870554284AFD721DF28CC48F6677EAFB88704F04492DF9868B2B1D7B4AD06DB22
    APIs
      • Part of subcall function 00962612: GetWindowLongW.USER32(?,000000EB), ref: 00962623
    • DragQueryPoint.SHELL32(?,?), ref: 009EC691
      • Part of subcall function 009EAB69: ClientToScreen.USER32(?,?), ref: 009EAB92
      • Part of subcall function 009EAB69: GetWindowRect.USER32(?,?), ref: 009EAC08
      • Part of subcall function 009EAB69: PtInRect.USER32(?,?,009EC07E), ref: 009EAC18
    • SendMessageW.USER32(?,000000B0,?,?), ref: 009EC6FA
    • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 009EC705
    • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 009EC728
    • _wcscat.LIBCMT ref: 009EC758
    • SendMessageW.USER32(?,000000C2,00000001,?), ref: 009EC76F
    • SendMessageW.USER32(?,000000B0,?,?), ref: 009EC788
    • SendMessageW.USER32(?,000000B1,?,?), ref: 009EC79F
    • SendMessageW.USER32(?,000000B1,?,?), ref: 009EC7C1
    • DragFinish.SHELL32(?), ref: 009EC7C8
    • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 009EC8BB
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
    • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
    • API String ID: 169749273-3440237614
    • Opcode ID: 7841e84ab4f29cb802800d39a0ea88f35ea7f80735d8262c6e53ef43db4d15c1
    • Instruction ID: a2fa3ecb1f550bb8cd9a4fc2c7389acfacd42be345faf17caaf315979161e3d7
    • Opcode Fuzzy Hash: 7841e84ab4f29cb802800d39a0ea88f35ea7f80735d8262c6e53ef43db4d15c1
    • Instruction Fuzzy Hash: DF616A71508341AFC701EFA5DC95EABBBE8FFC8710F00092EF591961A1DB709A49CB92
    APIs
    • VariantInit.OLEAUT32(00000000), ref: 009C7E08
    • VariantCopy.OLEAUT32(00000000,?), ref: 009C7E11
    • VariantClear.OLEAUT32(00000000), ref: 009C7E1D
    • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 009C7F0B
    • __swprintf.LIBCMT ref: 009C7F3B
    • VarR8FromDec.OLEAUT32(?,?), ref: 009C7F67
    • VariantInit.OLEAUT32(?), ref: 009C8018
    • SysFreeString.OLEAUT32(00000016), ref: 009C80AC
    • VariantClear.OLEAUT32(?), ref: 009C8106
    • VariantClear.OLEAUT32(?), ref: 009C8115
    • VariantInit.OLEAUT32(00000000), ref: 009C8153
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
    • String ID: %4d%02d%02d%02d%02d%02d$Default
    • API String ID: 3730832054-3931177956
    • Opcode ID: f6c623ad6084dc5c869e046aa55edb155423b8341830e1ce7e1b3c68f2d6c62f
    • Instruction ID: d976313df7b84861dc806b0da93a96d7259a67d45c10a31637a45a709822e3b8
    • Opcode Fuzzy Hash: f6c623ad6084dc5c869e046aa55edb155423b8341830e1ce7e1b3c68f2d6c62f
    • Instruction Fuzzy Hash: CCD1B332E08515EBDB209FA5D888F6AF7B8BF44710F24849EE4059B2A1DB34DC44DF62
    APIs
    • CharUpperBuffW.USER32(?,?), ref: 009E448D
    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 009E44D8
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: BuffCharMessageSendUpper
    • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
    • API String ID: 3974292440-4258414348
    • Opcode ID: 6405197798689b2f6a7a3524dfcf92ab67a604b63238d14881746a15c618f550
    • Instruction ID: 6d0e31a03689766ef5a7d31646657cb1d6228584f793eb5ed7bbb312a3d15cb3
    • Opcode Fuzzy Hash: 6405197798689b2f6a7a3524dfcf92ab67a604b63238d14881746a15c618f550
    • Instruction Fuzzy Hash: 4091AF302047419FCB15EF11C9A1BAAB7E5AFD4714F04886CF8965B3A2DB34ED4ACB81
    APIs
    • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 009EB8E8
    • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,009E91F4), ref: 009EB944
    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 009EB97D
    • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 009EB9C0
    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 009EB9F7
    • FreeLibrary.KERNEL32(?), ref: 009EBA03
    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 009EBA13
    • DestroyIcon.USER32(?,?,?,?,?,009E91F4), ref: 009EBA22
    • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 009EBA3F
    • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 009EBA4B
      • Part of subcall function 0098307D: __wcsicmp_l.LIBCMT ref: 00983106
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
    • String ID: .dll$.exe$.icl
    • API String ID: 1212759294-1154884017
    • Opcode ID: 3a1685567f73151e138fadf2c95bf147465f3fba0d2479d6fad340f7c369e46a
    • Instruction ID: 47b651dc8177679a1d25667b8990e7d051951b4c6005a11039a447bf5e307000
    • Opcode Fuzzy Hash: 3a1685567f73151e138fadf2c95bf147465f3fba0d2479d6fad340f7c369e46a
    • Instruction Fuzzy Hash: F961DD71500649BAEB15DF65CC81BBF77ACFB08710F108126F915DA1D1DB75AE80DBA0
    APIs
    • GetLocalTime.KERNEL32(?), ref: 009CDD68
    • SystemTimeToFileTime.KERNEL32(?,?), ref: 009CDD78
    • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 009CDD84
    • __wsplitpath.LIBCMT ref: 009CDDE2
    • _wcscat.LIBCMT ref: 009CDDFA
    • _wcscat.LIBCMT ref: 009CDE0C
    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 009CDE21
    • SetCurrentDirectoryW.KERNEL32(?), ref: 009CDE35
    • SetCurrentDirectoryW.KERNEL32(?), ref: 009CDE67
    • SetCurrentDirectoryW.KERNEL32(?), ref: 009CDE88
    • _wcscpy.LIBCMT ref: 009CDE94
    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 009CDED3
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
    • String ID: *.*
    • API String ID: 3566783562-438819550
    • Opcode ID: 04ba54c1136ea136a83dcb96f2d73d356615ad4b952882d7fe4f245bc6c6a589
    • Instruction ID: 8b27171ffc54497ab97c04c092a7212702967ef0add0ef1a67d18b55cea29ad2
    • Opcode Fuzzy Hash: 04ba54c1136ea136a83dcb96f2d73d356615ad4b952882d7fe4f245bc6c6a589
    • Instruction Fuzzy Hash: 796129769082459FCB10EF64C894EAEB3E8FF89310F04492EF99987251DB35E945CB92
    APIs
    • LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 009C9D09
      • Part of subcall function 00967F41: _memmove.LIBCMT ref: 00967F82
    • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 009C9D2A
    • __swprintf.LIBCMT ref: 009C9D83
    • __swprintf.LIBCMT ref: 009C9D9C
    • _wprintf.LIBCMT ref: 009C9E43
    • _wprintf.LIBCMT ref: 009C9E61
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: LoadString__swprintf_wprintf$_memmove
    • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
    • API String ID: 311963372-3080491070
    • Opcode ID: 925ffad05cbb684abaa8d0b3f49e4c95a3f7e0b3cb58d18dff71fb7f8b038aa9
    • Instruction ID: 7f100dd31d2b2e0754f857a65f15e75fdd50e7636156372174a004abc61fea2a
    • Opcode Fuzzy Hash: 925ffad05cbb684abaa8d0b3f49e4c95a3f7e0b3cb58d18dff71fb7f8b038aa9
    • Instruction Fuzzy Hash: 84518C32D00609BACB25EBE4CD96FEEB778BF54300F104565B505720A2DB352F59DBA1
    APIs
      • Part of subcall function 00969997: __itow.LIBCMT ref: 009699C2
      • Part of subcall function 00969997: __swprintf.LIBCMT ref: 00969A0C
    • CharLowerBuffW.USER32(?,?), ref: 009CA455
    • GetDriveTypeW.KERNEL32 ref: 009CA4A2
    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009CA4EA
    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009CA521
    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009CA54F
      • Part of subcall function 00967D2C: _memmove.LIBCMT ref: 00967D66
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
    • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
    • API String ID: 2698844021-4113822522
    • Opcode ID: c4ceb26ab342eab77eba2dc6840632dc08dc87925ce6b630bdb6aff067e42148
    • Instruction ID: 8a1f469cab2450fc33b05dfa93611c1bc0d5f0b1234b79644bf430a86c216873
    • Opcode Fuzzy Hash: c4ceb26ab342eab77eba2dc6840632dc08dc87925ce6b630bdb6aff067e42148
    • Instruction Fuzzy Hash: 76514D715043049FC700EF24C991E6AB7E8FF98758F14896DF895972A1DB31EE09CB52
    APIs
    • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000002,?,0099E382,00000001,0000138C,00000001,00000002,00000001,?,00000000,00000002), ref: 009BFC10
    • LoadStringW.USER32(00000000,?,0099E382,00000001), ref: 009BFC19
      • Part of subcall function 00967F41: _memmove.LIBCMT ref: 00967F82
    • GetModuleHandleW.KERNEL32(00000000,00A25310,?,00000FFF,?,?,0099E382,00000001,0000138C,00000001,00000002,00000001,?,00000000,00000002,00000001), ref: 009BFC3B
    • LoadStringW.USER32(00000000,?,0099E382,00000001), ref: 009BFC3E
    • __swprintf.LIBCMT ref: 009BFC8E
    • __swprintf.LIBCMT ref: 009BFC9F
    • _wprintf.LIBCMT ref: 009BFD48
    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 009BFD5F
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
    • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
    • API String ID: 984253442-2268648507
    • Opcode ID: da84dd13255f4dd316ee1a5d45e6420a9eec311b720bff005181d1d90cd6580b
    • Instruction ID: b8fc5c9345cb83f1569eee616bb1b52dd29d1b018d4c389169f55d1de4a6ed97
    • Opcode Fuzzy Hash: da84dd13255f4dd316ee1a5d45e6420a9eec311b720bff005181d1d90cd6580b
    • Instruction Fuzzy Hash: 6C413D7280420DAACF15FBE0CE96EEEB778AF98700F500565F505760A2DB356F59CBA0
    APIs
    • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,009E9239,?,?), ref: 009EBA8A
    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,009E9239,?,?,00000000,?), ref: 009EBAA1
    • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,009E9239,?,?,00000000,?), ref: 009EBAAC
    • CloseHandle.KERNEL32(00000000,?,?,?,?,009E9239,?,?,00000000,?), ref: 009EBAB9
    • GlobalLock.KERNEL32(00000000), ref: 009EBAC2
    • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,009E9239,?,?,00000000,?), ref: 009EBAD1
    • GlobalUnlock.KERNEL32(00000000), ref: 009EBADA
    • CloseHandle.KERNEL32(00000000,?,?,?,?,009E9239,?,?,00000000,?), ref: 009EBAE1
    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,009E9239,?,?,00000000,?), ref: 009EBAF2
    • OleLoadPicture.OLEAUT32(?,00000000,00000000,009F2CAC,?), ref: 009EBB0B
    • GlobalFree.KERNEL32(00000000), ref: 009EBB1B
    • GetObjectW.GDI32(00000000,00000018,?), ref: 009EBB3F
    • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 009EBB6A
    • DeleteObject.GDI32(00000000), ref: 009EBB92
    • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 009EBBA8
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
    • String ID:
    • API String ID: 3840717409-0
    • Opcode ID: bff41f5b94a895b688111dcb23f9dfc9b424ffc88435b82d5f1e72e108f33ddb
    • Instruction ID: 701bfdc991a6194abc682f03a385f7d76ca7c7c001f18474ecc559d1fe0a10ae
    • Opcode Fuzzy Hash: bff41f5b94a895b688111dcb23f9dfc9b424ffc88435b82d5f1e72e108f33ddb
    • Instruction Fuzzy Hash: FE413975610249BFDB129F65DC98EAB7BBCEB89711F108069F909DB260D7309D00EB20
    APIs
    • __wsplitpath.LIBCMT ref: 009CDA9C
    • _wcscat.LIBCMT ref: 009CDAB4
    • _wcscat.LIBCMT ref: 009CDAC6
    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 009CDADB
    • SetCurrentDirectoryW.KERNEL32(?), ref: 009CDAEF
    • GetFileAttributesW.KERNEL32(?), ref: 009CDB07
    • SetFileAttributesW.KERNEL32(?,00000000), ref: 009CDB21
    • SetCurrentDirectoryW.KERNEL32(?), ref: 009CDB33
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
    • String ID: *.*
    • API String ID: 34673085-438819550
    • Opcode ID: beadaf501b7202fd16215200b5ba02735b3e1dc52bf5edb3cf496f6b07810a04
    • Instruction ID: f785dc3bf3579c042414b383d21d2f18b76a91d7a005e19994508f587f197a07
    • Opcode Fuzzy Hash: beadaf501b7202fd16215200b5ba02735b3e1dc52bf5edb3cf496f6b07810a04
    • Instruction Fuzzy Hash: F6814E729192419FCB24EF64C984E6AB7E8AB89314F184C3EF48ADB251D634ED44CB53
    APIs
      • Part of subcall function 00962612: GetWindowLongW.USER32(?,000000EB), ref: 00962623
    • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 009EC266
    • GetFocus.USER32 ref: 009EC276
    • GetDlgCtrlID.USER32(00000000), ref: 009EC281
    • _memset.LIBCMT ref: 009EC3AC
    • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 009EC3D7
    • GetMenuItemCount.USER32(?), ref: 009EC3F7
    • GetMenuItemID.USER32(?,00000000), ref: 009EC40A
    • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 009EC43E
    • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 009EC486
    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 009EC4BE
    • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 009EC4F3
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
    • String ID: 0
    • API String ID: 1296962147-4108050209
    • Opcode ID: 16fe7918683eac91683e21b5a7e84a423c914623c3779bc5d5007b8ce8df6415
    • Instruction ID: 6803b597d18864b4febfeb2f4d06694eb1c93f090238dcc0c1cbb5b9e0978e14
    • Opcode Fuzzy Hash: 16fe7918683eac91683e21b5a7e84a423c914623c3779bc5d5007b8ce8df6415
    • Instruction Fuzzy Hash: 23818DB1608381AFD712DF15C894A7BBBE9FB88314F00492EF995972A1D730DC06DB92
    APIs
    • GetDC.USER32(00000000), ref: 009D74A4
    • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 009D74B0
    • CreateCompatibleDC.GDI32(?), ref: 009D74BC
    • SelectObject.GDI32(00000000,?), ref: 009D74C9
    • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 009D751D
    • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 009D7559
    • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 009D757D
    • SelectObject.GDI32(00000006,?), ref: 009D7585
    • DeleteObject.GDI32(?), ref: 009D758E
    • DeleteDC.GDI32(00000006), ref: 009D7595
    • ReleaseDC.USER32(00000000,?), ref: 009D75A0
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
    • String ID: (
    • API String ID: 2598888154-3887548279
    • Opcode ID: 23f540f08418eb79cc526e2c827840a6d6b724cadec3361cf65a519c3b00d1b4
    • Instruction ID: b993db8e38c90b0d7bc30b3fd35dd524309dbff25ac4e10719832c700198dd6d
    • Opcode Fuzzy Hash: 23f540f08418eb79cc526e2c827840a6d6b724cadec3361cf65a519c3b00d1b4
    • Instruction Fuzzy Hash: C5513871908249AFCB25CFA8DC85EAEBBB9EF48710F14C42EF94997320D731AD408B50
    APIs
    • LoadStringW.USER32(00000066,?,00000FFF,009EFB78), ref: 009C9F1B
      • Part of subcall function 00967F41: _memmove.LIBCMT ref: 00967F82
    • LoadStringW.USER32(?,?,00000FFF,?), ref: 009C9F3D
    • __swprintf.LIBCMT ref: 009C9F96
    • __swprintf.LIBCMT ref: 009C9FAF
    • _wprintf.LIBCMT ref: 009CA065
    • _wprintf.LIBCMT ref: 009CA083
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: LoadString__swprintf_wprintf$_memmove
    • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
    • API String ID: 311963372-2391861430
    • Opcode ID: 51511e1de7d244bc6f7ebc41f40e0aa3114982d0dd669ea4fdeae97bb9da735e
    • Instruction ID: 910b9992264f40d632e32b6c78e39213923524f1662ffe4704ed1ceabc8e04aa
    • Opcode Fuzzy Hash: 51511e1de7d244bc6f7ebc41f40e0aa3114982d0dd669ea4fdeae97bb9da735e
    • Instruction Fuzzy Hash: 0C517932C00209BBCB25EBE0CD96FEEB778AF48344F104165F505621A2EB316F59DBA1
    APIs
      • Part of subcall function 009C9008: __time64.LIBCMT ref: 009C9012
      • Part of subcall function 00965045: _fseek.LIBCMT ref: 0096505D
    • __wsplitpath.LIBCMT ref: 009C92DD
      • Part of subcall function 0098426E: __wsplitpath_helper.LIBCMT ref: 009842AE
    • _wcscpy.LIBCMT ref: 009C92F0
    • _wcscat.LIBCMT ref: 009C9303
    • __wsplitpath.LIBCMT ref: 009C9328
    • _wcscat.LIBCMT ref: 009C933E
    • _wcscat.LIBCMT ref: 009C9351
      • Part of subcall function 009C904E: _memmove.LIBCMT ref: 009C9087
      • Part of subcall function 009C904E: _memmove.LIBCMT ref: 009C9096
    • _wcscmp.LIBCMT ref: 009C9298
      • Part of subcall function 009C97DD: _wcscmp.LIBCMT ref: 009C98CD
      • Part of subcall function 009C97DD: _wcscmp.LIBCMT ref: 009C98E0
    • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 009C94FB
    • _wcsncpy.LIBCMT ref: 009C956E
    • DeleteFileW.KERNEL32(?,?), ref: 009C95A4
    • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 009C95BA
    • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 009C95CB
    • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 009C95DD
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
    • String ID:
    • API String ID: 1500180987-0
    • Opcode ID: 83e87bc0d9bd49734c3c80b469dc3654be9a7f6e658139ea0c76d7463a5acd0d
    • Instruction ID: 620fa97989997f0d7755addfef96c267dd4fa3121eec948247b62a312260c44c
    • Opcode Fuzzy Hash: 83e87bc0d9bd49734c3c80b469dc3654be9a7f6e658139ea0c76d7463a5acd0d
    • Instruction Fuzzy Hash: 78C12AB1D00229AADF21DF95CD85FDEB7BDEF85310F0040AAF609E6251EB709A448F65
    APIs
      • Part of subcall function 00980AD7: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00966C6C,?,00008000), ref: 00980AF3
      • Part of subcall function 009648AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009648A1,?,?,009637C0,?), ref: 009648CE
    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00966D0D
    • SetCurrentDirectoryW.KERNEL32(?), ref: 00966E5A
      • Part of subcall function 009659CD: _wcscpy.LIBCMT ref: 00965A05
      • Part of subcall function 009837BD: _iswctype.LIBCMT ref: 009837C5
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
    • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
    • API String ID: 537147316-1018226102
    • Opcode ID: 5f7a7dc0e344477bae72337513a3507d2e6ad11ac2b90e7cd3b538cb5ec8340c
    • Instruction ID: 20541c16eb27a007325ba8ff330c16fa7297d91b2d08c5e1d567696dff59d91b
    • Opcode Fuzzy Hash: 5f7a7dc0e344477bae72337513a3507d2e6ad11ac2b90e7cd3b538cb5ec8340c
    • Instruction Fuzzy Hash: 86029B315083419FCB24EF64C891AAFBBE9BFD9314F04491DF49A972A1DB31D949CB42
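    The script-loading routine above references the strings ">>>AUTOIT SCRIPT<<<", "AU3!" and "EA06", the markers an analyst would look for when confirming that a binary carries an embedded AutoIt3 script. The Python below is an added triage check, not code from this report or from the analysed sample: it scans a byte buffer for those three strings in ASCII and UTF-16LE, reads the 4-byte token following each "AU3!", and returns a heuristic verdict. Treating "AU3!" plus a version token such as "EA06" as the script header is an assumption drawn from public AutoIt3 tooling, and the sample buffers are constructed for the demonstration; the report itself only lists the strings.

    ```python
    """Triage scan for AutoIt compiled-script markers in a PE image.

    Added example; not code from the Joe Sandbox report or from the analysed
    sample. The three strings searched for are the ones the report lists for
    the script-loading routine. Interpreting "AU3!" + 4-byte version token as
    the script header is an assumption, not something the report states.
    """
    from __future__ import annotations

    import re
    import sys
    from dataclasses import dataclass

    SCRIPT_TAG = b">>>AUTOIT SCRIPT<<<"
    AU3_MAGIC = b"AU3!"
    KNOWN_VERSION_TOKENS = {b"EA06"}  # the token the report's string table shows


    @dataclass(frozen=True)
    class Hit:
        name: str
        offset: int
        encoding: str  # "ascii" or "utf16le"


    def _encodings(marker: bytes):
        """Yield (label, needle) for the ASCII form and its UTF-16LE form."""
        yield "ascii", marker
        yield "utf16le", marker.decode("ascii").encode("utf-16-le")


    def find_script_tags(data: bytes) -> list[Hit]:
        """All occurrences of the '>>>AUTOIT SCRIPT<<<' tag in either encoding."""
        hits = []
        for enc, needle in _encodings(SCRIPT_TAG):
            for m in re.finditer(re.escape(needle), data):
                hits.append(Hit("script_tag", m.start(), enc))
        return sorted(hits, key=lambda h: h.offset)


    def find_au3_headers(data: bytes) -> list[tuple[int, bytes]]:
        """Each ASCII 'AU3!' with the 4 bytes that follow it (the version token)."""
        headers = []
        for m in re.finditer(re.escape(AU3_MAGIC), data):
            token = data[m.end():m.end() + 4]
            headers.append((m.start(), token))
        return headers


    def looks_like_compiled_autoit(data: bytes) -> bool:
        """Heuristic verdict: script tag present, or AU3! with a known version token.

        A hit is a triage indicator only: the AutoIt interpreter itself carries
        these strings, so a benign AutoIt-compiled program matches as well.
        """
        if find_script_tags(data):
            return True
        return any(tok in KNOWN_VERSION_TOKENS for _, tok in find_au3_headers(data))


    # Constructed buffers (not bytes from the analysed file): a fake image with
    # the UTF-16LE tag in a string table plus an ASCII header, and a clean image.
    SAMPLE = (
        b"MZ" + b"\x00" * 62
        + SCRIPT_TAG.decode("ascii").encode("utf-16-le")
        + b"\x00" * 16
        + AU3_MAGIC + b"EA06" + b"\x01\x02\x03\x04"
    )
    CLEAN = b"MZ" + b"\x00" * 200 + b"ordinary program text"


    def report(data: bytes) -> str:
        """Human-readable summary for one buffer."""
        lines = [f"{h.name} @ 0x{h.offset:x} ({h.encoding})" for h in find_script_tags(data)]
        lines += [f"AU3! @ 0x{off:x} version={tok!r}" for off, tok in find_au3_headers(data)]
        verdict = "likely compiled AutoIt" if looks_like_compiled_autoit(data) else "no AutoIt markers"
        return "\n".join(lines + [verdict])


    if __name__ == "__main__":
        # Usage: python autoit_markers.py <file.exe>; with no argument the constructed SAMPLE is scanned.
        path = sys.argv[1] if len(sys.argv) > 1 else None
        buf = open(path, "rb").read() if path else SAMPLE
        print(report(buf))
    ```

    Run it against the dumped image rather than only the on-disk file when the sample is packed: the report's memory dumps are where the interpreter's string table is visible in clear. Both encodings are scanned because the interpreter is a Unicode build, so constants in its .rdata are UTF-16LE while the script header written by the compiler is ASCII.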
    APIs
    • _memset.LIBCMT ref: 009645F9
    • GetMenuItemCount.USER32(00A25890), ref: 0099D6FD
    • GetMenuItemCount.USER32(00A25890), ref: 0099D7AD
    • GetCursorPos.USER32(?), ref: 0099D7F1
    • SetForegroundWindow.USER32(00000000), ref: 0099D7FA
    • TrackPopupMenuEx.USER32(00A25890,00000000,?,00000000,00000000,00000000), ref: 0099D80D
    • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0099D819
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
    • String ID:
    • API String ID: 2751501086-0
    • Opcode ID: 11701373dfdd6e1a99be46ce1590012892909da7fd6108a8904b5424a4bf719d
    • Instruction ID: 19a5e4d48623e34db99de7375826213b32a7af16560853020c2aa846595d3288
    • Opcode Fuzzy Hash: 11701373dfdd6e1a99be46ce1590012892909da7fd6108a8904b5424a4bf719d
    • Instruction Fuzzy Hash: 76711570605249BFEF209FA8DC89FAABF68FF45364F100216F518AA1E0CBB55C10DB50
    APIs
    • CharUpperBuffW.USER32(?,?,?,?,?,?,?,009DFE38,?,?), ref: 009E0EBC
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: BuffCharUpper
    • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
    • API String ID: 3964851224-909552448
    • Opcode ID: e8aac5419aa7e6e5933146e9730cf8130142178a27dd66bf3f131a5b85463fbc
    • Instruction ID: 9b17a5306334080cd3e270484ebbeaa9b288eb8e45db15c7f73162ad7cad9cca
    • Opcode Fuzzy Hash: e8aac5419aa7e6e5933146e9730cf8130142178a27dd66bf3f131a5b85463fbc
    • Instruction Fuzzy Hash: A1418E3010028A8BCF21EF51D8E1AEF3725FFA5310F544869FCA15B292DB759D9ACB60
    APIs
    • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0099E5F9,00000010,?,Bad directive syntax error,009EF910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 009BFAF3
    • LoadStringW.USER32(00000000,?,0099E5F9,00000010), ref: 009BFAFA
      • Part of subcall function 00967F41: _memmove.LIBCMT ref: 00967F82
    • _wprintf.LIBCMT ref: 009BFB2D
    • __swprintf.LIBCMT ref: 009BFB4F
    • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 009BFBBE
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
    • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
    • API String ID: 1506413516-4153970271
    • Opcode ID: 4173fe936f510e27936b79accf738de44287e1ca1e13cbd1642beb8dcd702484
    • Instruction ID: b26600ac575560e9c3d36ea9267d7c55c291b9b9678fcb5914a81a3c8b91c6e6
    • Opcode Fuzzy Hash: 4173fe936f510e27936b79accf738de44287e1ca1e13cbd1642beb8dcd702484
    • Instruction Fuzzy Hash: 9F21623280421EFBCF22EF90CC66FEE7739BF14704F044866F515660A2DA759A68DB50
    APIs
      • Part of subcall function 00967D2C: _memmove.LIBCMT ref: 00967D66
      • Part of subcall function 00967A84: _memmove.LIBCMT ref: 00967B0D
    • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 009C53D7
    • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 009C53ED
    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009C53FE
    • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 009C5410
    • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 009C5421
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: SendString$_memmove
    • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
    • API String ID: 2279737902-1007645807
    • Opcode ID: f146601b3bb4e5b6aeeab32469ce1464c38ba945ad49522d4b0b3cb73846d415
    • Instruction ID: 1a8a054c4771aa2901fe7e5ab6a9528e58e8a0680e7ea517b52143ac0ced3880
    • Opcode Fuzzy Hash: f146601b3bb4e5b6aeeab32469ce1464c38ba945ad49522d4b0b3cb73846d415
    • Instruction Fuzzy Hash: 11119121E5016979D724F7A1CC9AEFFBB7CFBD5B44F400829B411A20E1DEA01D85C5A1
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
    • String ID: 0.0.0.0
    • API String ID: 208665112-3771769585
    • Opcode ID: c13b15c0fb4a436b11ecb348c6de4b167b2e48d82c3864a14b1075df626cbb13
    • Instruction ID: 1ee74eb722666006c8567422747bf3bf7640593d9404995854eed9a3d19046ce
    • Opcode Fuzzy Hash: c13b15c0fb4a436b11ecb348c6de4b167b2e48d82c3864a14b1075df626cbb13
    • Instruction Fuzzy Hash: 26112731A081146FCB20B720DC9AFDA77BCDF82710F0101BAF50596191EF759E818761
    APIs
    • timeGetTime.WINMM ref: 009C5021
      • Part of subcall function 0098034A: timeGetTime.WINMM(?,7707B400,00970FDB), ref: 0098034E
    • Sleep.KERNEL32(0000000A), ref: 009C504D
    • EnumThreadWindows.USER32(?,Function_00064FCF,00000000), ref: 009C5071
    • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 009C5093
    • SetActiveWindow.USER32 ref: 009C50B2
    • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 009C50C0
    • SendMessageW.USER32(00000010,00000000,00000000), ref: 009C50DF
    • Sleep.KERNEL32(000000FA), ref: 009C50EA
    • IsWindow.USER32 ref: 009C50F6
    • EndDialog.USER32(00000000), ref: 009C5107
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
    • String ID: BUTTON
    • API String ID: 1194449130-3405671355
    • Opcode ID: e35696ad3fd6baaa293438d8c279ce87765d71ccbb817541ff815aeafe864b12
    • Instruction ID: 1d99e257e567a7fccff800ac04e43ef6c521361fa3849989ba5899b12f33d222
    • Opcode Fuzzy Hash: e35696ad3fd6baaa293438d8c279ce87765d71ccbb817541ff815aeafe864b12
    • Instruction Fuzzy Hash: 03218070619A44AFE7209FA4ECD9F353B69E784789B05103DF406851B1DB319D829B62
    APIs
      • Part of subcall function 00969997: __itow.LIBCMT ref: 009699C2
      • Part of subcall function 00969997: __swprintf.LIBCMT ref: 00969A0C
    • CoInitialize.OLE32(00000000), ref: 009CD676
    • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 009CD709
    • SHGetDesktopFolder.SHELL32(?), ref: 009CD71D
    • CoCreateInstance.OLE32(009F2D7C,00000000,00000001,00A18C1C,?), ref: 009CD769
    • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 009CD7D8
    • CoTaskMemFree.OLE32(?,?), ref: 009CD830
    • _memset.LIBCMT ref: 009CD86D
    • SHBrowseForFolderW.SHELL32(?), ref: 009CD8A9
    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 009CD8CC
    • CoTaskMemFree.OLE32(00000000), ref: 009CD8D3
    • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 009CD90A
    • CoUninitialize.OLE32(00000001,00000000), ref: 009CD90C
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
    • String ID:
    • API String ID: 1246142700-0
    • Opcode ID: caf1b0d0f5406e3db09f5dac18aa46582f9c9054320dafcfca2d69feef3c8960
    • Instruction ID: 1c8f07a3d7c9cbeeadc9ffdcdf002873cbc279689b1e366185c88cf6e526f0b7
    • Opcode Fuzzy Hash: caf1b0d0f5406e3db09f5dac18aa46582f9c9054320dafcfca2d69feef3c8960
    • Instruction Fuzzy Hash: B2B1FF75A00109AFDB14DFA4C898EAEBBF9FF88314B148469F509DB261DB30ED45CB51
    APIs
    • GetKeyboardState.USER32(?), ref: 009C03C8
    • SetKeyboardState.USER32(?), ref: 009C0433
    • GetAsyncKeyState.USER32(000000A0), ref: 009C0453
    • GetKeyState.USER32(000000A0), ref: 009C046A
    • GetAsyncKeyState.USER32(000000A1), ref: 009C0499
    • GetKeyState.USER32(000000A1), ref: 009C04AA
    • GetAsyncKeyState.USER32(00000011), ref: 009C04D6
    • GetKeyState.USER32(00000011), ref: 009C04E4
    • GetAsyncKeyState.USER32(00000012), ref: 009C050D
    • GetKeyState.USER32(00000012), ref: 009C051B
    • GetAsyncKeyState.USER32(0000005B), ref: 009C0544
    • GetKeyState.USER32(0000005B), ref: 009C0552
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: State$Async$Keyboard
    • String ID:
    • API String ID: 541375521-0
    • Opcode ID: c32f7c61aa766c2008ff07c73d82a1ea341a5e0a11955970a87150e7d9cd1bb7
    • Instruction ID: 0c67df0945ebf368d4fa2bfeed0ddcfb451a54a09e64dd7a62df9288aca0d8ff
    • Opcode Fuzzy Hash: c32f7c61aa766c2008ff07c73d82a1ea341a5e0a11955970a87150e7d9cd1bb7
    • Instruction Fuzzy Hash: 4251BB20D087C49AFB35DBA58411FAEBFB85F81340F48459E95C2561C3DA649B4CCB63
    APIs
    • GetDlgItem.USER32(?,00000001), ref: 009BC545
    • GetWindowRect.USER32(00000000,?), ref: 009BC557
    • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 009BC5B5
    • GetDlgItem.USER32(?,00000002), ref: 009BC5C0
    • GetWindowRect.USER32(00000000,?), ref: 009BC5D2
    • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 009BC626
    • GetDlgItem.USER32(?,000003E9), ref: 009BC634
    • GetWindowRect.USER32(00000000,?), ref: 009BC645
    • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 009BC688
    • GetDlgItem.USER32(?,000003EA), ref: 009BC696
    • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 009BC6B3
    • InvalidateRect.USER32(?,00000000,00000001), ref: 009BC6C0
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Window$ItemMoveRect$Invalidate
    • String ID:
    • API String ID: 3096461208-0
    • Opcode ID: ea2fe696ed8f01f2cb743a5a4a388c2dbf43328dd7907243088bbf017eb0e257
    • Instruction ID: 1465aa4abc6957f84477f6ca571b3443b438ba6f1a1d203bb0426e298e2bcf33
    • Opcode Fuzzy Hash: ea2fe696ed8f01f2cb743a5a4a388c2dbf43328dd7907243088bbf017eb0e257
    • Instruction Fuzzy Hash: 6B5163B1B10205AFDF18CFA9DD99EAEBBBAEB88710F14812DF515D7290D7B09D008B50
    APIs
      • Part of subcall function 00961B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00962036,?,00000000,?,?,?,?,009616CB,00000000,?), ref: 00961B9A
    • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 009620D3
    • KillTimer.USER32(-00000001,?,?,?,?,009616CB,00000000,?,?,00961AE2,?,?), ref: 0096216E
    • DestroyAcceleratorTable.USER32(00000000), ref: 0099BE26
    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,009616CB,00000000,?,?,00961AE2,?,?), ref: 0099BE57
    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,009616CB,00000000,?,?,00961AE2,?,?), ref: 0099BE6E
    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,009616CB,00000000,?,?,00961AE2,?,?), ref: 0099BE8A
    • DeleteObject.GDI32(00000000), ref: 0099BE9C
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
    • String ID:
    • API String ID: 641708696-0
    • Opcode ID: 2fd5ebd298215055b849dacd886caede42e66717d59eb696f5cbd3178f713b6e
    • Instruction ID: b72d9392bb6e93efa95ab994fc3dc6f261a4fee4b95b29d601882204131f2686
    • Opcode Fuzzy Hash: 2fd5ebd298215055b849dacd886caede42e66717d59eb696f5cbd3178f713b6e
    • Instruction Fuzzy Hash: D5618D31919A50EFCB35DF68D948B3977F5FB40312F108829E5429A960C779AC92EF90
    APIs
      • Part of subcall function 009625DB: GetWindowLongW.USER32(?,000000EB), ref: 009625EC
    • GetSysColor.USER32(0000000F), ref: 009621D3
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: ColorLongWindow
    • String ID:
    • API String ID: 259745315-0
    • Opcode ID: ff4a7a0537e51159a749cc2c21da024ed6632a3914b74d8990ecf2c24a3738af
    • Instruction ID: cd7835b380cd2c8fb9d4442fde7921df46dc0f74d2c43f77893338b05a4c537d
    • Opcode Fuzzy Hash: ff4a7a0537e51159a749cc2c21da024ed6632a3914b74d8990ecf2c24a3738af
    • Instruction Fuzzy Hash: EB419F31009944DBDF295F28ECA8BB93B69EB46731F148266FD658E1E1C7318D42EB21
    APIs
    • CharLowerBuffW.USER32(?,?,009EF910), ref: 009CA995
    • GetDriveTypeW.KERNEL32(00000061,00A189A0,00000061), ref: 009CAA5F
    • _wcscpy.LIBCMT ref: 009CAA89
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: BuffCharDriveLowerType_wcscpy
    • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
    • API String ID: 2820617543-1000479233
    • Opcode ID: 76124d9ef9c3587beb8d486ece865288ecd2d562b80571720b9f7ab27d037319
    • Instruction ID: c4efebd612e24976d27f8e57fe679ee50c2cfe4d32f9b2a33700f7f359069780
    • Opcode Fuzzy Hash: 76124d9ef9c3587beb8d486ece865288ecd2d562b80571720b9f7ab27d037319
    • Instruction Fuzzy Hash: 8551BB305083059BC710EF14C9D2FAAB7AAEFD4308F14482DF4A65B2A2DB309D49CB53
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: __i64tow__itow__swprintf
    • String ID: %.15g$0x%p$False$True
    • API String ID: 421087845-2263619337
    • Opcode ID: a85e8819d6e8dff0d7350d24ad311a54328281f97fa6b6d03ca3824f1f25f4a3
    • Instruction ID: 8b02735cba9f2f6fd25464c1aa5a98ddf25a0ddb2d6bf7d3eae52697192c6539
    • Opcode Fuzzy Hash: a85e8819d6e8dff0d7350d24ad311a54328281f97fa6b6d03ca3824f1f25f4a3
    • Instruction Fuzzy Hash: 4841D431504205AEDF24AB78D842F7AB3ECEF84310F2088AEE54AD7291EA359941C711
    APIs
    • _memset.LIBCMT ref: 009E719C
    • CreateMenu.USER32 ref: 009E71B7
    • SetMenu.USER32(?,00000000), ref: 009E71C6
    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009E7253
    • IsMenu.USER32(?), ref: 009E7269
    • CreatePopupMenu.USER32 ref: 009E7273
    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 009E72A0
    • DrawMenuBar.USER32 ref: 009E72A8
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
    • String ID: 0$F
    • API String ID: 176399719-3044882817
    • Opcode ID: 59e4b4f3c25852812ad8d03eef6a9d5cd8e03d2eb4c44a03e99d4bf5ba5773e3
    • Instruction ID: f31f2624a255bc5cf2cf194ead343eca396e483b2a14f460d6cab41684ed5195
    • Opcode Fuzzy Hash: 59e4b4f3c25852812ad8d03eef6a9d5cd8e03d2eb4c44a03e99d4bf5ba5773e3
    • Instruction Fuzzy Hash: 90416974A04245EFDB21DFA5D884AAABBF9FF49300F144129FA15A7360DB31AD10DFA1
    APIs
    • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 009E7590
    • CreateCompatibleDC.GDI32(00000000), ref: 009E7597
    • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 009E75AA
    • SelectObject.GDI32(00000000,00000000), ref: 009E75B2
    • GetPixel.GDI32(00000000,00000000,00000000), ref: 009E75BD
    • DeleteDC.GDI32(00000000), ref: 009E75C6
    • GetWindowLongW.USER32(?,000000EC), ref: 009E75D0
    • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 009E75E4
    • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 009E75F0
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
    • String ID: static
    • API String ID: 2559357485-2160076837
    • Opcode ID: 58e252746536409b3989807a0cf7ff7c2393abacf231ec2bd5cf839463a6cfa1
    • Instruction ID: 7dac0b06484cf57d8579a3e4de2cbf469a3709e3961164295d4a1ab811cb93b1
    • Opcode Fuzzy Hash: 58e252746536409b3989807a0cf7ff7c2393abacf231ec2bd5cf839463a6cfa1
    • Instruction Fuzzy Hash: 6F318D32118299BBDF129FA5DC48FEB3B69FF09721F100225FA15A60A0CB31DC11EB60
    APIs
    • _memset.LIBCMT ref: 00986FBB
      • Part of subcall function 00988CA8: __getptd_noexit.LIBCMT ref: 00988CA8
    • __gmtime64_s.LIBCMT ref: 00987054
    • __gmtime64_s.LIBCMT ref: 0098708A
    • __gmtime64_s.LIBCMT ref: 009870A7
    • __allrem.LIBCMT ref: 009870FD
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00987119
    • __allrem.LIBCMT ref: 00987130
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0098714E
    • __allrem.LIBCMT ref: 00987165
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00987183
    • __invoke_watson.LIBCMT ref: 009871F4
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
    • String ID:
    • API String ID: 384356119-0
    • Opcode ID: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
    • Instruction ID: 1e15b4ea536bc93ee71804a01e992659b88a28b89fc950e232d36233311e69f6
    • Opcode Fuzzy Hash: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
    • Instruction Fuzzy Hash: 3771E972A04716ABEB14BEBDDC81F6AF3A8AF54324F244239F514DB781E774E9408790
    APIs
    • _memset.LIBCMT ref: 009C283A
    • GetMenuItemInfoW.USER32(00A25890,000000FF,00000000,00000030), ref: 009C289B
    • SetMenuItemInfoW.USER32(00A25890,00000004,00000000,00000030), ref: 009C28D1
    • Sleep.KERNEL32(000001F4), ref: 009C28E3
    • GetMenuItemCount.USER32(?), ref: 009C2927
    • GetMenuItemID.USER32(?,00000000), ref: 009C2943
    • GetMenuItemID.USER32(?,-00000001), ref: 009C296D
    • GetMenuItemID.USER32(?,?), ref: 009C29B2
    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 009C29F8
    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009C2A0C
    • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009C2A2D
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
    • String ID:
    • API String ID: 4176008265-0
    • Opcode ID: 79e946615f5bfa9763cc63444859c181661e49f63180be5ef2bcf3109447ca94
    • Instruction ID: 3ad7f38d223e973a5dd438c84c4c392ed7f67934b94142dfcc2bd1f0e038bdf4
    • Opcode Fuzzy Hash: 79e946615f5bfa9763cc63444859c181661e49f63180be5ef2bcf3109447ca94
    • Instruction Fuzzy Hash: E2618F70D14249AFDB21CFA4C988FBE7BB9EB45304F14046DF842A7291DB31AD06DB22
    APIs
    • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 009E6FD7
    • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 009E6FDA
    • GetWindowLongW.USER32(?,000000F0), ref: 009E6FFE
    • _memset.LIBCMT ref: 009E700F
    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 009E7021
    • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 009E7099
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: MessageSend$LongWindow_memset
    • String ID:
    • API String ID: 830647256-0
    • Opcode ID: 5ed91e07e0839688613360d8c824f7dba3c2e78ba33f32e74494f403ed37fe67
    • Instruction ID: 9ffeac78631651e04bbdc2c6d83a72813004902a99959bf27fab783ca6f75b48
    • Opcode Fuzzy Hash: 5ed91e07e0839688613360d8c824f7dba3c2e78ba33f32e74494f403ed37fe67
    • Instruction Fuzzy Hash: BD616C75904248AFDB11DFA8CC81EEEB7F8FB49710F104569FA15AB2A1C770AD42DB60
    APIs
    • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 009B6F15
    • SafeArrayAllocData.OLEAUT32(?), ref: 009B6F6E
    • VariantInit.OLEAUT32(?), ref: 009B6F80
    • SafeArrayAccessData.OLEAUT32(?,?), ref: 009B6FA0
    • VariantCopy.OLEAUT32(?,?), ref: 009B6FF3
    • SafeArrayUnaccessData.OLEAUT32(?), ref: 009B7007
    • VariantClear.OLEAUT32(?), ref: 009B701C
    • SafeArrayDestroyData.OLEAUT32(?), ref: 009B7029
    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 009B7032
    • VariantClear.OLEAUT32(?), ref: 009B7044
    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 009B704F
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
    • String ID:
    • API String ID: 2706829360-0
    • Opcode ID: 20109a77c95dda32dbe2da3fcd6765390f8749f1c3096f5516443aadefd688b5
    • Instruction ID: 9ff9a147404d0518e1a83d278685c93342fe1f2dda31c87392f99b4015e7d835
    • Opcode Fuzzy Hash: 20109a77c95dda32dbe2da3fcd6765390f8749f1c3096f5516443aadefd688b5
    • Instruction Fuzzy Hash: B94161319041199FCF00EFA4D998DEEBBB9EF48310F00806AE915AB2A1DB34AD45DB90
    APIs
    • WSAStartup.WSOCK32(00000101,?), ref: 009D58A9
    • inet_addr.WSOCK32(?,?,?), ref: 009D58EE
    • gethostbyname.WSOCK32(?), ref: 009D58FA
    • IcmpCreateFile.IPHLPAPI ref: 009D5908
    • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 009D5978
    • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 009D598E
    • IcmpCloseHandle.IPHLPAPI(00000000), ref: 009D5A03
    • WSACleanup.WSOCK32 ref: 009D5A09
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
    • String ID: Ping
    • API String ID: 1028309954-2246546115
    • Opcode ID: 151a8ad144b712ab2569040c3593fcd78c7d9be9a81e120f7b23c0e5321fe99b
    • Instruction ID: d7a939b3633078708e0167b382dabd7fefb5c0276a21c96dedf88a30dea7d3c5
    • Opcode Fuzzy Hash: 151a8ad144b712ab2569040c3593fcd78c7d9be9a81e120f7b23c0e5321fe99b
    • Instruction Fuzzy Hash: EF514D31644701DFDB20AF64CC95B2AB7E4EB88720F15892AF996DB3A1DB74ED00DB41
    APIs
    • SetErrorMode.KERNEL32(00000001), ref: 009CB55C
    • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 009CB5D2
    • GetLastError.KERNEL32 ref: 009CB5DC
    • SetErrorMode.KERNEL32(00000000,READY), ref: 009CB649
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Error$Mode$DiskFreeLastSpace
    • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
    • API String ID: 4194297153-14809454
    • Opcode ID: d322f16c891deb53cb6dc68563a8a8df84a1c514eea70604f54aebb7fdb4ecb3
    • Instruction ID: 37b9a09edd31c153412f24a16ec42b4b99167430af0b75a895ceaa9af38a53b1
    • Opcode Fuzzy Hash: d322f16c891deb53cb6dc68563a8a8df84a1c514eea70604f54aebb7fdb4ecb3
    • Instruction Fuzzy Hash: 7531AF75E08209AFDB00DFA4C986FADB7B8FF44350F14842AF5019B291DB749E41CB92
    APIs
      • Part of subcall function 00967F41: _memmove.LIBCMT ref: 00967F82
      • Part of subcall function 009BAEA4: GetClassNameW.USER32(?,?,000000FF), ref: 009BAEC7
    • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 009B92D6
    • GetDlgCtrlID.USER32 ref: 009B92E1
    • GetParent.USER32 ref: 009B92FD
    • SendMessageW.USER32(00000000,?,00000111,?), ref: 009B9300
    • GetDlgCtrlID.USER32(?), ref: 009B9309
    • GetParent.USER32(?), ref: 009B9325
    • SendMessageW.USER32(00000000,?,?,00000111), ref: 009B9328
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: MessageSend$CtrlParent$ClassName_memmove
    • String ID: ComboBox$ListBox
    • API String ID: 1536045017-1403004172
    • Opcode ID: 182b97e8bc286e6985a0af5527a308c76b0d96e5c45c63d7ae7768ac8afafaaa
    • Instruction ID: 2a30faee7208d352d4d1fa0879d47ec4ca8296f782ad8e3029f8ae07a33ad3ed
    • Opcode Fuzzy Hash: 182b97e8bc286e6985a0af5527a308c76b0d96e5c45c63d7ae7768ac8afafaaa
    • Instruction Fuzzy Hash: CC210370E04248BBCF00ABA4CCD5EFEBBB8EF89310F100166B961972E1DB795915DA20
    APIs
      • Part of subcall function 00967F41: _memmove.LIBCMT ref: 00967F82
      • Part of subcall function 009BAEA4: GetClassNameW.USER32(?,?,000000FF), ref: 009BAEC7
    • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 009B93BF
    • GetDlgCtrlID.USER32 ref: 009B93CA
    • GetParent.USER32 ref: 009B93E6
    • SendMessageW.USER32(00000000,?,00000111,?), ref: 009B93E9
    • GetDlgCtrlID.USER32(?), ref: 009B93F2
    • GetParent.USER32(?), ref: 009B940E
    • SendMessageW.USER32(00000000,?,?,00000111), ref: 009B9411
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: MessageSend$CtrlParent$ClassName_memmove
    • String ID: ComboBox$ListBox
    • API String ID: 1536045017-1403004172
    • Opcode ID: 2c089d8c4f3ef5148812acb316af0b50e946e19fdf4c4fb5930432ea8a260fac
    • Instruction ID: 569fa3a415b5e62499054021e414a8d26f8cc22b27eb91e35a65784ab16b8aab
    • Opcode Fuzzy Hash: 2c089d8c4f3ef5148812acb316af0b50e946e19fdf4c4fb5930432ea8a260fac
    • Instruction Fuzzy Hash: BF214970A04248BBCF00ABA4CCD5FFEBBB8EF84310F104026F911971A2DB798915DB20
    APIs
    • GetParent.USER32 ref: 009B9431
    • GetClassNameW.USER32(00000000,?,00000100), ref: 009B9446
    • _wcscmp.LIBCMT ref: 009B9458
    • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 009B94D3
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: ClassMessageNameParentSend_wcscmp
    • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
    • API String ID: 1704125052-3381328864
    • Opcode ID: b8a6adaf55c89b95d14066c01571065f289172c2cf718f7383f63ae2381cd582
    • Instruction ID: 116452ee5eaa11be267b484be3272f799a1cd46d0278f67e2db34299e30e04b0
    • Opcode Fuzzy Hash: b8a6adaf55c89b95d14066c01571065f289172c2cf718f7383f63ae2381cd582
    • Instruction Fuzzy Hash: 0C110A3A25C32ABAF6102A24AD07DEA37AD9B05730B208027FA05A41F1FEA259525694
    APIs
    • VariantInit.OLEAUT32(?), ref: 009D89EC
    • CoInitialize.OLE32(00000000), ref: 009D8A19
    • CoUninitialize.OLE32 ref: 009D8A23
    • GetRunningObjectTable.OLE32(00000000,?), ref: 009D8B23
    • SetErrorMode.KERNEL32(00000001,00000029), ref: 009D8C50
    • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,009F2C0C), ref: 009D8C84
    • CoGetObject.OLE32(?,00000000,009F2C0C,?), ref: 009D8CA7
    • SetErrorMode.KERNEL32(00000000), ref: 009D8CBA
    • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 009D8D3A
    • VariantClear.OLEAUT32(?), ref: 009D8D4A
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
    • String ID:
    • API String ID: 2395222682-0
    • Opcode ID: b7b60f77380ea09ab7dcc82b2342567f52c62eca290f1c8be67051e1b8d1e802
    • Instruction ID: 6aab8b99e71a3de0c9159b108ef2e6cde8257ee4f3da7e6435b48c247a6f9b23
    • Opcode Fuzzy Hash: b7b60f77380ea09ab7dcc82b2342567f52c62eca290f1c8be67051e1b8d1e802
    • Instruction Fuzzy Hash: 6EC1F4B1608305AFD700DF64C884A2BB7E9FF89748F04895EF58A9B291DB71ED05CB52
    APIs
    • SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 009C7B15
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: ArraySafeVartype
    • String ID:
    • API String ID: 1725837607-0
    • Opcode ID: a4f8ad26e8405c9219fd0bdce4e1a6c886dbed34be8d7fa3cf7fe3010355a188
    • Instruction ID: 959ca6c8c301988f8654607ce45a12c9b6401cd6b3c58a010a54350859fdef8f
    • Opcode Fuzzy Hash: a4f8ad26e8405c9219fd0bdce4e1a6c886dbed34be8d7fa3cf7fe3010355a188
    • Instruction Fuzzy Hash: 7FB18C71D0821A9FDB10DFE4C895BBEB7B8EF48321F24446DE501AB291D734A945CFA2
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 009C1521
    • GetForegroundWindow.USER32(00000000,?,?,?,?,?,009C0599,?,00000001), ref: 009C1535
    • GetWindowThreadProcessId.USER32(00000000), ref: 009C153C
    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,009C0599,?,00000001), ref: 009C154B
    • GetWindowThreadProcessId.USER32(?,00000000), ref: 009C155D
    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,009C0599,?,00000001), ref: 009C1576
    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,009C0599,?,00000001), ref: 009C1588
    • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,009C0599,?,00000001), ref: 009C15CD
    • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,009C0599,?,00000001), ref: 009C15E2
    • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,009C0599,?,00000001), ref: 009C15ED
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Thread$AttachInput$Window$Process$CurrentForeground
    • String ID:
    • API String ID: 2156557900-0
    • Opcode ID: ed1eed9040ceb2b6a218559831a46ce1c5e5b566e64b669f9b7ede6f7106def4
    • Instruction ID: e95dad43e87907832e73cadd1e5c1c50f728111be8b43287d3fc5e65cdf1c552
    • Opcode Fuzzy Hash: ed1eed9040ceb2b6a218559831a46ce1c5e5b566e64b669f9b7ede6f7106def4
    • Instruction Fuzzy Hash: 7231D171901248BFDF20DF98ED84F7937ADAF85351F10402AF801CA1A1D7749D429B65
    APIs
    • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0096FC06
    • OleUninitialize.OLE32(?,00000000), ref: 0096FCA5
    • UnregisterHotKey.USER32(?), ref: 0096FDFC
    • DestroyWindow.USER32(?), ref: 009A492F
    • FreeLibrary.KERNEL32(?), ref: 009A4994
    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 009A49C1
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
    • String ID: close all
    • API String ID: 469580280-3243417748
    • Opcode ID: 4056a14c5d71c6a338d9ac89e6af1e55cecebe351d95dd33b250e8c57e6fe7c0
    • Instruction ID: 4147f4b6f35cebf33de4ff503d557f2c6ac06fb6aa0ab03173dbc0861c589dae
    • Opcode Fuzzy Hash: 4056a14c5d71c6a338d9ac89e6af1e55cecebe351d95dd33b250e8c57e6fe7c0
    • Instruction Fuzzy Hash: B9A19331701212CFCB29EF14D5A5B6AF768BF85700F1542ADE84AAB261DB70ED16CF90
    APIs
    • EnumChildWindows.USER32(?,009BA844), ref: 009BA782
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: ChildEnumWindows
    • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
    • API String ID: 3555792229-1603158881
    • Opcode ID: 56ee65a1d9c7a0ea1113013218168624994a6c6d1faf5c7f0f73334ae0c7cd6c
    • Instruction ID: e72b2517a6b748b6d1fa47c23ef0854ab89a0cfc4fc056c7544ce873543be789
    • Opcode Fuzzy Hash: 56ee65a1d9c7a0ea1113013218168624994a6c6d1faf5c7f0f73334ae0c7cd6c
    • Instruction Fuzzy Hash: 2791F470A04605EBCB58EF70C5D2BEDFB78BF44324F148119E89AA7251DF30A999CB91
    APIs
    • SetWindowLongW.USER32(?,000000EB), ref: 00962EAE
      • Part of subcall function 00961DB3: GetClientRect.USER32(?,?), ref: 00961DDC
      • Part of subcall function 00961DB3: GetWindowRect.USER32(?,?), ref: 00961E1D
      • Part of subcall function 00961DB3: ScreenToClient.USER32(?,?), ref: 00961E45
    • GetDC.USER32 ref: 0099CEB2
    • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0099CEC5
    • SelectObject.GDI32(00000000,00000000), ref: 0099CED3
    • SelectObject.GDI32(00000000,00000000), ref: 0099CEE8
    • ReleaseDC.USER32(?,00000000), ref: 0099CEF0
    • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0099CF7B
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
    • String ID: U
    • API String ID: 4009187628-3372436214
    • Opcode ID: f2743fe223552c0b4dc956c2080242eb6990b995c02e1bbc5d4f1643b391fd60
    • Instruction ID: d2a7222e4d86ed77641d7317025c50f01146a394f5fd4bf6669f5a338dfe7f1d
    • Opcode Fuzzy Hash: f2743fe223552c0b4dc956c2080242eb6990b995c02e1bbc5d4f1643b391fd60
    • Instruction Fuzzy Hash: F0718071500605DFCF228F68CC94ABA7BBAFF48350F14466AFD565A2A6C7319C41DB60
    APIs
    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 009D1B66
    • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 009D1B92
    • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 009D1BD4
    • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 009D1BE9
    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009D1BF6
    • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 009D1C26
    • InternetCloseHandle.WININET(00000000), ref: 009D1C6D
      • Part of subcall function 009D2599: GetLastError.KERNEL32(?,?,009D192D,00000000,00000000,00000001), ref: 009D25AE
      • Part of subcall function 009D2599: SetEvent.KERNEL32(?,?,009D192D,00000000,00000000,00000001), ref: 009D25C3
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
    • String ID:
    • API String ID: 2603140658-3916222277
    • Opcode ID: 38177af6c40f48a4b6b3d3f11116478b5d6aaaf701b95994d0ef5466a1b3f23d
    • Instruction ID: 5c7e8e4425fe2630ba2382d6337fae606fbabaa0a131d1b3781759438867671e
    • Opcode Fuzzy Hash: 38177af6c40f48a4b6b3d3f11116478b5d6aaaf701b95994d0ef5466a1b3f23d
    • Instruction Fuzzy Hash: 3041B1B2594218BFEB118F60CC89FBB77ACEF48354F00812BF9059A251E775DE449BA0
    APIs
    • GetModuleFileNameW.KERNEL32(?,?,00000104,?,009EF910), ref: 009D8E3D
    • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,009EF910), ref: 009D8E71
    • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 009D8FEB
    • SysFreeString.OLEAUT32(?), ref: 009D9015
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Free$FileLibraryModuleNamePathQueryStringType
    • String ID:
    • API String ID: 560350794-0
    • Opcode ID: 6b480f9f6ae668f74a0fa312ee29d29f84c09e4975dfb004b7a2e095b0fa8818
    • Instruction ID: 4a2e56e610be2adf8cb1fb0edabd41d3f37d1acb2f6cc3c60622076d72f51b6f
    • Opcode Fuzzy Hash: 6b480f9f6ae668f74a0fa312ee29d29f84c09e4975dfb004b7a2e095b0fa8818
    • Instruction Fuzzy Hash: A2F13D71A40119EFCF04DF94C888EAEB7B9FF89315F10845AF515AB291DB31AE45CB90
    APIs
    • _memset.LIBCMT ref: 009DF7C9
    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 009DF95C
    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 009DF980
    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 009DF9C0
    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 009DF9E2
    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 009DFB5E
    • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 009DFB90
    • CloseHandle.KERNEL32(?), ref: 009DFBBF
    • CloseHandle.KERNEL32(?), ref: 009DFC36
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
    • String ID:
    • API String ID: 4090791747-0
    • Opcode ID: 270555d4dac3cf1145ca0d8d8025ee33916771235122d9255679996ca96d42c1
    • Instruction ID: 6056af2bb2ad1b9263542d0b859f85daee45abdb1c8e2bad61de2a9b9e6ddad0
    • Opcode Fuzzy Hash: 270555d4dac3cf1145ca0d8d8025ee33916771235122d9255679996ca96d42c1
    • Instruction Fuzzy Hash: 8EE1A2316443419FC714EF24C4A2B6ABBE5AFC5354F14846EF88A9B3A2DB30DC45CB52
    APIs
      • Part of subcall function 009C46AF: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,009C36DB,?), ref: 009C46CC
      • Part of subcall function 009C46AF: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,009C36DB,?), ref: 009C46E5
      • Part of subcall function 009C4AD8: GetFileAttributesW.KERNEL32(?,009C374F), ref: 009C4AD9
    • lstrcmpiW.KERNEL32(?,?), ref: 009C4DE7
    • _wcscmp.LIBCMT ref: 009C4E01
    • MoveFileW.KERNEL32(?,?), ref: 009C4E1C
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
    • String ID:
    • API String ID: 793581249-0
    • Opcode ID: 6a2ddbde8d13ccc186b6e0ff734a64825817c557f68d2311981c33ff585fab8c
    • Instruction ID: 8319e04ebc1968b9fa312b1fcc244e148abb040cd6d98e5024437374d60b341c
    • Opcode Fuzzy Hash: 6a2ddbde8d13ccc186b6e0ff734a64825817c557f68d2311981c33ff585fab8c
    • Instruction Fuzzy Hash: 2C5134B25083859BC724EBA4D891FDFB7ECAFC4300F10492EB585D7191EF34A6888766
    APIs
    • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 009E8731
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: InvalidateRect
    • String ID:
    • API String ID: 634782764-0
    • Opcode ID: f044a122cc78a52e44aeb252fa4796865b664cd61909284d350bb6f5012042b6
    • Instruction ID: 1dcd79346e3269e934e30e8d3d6546ff32be1ef4fc192c08bdd19d6b16a8b085
    • Opcode Fuzzy Hash: f044a122cc78a52e44aeb252fa4796865b664cd61909284d350bb6f5012042b6
    • Instruction Fuzzy Hash: 0251BA70500294BFDF229BAACC95B5B3B68FB05710F604915FA29EA1E1CF75ED40DB50
    APIs
    • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0099C477
    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0099C499
    • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0099C4B1
    • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0099C4CF
    • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0099C4F0
    • DestroyIcon.USER32(00000000), ref: 0099C4FF
    • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0099C51C
    • DestroyIcon.USER32(?), ref: 0099C52B
      • Part of subcall function 009EA4E1: DeleteObject.GDI32(00000000), ref: 009EA51A
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
    • String ID:
    • API String ID: 2819616528-0
    • Opcode ID: 5b9885e6aae35fef1691407336afd7c1b854bfc9e162ce5514d283226bd05aa4
    • Instruction ID: 2316defe9651a0e04bd22e913b374f5201f345e9a8664a2238658ad1f2607c7d
    • Opcode Fuzzy Hash: 5b9885e6aae35fef1691407336afd7c1b854bfc9e162ce5514d283226bd05aa4
    • Instruction Fuzzy Hash: 16516970A10609EFDB20DF28DC95FAA37A9FB59710F104529F9429B2A0D770ED81EB50
    APIs
      • Part of subcall function 009BAC37: GetWindowThreadProcessId.USER32(?,00000000), ref: 009BAC57
      • Part of subcall function 009BAC37: GetCurrentThreadId.KERNEL32 ref: 009BAC5E
      • Part of subcall function 009BAC37: AttachThreadInput.USER32(00000000,?,009B9945,?,00000001), ref: 009BAC65
    • MapVirtualKeyW.USER32(00000025,00000000), ref: 009B9950
    • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 009B996D
    • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 009B9970
    • MapVirtualKeyW.USER32(00000025,00000000), ref: 009B9979
    • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 009B9997
    • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 009B999A
    • MapVirtualKeyW.USER32(00000025,00000000), ref: 009B99A3
    • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 009B99BA
    • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 009B99BD
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
    • String ID:
    • API String ID: 2014098862-0
    • Opcode ID: d9b6d85cb7e16906bcf8f82da0072518a8fdb68baa4d02773a30be78c8853019
    • Instruction ID: 50ad93308a4b5e60e0e0f9dc6514ebacb582c0a2855529d67be68ff05e6db591
    • Opcode Fuzzy Hash: d9b6d85cb7e16906bcf8f82da0072518a8fdb68baa4d02773a30be78c8853019
    • Instruction Fuzzy Hash: BA11C671564258BFF6106B60CC89FAA7F2DDB4D765F100426F2449B0D0C9F25C109AA4
    APIs
    • GetProcessHeap.KERNEL32(00000008,0000000C), ref: 009B8BEC
    • HeapAlloc.KERNEL32(00000000), ref: 009B8BF3
    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 009B8C08
    • GetCurrentProcess.KERNEL32(?,00000000), ref: 009B8C10
    • DuplicateHandle.KERNEL32(00000000), ref: 009B8C13
    • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002), ref: 009B8C23
    • GetCurrentProcess.KERNEL32(?,00000000), ref: 009B8C2B
    • DuplicateHandle.KERNEL32(00000000), ref: 009B8C2E
    • CreateThread.KERNEL32(00000000,00000000,009B8C54,00000000,00000000,00000000), ref: 009B8C48
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
    • String ID:
    • API String ID: 1957940570-0
    • Opcode ID: 3f3ce17bd84675272f763cd7a4c882a7439a41f79a66dec843bf3670bc6b5bd8
    • Instruction ID: 8392dbd3a8cd806b78102059498200a817f2b18f5fa417aabd52702423318608
    • Opcode Fuzzy Hash: 3f3ce17bd84675272f763cd7a4c882a7439a41f79a66dec843bf3670bc6b5bd8
    • Instruction Fuzzy Hash: A501ACB5254348FFE710AB65DC89F573B6CEB89711F018421FA05DF191CA709C00DA20
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID:
    • String ID: NULL Pointer assignment$Not an Object type
    • API String ID: 0-572801152
    • Opcode ID: 2cd64633379a35f8ac53ff616bb5dba406a717b7579de1b0324886e5634fad85
    • Instruction ID: e5ad9721cc0e385f9f16c05d0c7e071b5c25fc32ece90fefed5e650071bc8c93
    • Opcode Fuzzy Hash: 2cd64633379a35f8ac53ff616bb5dba406a717b7579de1b0324886e5634fad85
    • Instruction Fuzzy Hash: 59C17371A402199FDF10EFA8C984BAEB7B9FB48314F14856AF905EB381D7709D45CB60
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Variant$ClearInit$_memset
    • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
    • API String ID: 2862541840-625585964
    • Opcode ID: 833be28cf9cfe44bc5ca768998832c53bfea886e40690844be637ad093e6e737
    • Instruction ID: 2cfd911b82638f7805940091e3562803d6629bc573a2ffd04302838e8532e2c8
    • Opcode Fuzzy Hash: 833be28cf9cfe44bc5ca768998832c53bfea886e40690844be637ad093e6e737
    • Instruction Fuzzy Hash: D391CF70A40219AFCF24EFA4C844FAEBBB8EF85310F10C55AF509AB291D7749941CFA0
    APIs
      • Part of subcall function 009B7432: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009B736C,80070057,?,?,?,009B777D), ref: 009B744F
      • Part of subcall function 009B7432: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009B736C,80070057,?,?), ref: 009B746A
      • Part of subcall function 009B7432: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009B736C,80070057,?,?), ref: 009B7478
      • Part of subcall function 009B7432: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009B736C,80070057,?), ref: 009B7488
    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 009D991B
    • _memset.LIBCMT ref: 009D9928
    • _memset.LIBCMT ref: 009D9A6B
    • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 009D9A97
    • CoTaskMemFree.OLE32(?), ref: 009D9AA2
    Strings
    • NULL Pointer assignment, xrefs: 009D9AF0
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
    • String ID: NULL Pointer assignment
    • API String ID: 1300414916-2785691316
    • Opcode ID: 0675ab945be51b8c93b771c521d82f09bde5633581c2e3d0df0e53d33554ee80
    • Instruction ID: 55a9ba601c8a320d449ce1d12f014448b7a481565960b1548146e7f7d20fcec3
    • Opcode Fuzzy Hash: 0675ab945be51b8c93b771c521d82f09bde5633581c2e3d0df0e53d33554ee80
    • Instruction Fuzzy Hash: 52913A71D00229EBDB10EFA4DC81EDEBBB9EF48710F10815AF519A7291DB709A44CFA0
    APIs
    • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 009E6E56
    • SendMessageW.USER32(?,00001036,00000000,?), ref: 009E6E6A
    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 009E6E84
    • _wcscat.LIBCMT ref: 009E6EDF
    • SendMessageW.USER32(?,00001057,00000000,?), ref: 009E6EF6
    • SendMessageW.USER32(?,00001061,?,0000000F), ref: 009E6F24
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: MessageSend$Window_wcscat
    • String ID: SysListView32
    • API String ID: 307300125-78025650
    • Opcode ID: 9f68f05676b060cba4357f5b6da76cacbe1135a2c19e4b4f229dd1b5c48cead0
    • Instruction ID: d794b33e3ac864117492bd513b9ff9dde383bab1ce4d74297cf25ef3d911056b
    • Opcode Fuzzy Hash: 9f68f05676b060cba4357f5b6da76cacbe1135a2c19e4b4f229dd1b5c48cead0
    • Instruction Fuzzy Hash: 8F41A175A00388AFDB229F65CC85BEE77A8EF48790F10082AF585E71D1D2729D94CB50
    APIs
      • Part of subcall function 009C3C99: CreateToolhelp32Snapshot.KERNEL32 ref: 009C3CBE
      • Part of subcall function 009C3C99: Process32FirstW.KERNEL32(00000000,?), ref: 009C3CCC
      • Part of subcall function 009C3C99: CloseHandle.KERNEL32(00000000), ref: 009C3D96
    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 009DEAB8
    • GetLastError.KERNEL32 ref: 009DEACB
    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 009DEAFA
    • TerminateProcess.KERNEL32(00000000,00000000), ref: 009DEB77
    • GetLastError.KERNEL32(00000000), ref: 009DEB82
    • CloseHandle.KERNEL32(00000000), ref: 009DEBB7
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
    • String ID: SeDebugPrivilege
    • API String ID: 2533919879-2896544425
    • Opcode ID: 755f5e45231a0203eaa3f1f8b705557ce16f7c14076697f5a2c436251136579d
    • Instruction ID: 055eb18636bcd779a952f8425ea9ae1b4cb8fb1ba3d55e4996c09bd6461e4c09
    • Opcode Fuzzy Hash: 755f5e45231a0203eaa3f1f8b705557ce16f7c14076697f5a2c436251136579d
    • Instruction Fuzzy Hash: 3F41AC316442019FDB14EF54CDA6F6EB7A9AF84314F08845AF8469F3D2CB78AC04DB96
    APIs
    • LoadIconW.USER32(00000000,00007F03), ref: 009C30CD
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: IconLoad
    • String ID: blank$info$question$stop$warning
    • API String ID: 2457776203-404129466
    • Opcode ID: 9578ca5bb324d460362d7190d5eb13330f2363de50952d584bf5792164fc40dc
    • Instruction ID: b059c21f2b55bd6e76effe1b4132a2bc886dcffcc60db3a4996e64305f366db0
    • Opcode Fuzzy Hash: 9578ca5bb324d460362d7190d5eb13330f2363de50952d584bf5792164fc40dc
    • Instruction Fuzzy Hash: 6D11BB37A0834BBAE720EE55DC82EAA779CDF09724F20C02EF50156281DEB55F4146A6
    APIs
    • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 009C4353
    • LoadStringW.USER32(00000000), ref: 009C435A
    • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 009C4370
    • LoadStringW.USER32(00000000), ref: 009C4377
    • _wprintf.LIBCMT ref: 009C439D
    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 009C43BB
    Strings
    • %s (%d) : ==> %s: %s %s, xrefs: 009C4398
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: HandleLoadModuleString$Message_wprintf
    • String ID: %s (%d) : ==> %s: %s %s
    • API String ID: 3648134473-3128320259
    • Opcode ID: 610b784f050c8f19457b18ae32054d9a733b42ca449e4037d06589a2abcb0e58
    • Instruction ID: 8d5f1778b8864827ed724a7981858092939bd5ac84efc00be85909e32bb65a54
    • Opcode Fuzzy Hash: 610b784f050c8f19457b18ae32054d9a733b42ca449e4037d06589a2abcb0e58
    • Instruction Fuzzy Hash: A101A2F390424CBFE721ABA0DDD9FE6736CE708700F0005A6BB05E6011EA349E845B71
    APIs
      • Part of subcall function 00962612: GetWindowLongW.USER32(?,000000EB), ref: 00962623
    • GetSystemMetrics.USER32(0000000F), ref: 009ED4E6
    • GetSystemMetrics.USER32(0000000F), ref: 009ED506
    • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 009ED741
    • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 009ED75F
    • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 009ED780
    • ShowWindow.USER32(00000003,00000000), ref: 009ED79F
    • InvalidateRect.USER32(?,00000000,00000001), ref: 009ED7C4
    • DefDlgProcW.USER32(?,00000005,?,?), ref: 009ED7E7
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
    • String ID:
    • API String ID: 1211466189-0
    • Opcode ID: f63fbe697f53347dddd421763932a87a867ccf3186ce3b89f9edc7d064d57f16
    • Instruction ID: 7ad639e13bde95f7000524c44c691a6d920555f2a925b85fe3910db38ef17f77
    • Opcode Fuzzy Hash: f63fbe697f53347dddd421763932a87a867ccf3186ce3b89f9edc7d064d57f16
    • Instruction Fuzzy Hash: 42B19871601269EFDF15CF2AC9C57AE7BB5BF04700F088069EC489E295D735AE50CB50
    APIs
      • Part of subcall function 00967F41: _memmove.LIBCMT ref: 00967F82
      • Part of subcall function 009E0EA5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009DFE38,?,?), ref: 009E0EBC
    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009DFE79
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: BuffCharConnectRegistryUpper_memmove
    • String ID:
    • API String ID: 3479070676-0
    • Opcode ID: 2c6bef536b911465df339db36ced2c113cf49d9272adbd885e150d11a8dd2da7
    • Instruction ID: 5a90e06816a5f1b4d9268a2a1edc59616fe57dba5adad1f91d4321f6bed3ebb0
    • Opcode Fuzzy Hash: 2c6bef536b911465df339db36ced2c113cf49d9272adbd885e150d11a8dd2da7
    • Instruction Fuzzy Hash: 6BA16A312082019FCB11EF54C8A1B6EB7E5EF84314F18882DF8969B2A2DB75ED45DF81
    APIs
    • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0099C347,00000004,00000000,00000000,00000000), ref: 00962ACF
    • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0099C347,00000004,00000000,00000000,00000000,000000FF), ref: 00962B17
    • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0099C347,00000004,00000000,00000000,00000000), ref: 0099C39A
    • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0099C347,00000004,00000000,00000000,00000000), ref: 0099C406
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: ShowWindow
    • String ID:
    • API String ID: 1268545403-0
    • Opcode ID: 509ba8719bdaa0587c3e0009e80a7098cd23d3aa0147f13449d343aac411c2aa
    • Instruction ID: 203f1908403ccbed984ec7b0b828db89413ba58fa9ef2a48ff1913f0b2a8832d
    • Opcode Fuzzy Hash: 509ba8719bdaa0587c3e0009e80a7098cd23d3aa0147f13449d343aac411c2aa
    • Instruction Fuzzy Hash: 5A41F870618F80ABDB358BBC9CDDB7A7B9ABB85300F54CD1DE0878A5A0C6B59C41E710
    APIs
    • InterlockedExchange.KERNEL32(?,000001F5), ref: 009C7186
      • Part of subcall function 00980F36: std::exception::exception.LIBCMT ref: 00980F6C
      • Part of subcall function 00980F36: __CxxThrowException@8.LIBCMT ref: 00980F81
    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 009C71BD
    • EnterCriticalSection.KERNEL32(?), ref: 009C71D9
    • _memmove.LIBCMT ref: 009C7227
    • _memmove.LIBCMT ref: 009C7244
    • LeaveCriticalSection.KERNEL32(?), ref: 009C7253
    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 009C7268
    • InterlockedExchange.KERNEL32(?,000001F6), ref: 009C7287
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
    • String ID:
    • API String ID: 256516436-0
    • Opcode ID: fd68065772ab127f0f76cb736b330a78bda16ff6f9edbdea73012f14bf0cfa43
    • Instruction ID: 0fb8f2d7bc0d1d2fa639b4557016df5818e2d581e6270e1b6e5c11b156129ee4
    • Opcode Fuzzy Hash: fd68065772ab127f0f76cb736b330a78bda16ff6f9edbdea73012f14bf0cfa43
    • Instruction Fuzzy Hash: 93317E31D04205EBCF50EFA4DC85EAAB778EF84310F1581AAFA04AB256D7309E15DBA1
    APIs
    • DeleteObject.GDI32(00000000), ref: 009E621D
    • GetDC.USER32(00000000), ref: 009E6225
    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 009E6230
    • ReleaseDC.USER32(00000000,00000000), ref: 009E623C
    • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 009E6278
    • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 009E6289
    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,009E905C,?,?,000000FF,00000000,?,000000FF,?), ref: 009E62C3
    • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 009E62E3
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
    • String ID:
    • API String ID: 3864802216-0
    • Opcode ID: 3a5d2e8ffb30e84e63e7480168b9e46365db09342d883413993a605660e0b6bc
    • Instruction ID: 1aa026f5b2b356cd3375c9e772090fa115041e30d1069a403762af0e1068efe4
    • Opcode Fuzzy Hash: 3a5d2e8ffb30e84e63e7480168b9e46365db09342d883413993a605660e0b6bc
    • Instruction Fuzzy Hash: 69317A72214254BFEB118F51DC8AFAA3BADEF19761F044066FE08DE291C6759C41CBA4
    APIs
      • Part of subcall function 00969997: __itow.LIBCMT ref: 009699C2
      • Part of subcall function 00969997: __swprintf.LIBCMT ref: 00969A0C
      • Part of subcall function 0097FE06: _wcscpy.LIBCMT ref: 0097FE29
    • _wcstok.LIBCMT ref: 009CED20
    • _wcscpy.LIBCMT ref: 009CEDAF
    • _memset.LIBCMT ref: 009CEDE2
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: _wcscpy$__itow__swprintf_memset_wcstok
    • String ID: X
    • API String ID: 774024439-3081909835
    • Opcode ID: 132a9fa6dab2ca2fb5a55d92b74f7f77d093b1e72a6e7f3a483b18b1955bc6a1
    • Instruction ID: 30cf45cefe1b10618b16e1b98fc545c5fefdf0e7abf9e3dfcd6db81120e1ab46
    • Opcode Fuzzy Hash: 132a9fa6dab2ca2fb5a55d92b74f7f77d093b1e72a6e7f3a483b18b1955bc6a1
    • Instruction Fuzzy Hash: 57C15B359083019FD724EF64C891F9AB7E4BF85354F14492DF89A9B2A2DB30ED45CB82
    APIs
    • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 009D6D16
    • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 009D6D37
    • WSAGetLastError.WSOCK32(00000000), ref: 009D6D4A
    • htons.WSOCK32(?,?,?,00000000,?), ref: 009D6E00
    • inet_ntoa.WSOCK32(?), ref: 009D6DBD
      • Part of subcall function 009BABF4: _strlen.LIBCMT ref: 009BABFE
      • Part of subcall function 009BABF4: _memmove.LIBCMT ref: 009BAC20
    • _strlen.LIBCMT ref: 009D6E5A
    • _memmove.LIBCMT ref: 009D6EC3
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
    • String ID:
    • API String ID: 3619996494-0
    • Opcode ID: 0bb663872941a91fa1e052ee8fea598320a7c31bfb1a5c7f563e6e5c76bb194e
    • Instruction ID: 68f4759a3303df08f918410efa769eb93cc7ced01c997e84cbede60870db51f7
    • Opcode Fuzzy Hash: 0bb663872941a91fa1e052ee8fea598320a7c31bfb1a5c7f563e6e5c76bb194e
    • Instruction Fuzzy Hash: BE81CD31544300ABD710EF24CC92F6BB7E9EFC4714F14891AF5969B2A2DA71ED04CBA1
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 5eb319a6ef1c8aed63e73f0c538fdb39016fd6b33d21520be3fcf60d4a417278
    • Instruction ID: 562790d42587729c57f70d4778f18ea72f2cbf93b58f9499891709d1cd7cb4c0
    • Opcode Fuzzy Hash: 5eb319a6ef1c8aed63e73f0c538fdb39016fd6b33d21520be3fcf60d4a417278
    • Instruction Fuzzy Hash: BB715931904109EFCB04DF98CC89ABEBB79FF89314F188159F915AB261C734AA51DBA0
    APIs
    • IsWindow.USER32(00A55658), ref: 009EB41F
    • IsWindowEnabled.USER32(00A55658), ref: 009EB42B
    • SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 009EB50F
    • SendMessageW.USER32(00A55658,000000B0,?,?), ref: 009EB546
    • IsDlgButtonChecked.USER32(?,?), ref: 009EB583
    • GetWindowLongW.USER32(00A55658,000000EC), ref: 009EB5A5
    • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 009EB5BD
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: MessageSendWindow$ButtonCheckedEnabledLong
    • String ID:
    • API String ID: 4072528602-0
    • Opcode ID: e200cfa86776c5ee565781f346ef37323139fc235c2444820df70ce0b79cc084
    • Instruction ID: 6fb8ab28720a1fef45e4ae3254d411fbccc7bef60b111ca3ebdb36c1b21275f2
    • Opcode Fuzzy Hash: e200cfa86776c5ee565781f346ef37323139fc235c2444820df70ce0b79cc084
    • Instruction Fuzzy Hash: 0C71ED34601284EFDB229F66C894FBBBBB9FF09300F144069F9859B2A2D731AD41DB10
    APIs
    • _memset.LIBCMT ref: 009DF55C
    • _memset.LIBCMT ref: 009DF625
    • ShellExecuteExW.SHELL32(?), ref: 009DF66A
      • Part of subcall function 00969997: __itow.LIBCMT ref: 009699C2
      • Part of subcall function 00969997: __swprintf.LIBCMT ref: 00969A0C
      • Part of subcall function 0097FE06: _wcscpy.LIBCMT ref: 0097FE29
    • GetProcessId.KERNEL32(00000000), ref: 009DF6E1
    • CloseHandle.KERNEL32(00000000), ref: 009DF710
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
    • String ID: @
    • API String ID: 3522835683-2766056989
    • Opcode ID: 266544b2c058740575781384ae23803fad99f80b0323f6c505663d9c62da761b
    • Instruction ID: ce1c53e246a2fb233a681042e9d9572aece009f953285255ac164061fb8b59a2
    • Opcode Fuzzy Hash: 266544b2c058740575781384ae23803fad99f80b0323f6c505663d9c62da761b
    • Instruction Fuzzy Hash: 41616075A006199FCF14EF94C591AAEBBF5FF88310F14846AE856AB761CB30AD41CB90
    APIs
    • GetParent.USER32(?), ref: 009C12BD
    • GetKeyboardState.USER32(?), ref: 009C12D2
    • SetKeyboardState.USER32(?), ref: 009C1333
    • PostMessageW.USER32(?,00000101,00000010,?), ref: 009C1361
    • PostMessageW.USER32(?,00000101,00000011,?), ref: 009C1380
    • PostMessageW.USER32(?,00000101,00000012,?), ref: 009C13C6
    • PostMessageW.USER32(?,00000101,0000005B,?), ref: 009C13E9
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: MessagePost$KeyboardState$Parent
    • String ID:
    • API String ID: 87235514-0
    • Opcode ID: 7ca20a1fa0f6f7da136a7fd19306625bbd25c5c6d60879dafc27ba31273a353e
    • Instruction ID: f0bcb745fac088bba9ba83509d152d44b9312858e26e3fb748a80920b97a584c
    • Opcode Fuzzy Hash: 7ca20a1fa0f6f7da136a7fd19306625bbd25c5c6d60879dafc27ba31273a353e
    • Instruction Fuzzy Hash: 6F51E3A0E087D53EFB3642348C45FBA7EAD6F47308F08858DE0D5498D3C698AD94D766
    APIs
    • GetParent.USER32(00000000), ref: 009C10D6
    • GetKeyboardState.USER32(?), ref: 009C10EB
    • SetKeyboardState.USER32(?), ref: 009C114C
    • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 009C1178
    • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 009C1195
    • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 009C11D9
    • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 009C11FA
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: MessagePost$KeyboardState$Parent
    • String ID:
    • API String ID: 87235514-0
    • Opcode ID: a480699e8746d8a80b54b48dee4c760134cdd47b84fa61887c91ab95cee50b95
    • Instruction ID: 5996a713282935e3c0b761d42a9ee2c04f45fece33a2e5d9064460427e082e2f
    • Opcode Fuzzy Hash: a480699e8746d8a80b54b48dee4c760134cdd47b84fa61887c91ab95cee50b95
    • Instruction Fuzzy Hash: 3151C3A0D087D63DFB3687248C55F7A7EAD6B47300F0C858DE1D54A8C3D298AC98E75A
    APIs
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: _wcsncpy$LocalTime
    • String ID:
    • API String ID: 2945705084-0
    • Opcode ID: bb35018782a4ff4f3c3c2315f5841e6c4fa5ed021ab63d1cd117aa9ac572fb7c
    • Instruction ID: 4ca4f5cd232fcc0d5f659c4a9c642a8326d83cbebe1c7d1f4bff626038c75ebb
    • Opcode Fuzzy Hash: bb35018782a4ff4f3c3c2315f5841e6c4fa5ed021ab63d1cd117aa9ac572fb7c
    • Instruction Fuzzy Hash: A141B1A5C2061479CB11FBB49886FCFB7B89F45310F118466F918E3261E638E745C7A6
    APIs
      • Part of subcall function 009C46AF: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,009C36DB,?), ref: 009C46CC
      • Part of subcall function 009C46AF: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,009C36DB,?), ref: 009C46E5
    • lstrcmpiW.KERNEL32(?,?), ref: 009C36FB
    • _wcscmp.LIBCMT ref: 009C3717
    • MoveFileW.KERNEL32(?,?), ref: 009C372F
    • _wcscat.LIBCMT ref: 009C3777
    • SHFileOperationW.SHELL32(?), ref: 009C37E3
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
    • String ID: \*.*
    • API String ID: 1377345388-1173974218
    • Opcode ID: 07e3056de4ab5abe5a363e6480f16aa212949b298f85e0eb7f8bdac50e6fa808
    • Instruction ID: 9e1a43103efb025c04d8cae26b77f6e501cfeaca677e13487db69bdfebe52f39
    • Opcode Fuzzy Hash: 07e3056de4ab5abe5a363e6480f16aa212949b298f85e0eb7f8bdac50e6fa808
    • Instruction Fuzzy Hash: AB416DB29083459EC755EB64D441FDBB7ECAF88380F00892EB49AC3151EA34D748C757
    APIs
    • _memset.LIBCMT ref: 009E72DC
    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009E7383
    • IsMenu.USER32(?), ref: 009E739B
    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 009E73E3
    • DrawMenuBar.USER32 ref: 009E73F6
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Menu$Item$DrawInfoInsert_memset
    • String ID: 0
    • API String ID: 3866635326-4108050209
    • Opcode ID: 7f2ff67eacfa2bcb9d383679d07bcec7b28c3fe55f8f6a5079105f942ec3a7e7
    • Instruction ID: 4e74cc40a0190b8c611975a71e93985da928cddac446d24272996c91cd6b1d65
    • Opcode Fuzzy Hash: 7f2ff67eacfa2bcb9d383679d07bcec7b28c3fe55f8f6a5079105f942ec3a7e7
    • Instruction Fuzzy Hash: 35413E75A04248EFDB22DF95E884AAABBF9FB04314F048029FD1597260D730AD51DF91
    APIs
    • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 009E105C
    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009E1086
    • FreeLibrary.KERNEL32(00000000), ref: 009E113D
      • Part of subcall function 009E102D: RegCloseKey.ADVAPI32(?), ref: 009E10A3
      • Part of subcall function 009E102D: FreeLibrary.KERNEL32(?), ref: 009E10F5
      • Part of subcall function 009E102D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 009E1118
    • RegDeleteKeyW.ADVAPI32(?,?), ref: 009E10E0
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: EnumFreeLibrary$CloseDeleteOpen
    • String ID:
    • API String ID: 395352322-0
    • Opcode ID: 14d676fe950c77acac2ca60095baaf76f59eb1fef50af408074c7cd7f49ebd12
    • Instruction ID: e37cecb41b9f11c62a5605cf4b762fb9f1c13ec3f420e3b9c2d46db405fcc7c8
    • Opcode Fuzzy Hash: 14d676fe950c77acac2ca60095baaf76f59eb1fef50af408074c7cd7f49ebd12
    • Instruction Fuzzy Hash: 93315AB1915149BFDB16DB91DC99EFFB7BCEF09301F00016AE502A2141EB749F85ABA0
    APIs
    • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 009E631E
    • GetWindowLongW.USER32(00A55658,000000F0), ref: 009E6351
    • GetWindowLongW.USER32(00A55658,000000F0), ref: 009E6386
    • SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 009E63B8
    • SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 009E63E2
    • GetWindowLongW.USER32(?,000000F0), ref: 009E63F3
    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 009E640D
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: LongWindow$MessageSend
    • String ID:
    • API String ID: 2178440468-0
    • Opcode ID: 3c18bf3d1a23c0dc1c1b6a369873272f43ff94cdbcd3f674b41aa6955a4e900a
    • Instruction ID: e87553ecb8ba4d8544dac3c4510490b1a7d4f985d7fc6bbe94e74704da72c995
    • Opcode Fuzzy Hash: 3c18bf3d1a23c0dc1c1b6a369873272f43ff94cdbcd3f674b41aa6955a4e900a
    • Instruction Fuzzy Hash: 2031F330A04294AFDB22CF69DC94F693BE5FB6A750F191164F510CF2B2CB72AC41AB51
    APIs
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009BDE3D
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009BDE63
    • SysAllocString.OLEAUT32(00000000), ref: 009BDE66
    • SysAllocString.OLEAUT32(?), ref: 009BDE84
    • SysFreeString.OLEAUT32(?), ref: 009BDE8D
    • StringFromGUID2.OLE32(?,?,00000028), ref: 009BDEB2
    • SysAllocString.OLEAUT32(?), ref: 009BDEC0
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
    • String ID:
    • API String ID: 3761583154-0
    • Opcode ID: e1a702488a8f299fdd406b6e3be5bf52675a1b699694dfa958c7da3b7ee8ba77
    • Instruction ID: 6630e1945381f1e562c9bbf766b598617d8c26db31fc9fb2a07b8d85bb87ad8c
    • Opcode Fuzzy Hash: e1a702488a8f299fdd406b6e3be5bf52675a1b699694dfa958c7da3b7ee8ba77
    • Instruction Fuzzy Hash: AC21B032605219BF9B10EFA8DD88CFB73ACEB19370B048526FA04DF2A0E670DD418760
    APIs
      • Part of subcall function 009D7EA0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 009D7ECB
    • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 009D62DC
    • WSAGetLastError.WSOCK32(00000000), ref: 009D62EB
    • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 009D6324
    • connect.WSOCK32(00000000,?,00000010), ref: 009D632D
    • WSAGetLastError.WSOCK32 ref: 009D6337
    • closesocket.WSOCK32(00000000), ref: 009D6360
    • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 009D6379
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
    • String ID:
    • API String ID: 910771015-0
    • Opcode ID: 10b2fc00f308bdd48698b5f673ffa2ffed27f3a0b3440acfd44aa74177ff95f1
    • Instruction ID: 9de1d220a7fb231707e3d850252a169547d9c17b48a5fd1dafcfeb9cff5bc243
    • Opcode Fuzzy Hash: 10b2fc00f308bdd48698b5f673ffa2ffed27f3a0b3440acfd44aa74177ff95f1
    • Instruction Fuzzy Hash: 6231C431640118AFDB109F64CC95BBEBBBDEB85760F04802AF946DB391DB74AC049BA1
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: __wcsnicmp
    • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
    • API String ID: 1038674560-2734436370
    • Opcode ID: 13c4747cf6b5e4d287049da7ee48948cf64606ac1040038e9554f5850c4f4093
    • Instruction ID: 20e8448da221e7bd62edf9675f09ee67d15362d0c45538ef3a1c1525b1dca337
    • Opcode Fuzzy Hash: 13c4747cf6b5e4d287049da7ee48948cf64606ac1040038e9554f5850c4f4093
    • Instruction Fuzzy Hash: BC214932108611BAD224BB259D22FF7B39CAFD1734F608436F98A87182FB959D42C391
    APIs
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009BDF18
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009BDF3E
    • SysAllocString.OLEAUT32(00000000), ref: 009BDF41
    • SysAllocString.OLEAUT32 ref: 009BDF62
    • SysFreeString.OLEAUT32 ref: 009BDF6B
    • StringFromGUID2.OLE32(?,?,00000028), ref: 009BDF85
    • SysAllocString.OLEAUT32(?), ref: 009BDF93
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
    • String ID:
    • API String ID: 3761583154-0
    • Opcode ID: f0b712da5680c17ad9fdbfc7e364c20061549075b1cf41a829a5d136d5f0a744
    • Instruction ID: 4ed1b6d91241ea2d73bbebea4b6aac5c5b29c14f0da4fca719ada765e3d1a08f
    • Opcode Fuzzy Hash: f0b712da5680c17ad9fdbfc7e364c20061549075b1cf41a829a5d136d5f0a744
    • Instruction Fuzzy Hash: 1D217131619104AFDB10AFA8DDC8DFB77ECEB49370B108126F915CB2A0E674DD419764
    APIs
      • Part of subcall function 00961D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00961D73
      • Part of subcall function 00961D35: GetStockObject.GDI32(00000011), ref: 00961D87
      • Part of subcall function 00961D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00961D91
    • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 009E7664
    • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 009E7671
    • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 009E767C
    • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 009E768B
    • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 009E7697
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: MessageSend$CreateObjectStockWindow
    • String ID: Msctls_Progress32
    • API String ID: 1025951953-3636473452
    • Opcode ID: f16aef709ab71988dd1d6bcc6e64495e41bfc21ef64aae6a721945234299acf2
    • Instruction ID: c94d7d51835469ecb9bab902b35f434caaab491360bf036c964c3a8452b28a82
    • Opcode Fuzzy Hash: f16aef709ab71988dd1d6bcc6e64495e41bfc21ef64aae6a721945234299acf2
    • Instruction Fuzzy Hash: 9111C4B215421DBFEF119FA5CC85EEBBF6DEF08768F014115BA04A6090C772AC21DBA0
    APIs
    • __init_pointers.LIBCMT ref: 00989C66
      • Part of subcall function 00983307: EncodePointer.KERNEL32(00000000), ref: 0098330A
      • Part of subcall function 00983307: __initp_misc_winsig.LIBCMT ref: 00983325
      • Part of subcall function 00983307: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0098A020
      • Part of subcall function 00983307: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0098A034
      • Part of subcall function 00983307: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0098A047
      • Part of subcall function 00983307: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0098A05A
      • Part of subcall function 00983307: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0098A06D
      • Part of subcall function 00983307: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 0098A080
      • Part of subcall function 00983307: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 0098A093
      • Part of subcall function 00983307: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 0098A0A6
      • Part of subcall function 00983307: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 0098A0B9
      • Part of subcall function 00983307: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 0098A0CC
      • Part of subcall function 00983307: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 0098A0DF
      • Part of subcall function 00983307: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 0098A0F2
      • Part of subcall function 00983307: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 0098A105
      • Part of subcall function 00983307: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 0098A118
      • Part of subcall function 00983307: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 0098A12B
      • Part of subcall function 00983307: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0098A13E
    • __mtinitlocks.LIBCMT ref: 00989C6B
    • __mtterm.LIBCMT ref: 00989C74
      • Part of subcall function 00989CDC: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00989C79,00987E4D,00A1A0B8,00000014), ref: 00989DD6
      • Part of subcall function 00989CDC: _free.LIBCMT ref: 00989DDD
      • Part of subcall function 00989CDC: DeleteCriticalSection.KERNEL32(00A1EC00,?,?,00989C79,00987E4D,00A1A0B8,00000014), ref: 00989DFF
    • __calloc_crt.LIBCMT ref: 00989C99
    • __initptd.LIBCMT ref: 00989CBB
    • GetCurrentThreadId.KERNEL32 ref: 00989CC2
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
    • String ID:
    • API String ID: 3567560977-0
    • Opcode ID: 509ed6154fa76237fd6de898e12bfe4834c479f5a94bed17f470cb3fd1f07948
    • Instruction ID: 550adb8e9661b53ff16dc6b0790e69ab7a8f19eaecfed2d200771921a849b5d4
    • Opcode Fuzzy Hash: 509ed6154fa76237fd6de898e12bfe4834c479f5a94bed17f470cb3fd1f07948
    • Instruction Fuzzy Hash: 93F0BB3255D7112DE634BB787C077BB26C8DF81774B184619F499D93D2FF1288414350
    APIs
    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,009841D2,?), ref: 00984123
    • GetProcAddress.KERNEL32(00000000), ref: 0098412A
    • EncodePointer.KERNEL32(00000000), ref: 00984136
    • DecodePointer.KERNEL32(00000001,009841D2,?), ref: 00984153
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
    • String ID: RoInitialize$combase.dll
    • API String ID: 3489934621-340411864
    • Opcode ID: efb5d9f33add51fd05c3c4a1d3db1225fef8e5d7e9cbe9f53c8eab22e39ff272
    • Instruction ID: a71178e36b6f67ab6d9511ea71bff10d17df822ba4ddb562f5529eb54d3ad9e5
    • Opcode Fuzzy Hash: efb5d9f33add51fd05c3c4a1d3db1225fef8e5d7e9cbe9f53c8eab22e39ff272
    • Instruction Fuzzy Hash: F4E0D8317A4349AFDF20AFB4EC4CB243594BB53B06F008534B511D91E0C7B885429F00
    APIs
    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,009840F8), ref: 009841F8
    • GetProcAddress.KERNEL32(00000000), ref: 009841FF
    • EncodePointer.KERNEL32(00000000), ref: 0098420A
    • DecodePointer.KERNEL32(009840F8), ref: 00984225
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
    • String ID: RoUninitialize$combase.dll
    • API String ID: 3489934621-2819208100
    • Opcode ID: d43c1e3544d4567edd97b6e227efb61baf9a7cd1a1f3fdc420e5c47907cbc192
    • Instruction ID: b86b4f244ae0a7e24f1716e6e72459d90d8818dba678401b8aaf31383d306bee
    • Opcode Fuzzy Hash: d43c1e3544d4567edd97b6e227efb61baf9a7cd1a1f3fdc420e5c47907cbc192
    • Instruction Fuzzy Hash: BEE04F716A93019BDF20DBA4EC4DB2036A4BF05746F104135F120D91E0CBBA4A12EB00
    APIs
    • GetClientRect.USER32(?,?), ref: 00961DDC
    • GetWindowRect.USER32(?,?), ref: 00961E1D
    • ScreenToClient.USER32(?,?), ref: 00961E45
    • GetClientRect.USER32(?,?), ref: 00961F74
    • GetWindowRect.USER32(?,?), ref: 00961F8D
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Rect$Client$Window$Screen
    • String ID:
    • API String ID: 1296646539-0
    • Opcode ID: e1b6333f6b74fa41e33be454802c82363ba46a00f117ede6e510ed29120ab137
    • Instruction ID: ee9abbec7771fe5f8029faba4c14d680a60d96ccfe3e4f59454d89991ac0f315
    • Opcode Fuzzy Hash: e1b6333f6b74fa41e33be454802c82363ba46a00f117ede6e510ed29120ab137
    • Instruction Fuzzy Hash: C1B16D7990024ADBDF10CFA8C5807EEB7B5FF08750F188529EC99DB250EB35AA50DB54
    APIs
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: _memmove$__itow__swprintf
    • String ID:
    • API String ID: 3253778849-0
    • Opcode ID: 0d53ac52d32a040c35c876c25b4cd49e6839e4c7a6ff52f44ce98b7d5a4784d6
    • Instruction ID: 1e4afb881adc1ba83a0287ee72a3c1076f26bb8984608929fe803d3eac985fa2
    • Opcode Fuzzy Hash: 0d53ac52d32a040c35c876c25b4cd49e6839e4c7a6ff52f44ce98b7d5a4784d6
    • Instruction Fuzzy Hash: 1D619D3090065A9BDF11EF64CC82FFE77A8AF85308F04895DF9595B292DB34AD05CB92
    APIs
      • Part of subcall function 00967F41: _memmove.LIBCMT ref: 00967F82
      • Part of subcall function 009E0EA5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009DFE38,?,?), ref: 009E0EBC
    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009E0348
    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009E0388
    • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 009E03AB
    • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 009E03D4
    • RegCloseKey.ADVAPI32(?,?,00000000), ref: 009E0417
    • RegCloseKey.ADVAPI32(00000000), ref: 009E0424
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
    • String ID:
    • API String ID: 4046560759-0
    • Opcode ID: f5dc8935aacc5487a590b6a9d0794d4e715248b682544794370b9d9bebfa595d
    • Instruction ID: 87fcae1acfe185139655fd4cd7fb2e20fd3c449eb9b918582d1acd5e68b3cdaa
    • Opcode Fuzzy Hash: f5dc8935aacc5487a590b6a9d0794d4e715248b682544794370b9d9bebfa595d
    • Instruction Fuzzy Hash: 92515731208240AFC715EB65C895E6ABBE8FFC9314F04891DF5858B2A2EB71ED44CB52
    APIs
    • GetMenu.USER32(?), ref: 009E5864
    • GetMenuItemCount.USER32(00000000), ref: 009E589B
    • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 009E58C3
    • GetMenuItemID.USER32(?,?), ref: 009E5932
    • GetSubMenu.USER32(?,?), ref: 009E5940
    • PostMessageW.USER32(?,00000111,?,00000000), ref: 009E5991
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Menu$Item$CountMessagePostString
    • String ID:
    • API String ID: 650687236-0
    • Opcode ID: c1d7c1c22529f476ec7344d921dbb5fa26904c7f58310360876b3d25ffd3af6e
    • Instruction ID: b9465e4f365b929dc3a982a972dbdf7c1eae376d435cd1efdb01b6fb927a7a7d
    • Opcode Fuzzy Hash: c1d7c1c22529f476ec7344d921dbb5fa26904c7f58310360876b3d25ffd3af6e
    • Instruction Fuzzy Hash: 6551AF31A00615EFCF11EFA5C845AAEB7B4EF88324F158059E905BB351CB70AE41CB91
    APIs
    • VariantInit.OLEAUT32(?), ref: 009BF218
    • VariantClear.OLEAUT32(00000013), ref: 009BF28A
    • VariantClear.OLEAUT32(00000000), ref: 009BF2E5
    • _memmove.LIBCMT ref: 009BF30F
    • VariantClear.OLEAUT32(?), ref: 009BF35C
    • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 009BF38A
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Variant$Clear$ChangeInitType_memmove
    • String ID:
    • API String ID: 1101466143-0
    • Opcode ID: c61ea85b880a6ab5eabd91e7499d66367256cafb7d1598049ba84a992f7e3b28
    • Instruction ID: 51c055b8c5e4d2f4e12bd74b28acc167e08031a894abe44db995e4e139c0d68d
    • Opcode Fuzzy Hash: c61ea85b880a6ab5eabd91e7499d66367256cafb7d1598049ba84a992f7e3b28
    • Instruction Fuzzy Hash: E4514AB5A00209EFCB14CF58C894AAAB7F8FF4C354B15856AE959DB350E334E911CFA0
    APIs
    • _memset.LIBCMT ref: 009C2550
    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009C259B
    • IsMenu.USER32(00000000), ref: 009C25BB
    • CreatePopupMenu.USER32 ref: 009C25EF
    • GetMenuItemCount.USER32(000000FF), ref: 009C264D
    • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 009C267E
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
    • String ID:
    • API String ID: 3311875123-0
    • Opcode ID: bf617f278d6ebc0592c0da524da7158c51d4bdb1b81302ddd5272c29846a3e80
    • Instruction ID: 5497d6e22afce580641b660f1e7ac1561a0d2528ae7ecb8a2c4b65cee44473d2
    • Opcode Fuzzy Hash: bf617f278d6ebc0592c0da524da7158c51d4bdb1b81302ddd5272c29846a3e80
    • Instruction Fuzzy Hash: F9519E70E04249DBCF20DF68DA98FAEBBF8AF54314F14456EF8119B290DB709904CB62
    APIs
      • Part of subcall function 00962612: GetWindowLongW.USER32(?,000000EB), ref: 00962623
    • BeginPaint.USER32(?,?,?,?,?,?), ref: 0096179A
    • GetWindowRect.USER32(?,?), ref: 009617FE
    • ScreenToClient.USER32(?,?), ref: 0096181B
    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0096182C
    • EndPaint.USER32(?,?), ref: 00961876
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: PaintWindow$BeginClientLongRectScreenViewport
    • String ID:
    • API String ID: 1827037458-0
    • Opcode ID: 4d9c8b21a1dfe696caab96bdac7f8db80c223ee60e0d25ccdf42c5819320adf2
    • Instruction ID: 9c56f54d59e5d3f759b6457f90d34ba24fb1e588a7d10c7443eab2ed437bc28f
    • Opcode Fuzzy Hash: 4d9c8b21a1dfe696caab96bdac7f8db80c223ee60e0d25ccdf42c5819320adf2
    • Instruction Fuzzy Hash: 5941B2305043449FDB10DF29DC84FBA7BE8FB89724F080629FA958B1A1C7749C46EB61
    APIs
    • ShowWindow.USER32(00A257B0,00000000,00A55658,?,?,00A257B0,?,009EB5DC,?,?), ref: 009EB746
    • EnableWindow.USER32(?,00000000), ref: 009EB76A
    • ShowWindow.USER32(00A257B0,00000000,00A55658,?,?,00A257B0,?,009EB5DC,?,?), ref: 009EB7CA
    • ShowWindow.USER32(?,00000004,?,009EB5DC,?,?), ref: 009EB7DC
    • EnableWindow.USER32(?,00000001), ref: 009EB800
    • SendMessageW.USER32(?,0000130C,?,00000000), ref: 009EB823
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Window$Show$Enable$MessageSend
    • String ID:
    • API String ID: 642888154-0
    • Opcode ID: f5682e69445755aba82d3d9d7b09dc14f476714e26ad0b183db77c7454667255
    • Instruction ID: 61c8b1db6ac77c52b14233bb85bd8e8fe3e675a24047d5f6bde29624c9f56ddf
    • Opcode Fuzzy Hash: f5682e69445755aba82d3d9d7b09dc14f476714e26ad0b183db77c7454667255
    • Instruction Fuzzy Hash: CA41AD34600195EFDB23CF25C4C9B967BE8FB45301F1881B9E9488FAA2C732AC45DB90
    APIs
    • GetForegroundWindow.USER32(?,?,?,?,?,?,009D4F57,?,?,00000000,00000001), ref: 009D71C1
      • Part of subcall function 009D3AB6: GetWindowRect.USER32(?,?), ref: 009D3AC9
    • GetDesktopWindow.USER32 ref: 009D71EB
    • GetWindowRect.USER32(00000000), ref: 009D71F2
    • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 009D7224
      • Part of subcall function 009C52EB: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009C5363
    • GetCursorPos.USER32(?), ref: 009D7250
    • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 009D72AE
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
    • String ID:
    • API String ID: 4137160315-0
    • Opcode ID: 5cfd7211206eabe46f304617c9f9305c185337961d54ac8b756ac3b0f13fbd12
    • Instruction ID: 33076310d98e5a0e9d5f2a34e588607fe58275eb9c7d6064bb1a698330b197d6
    • Opcode Fuzzy Hash: 5cfd7211206eabe46f304617c9f9305c185337961d54ac8b756ac3b0f13fbd12
    • Instruction Fuzzy Hash: 9E31F032509345ABC720DF54C849F9BB7E9FF98314F00492AF5949B291DB30EA08CB92
    APIs
      • Part of subcall function 009B83D1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 009B83E8
      • Part of subcall function 009B83D1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 009B83F2
      • Part of subcall function 009B83D1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 009B8401
      • Part of subcall function 009B83D1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 009B8408
      • Part of subcall function 009B83D1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 009B841E
    • GetLengthSid.ADVAPI32(?,00000000,009B8757), ref: 009B8B8C
    • GetProcessHeap.KERNEL32(00000008,00000000), ref: 009B8B98
    • HeapAlloc.KERNEL32(00000000), ref: 009B8B9F
    • CopySid.ADVAPI32(00000000,00000000,?), ref: 009B8BB8
    • GetProcessHeap.KERNEL32(00000000,00000000,009B8757), ref: 009B8BCC
    • HeapFree.KERNEL32(00000000), ref: 009B8BD3
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
    • String ID:
    • API String ID: 3008561057-0
    • Opcode ID: 4b52e18932d9034fd80990f3bfbc61ec7442014762b7bd8da39f5768dc1a4829
    • Instruction ID: 628862b466558f7a4bb151340cbd056130af6018f6dfc904b745a035f43ad096
    • Opcode Fuzzy Hash: 4b52e18932d9034fd80990f3bfbc61ec7442014762b7bd8da39f5768dc1a4829
    • Instruction Fuzzy Hash: 8F11BEB1514219FFDB549FA4CD59FEF7BACEB49325F108029E8459B250CB329E00DB60
    APIs
    • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 009B890A
    • OpenProcessToken.ADVAPI32(00000000), ref: 009B8911
    • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 009B8920
    • CloseHandle.KERNEL32(00000004), ref: 009B892B
    • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 009B895A
    • DestroyEnvironmentBlock.USERENV(00000000), ref: 009B896E
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
    • String ID:
    • API String ID: 1413079979-0
    • Opcode ID: e81fea50f606e14dc34f0c2390709a2aa4edbe44d802307c504bcb8738a3383f
    • Instruction ID: 91a4fa1bc6723e5ebee972fd6988afaf8ccdf7a37883c7b728d363f02f570ed7
    • Opcode Fuzzy Hash: e81fea50f606e14dc34f0c2390709a2aa4edbe44d802307c504bcb8738a3383f
    • Instruction Fuzzy Hash: C4116772505249AFDF01CFA4ED88AEE7BACEB08354F044069FA04A6160C7728E20EB21
    APIs
    • GetDC.USER32(00000000), ref: 009BBA77
    • GetDeviceCaps.GDI32(00000000,00000058), ref: 009BBA88
    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 009BBA8F
    • ReleaseDC.USER32(00000000,00000000), ref: 009BBA97
    • MulDiv.KERNEL32(000009EC,?,00000000), ref: 009BBAAE
    • MulDiv.KERNEL32(000009EC,?,?), ref: 009BBAC0
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: CapsDevice$Release
    • String ID:
    • API String ID: 1035833867-0
    • Opcode ID: 3221894295ede9640c43fc367daa35db838e8df5bf5a2c70495b86e90e76a16f
    • Instruction ID: dbe074c4e2cedb8cab74fa345473c46f416de4225b90f65d16a3548050b98286
    • Opcode Fuzzy Hash: 3221894295ede9640c43fc367daa35db838e8df5bf5a2c70495b86e90e76a16f
    • Instruction Fuzzy Hash: 4A018475E04358BBEF109BE59D45B5EBFB8EB48721F004066FA04AB291D6709D00CF90
    APIs
    • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00980313
    • MapVirtualKeyW.USER32(00000010,00000000), ref: 0098031B
    • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00980326
    • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00980331
    • MapVirtualKeyW.USER32(00000011,00000000), ref: 00980339
    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00980341
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Virtual
    • String ID:
    • API String ID: 4278518827-0
    • Opcode ID: 1083af9b1c8a085c1a72966f008ff145fa48365030788d43d8f3a089c36fb9fd
    • Instruction ID: 19e373fa8d6b581dbb484b1c3b89e7bd92cf471ae6b83a90461989590ba2832d
    • Opcode Fuzzy Hash: 1083af9b1c8a085c1a72966f008ff145fa48365030788d43d8f3a089c36fb9fd
    • Instruction Fuzzy Hash: 75016CB09017597DE3008F5A8C85B52FFA8FF19754F00411BA15C4B941C7F5AC64CBE5
    APIs
    • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 009C54A0
    • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 009C54B6
    • GetWindowThreadProcessId.USER32(?,?), ref: 009C54C5
    • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009C54D4
    • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009C54DE
    • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009C54E5
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
    • String ID:
    • API String ID: 839392675-0
    • Opcode ID: 6bd225658dcfe2a0e487ee5533d29f979bd81c41788cc33b81a178525a3f2222
    • Instruction ID: 222732be2ed7ef50848b069fffe1a1727615e33ad37642955c2aeb80824a0a20
    • Opcode Fuzzy Hash: 6bd225658dcfe2a0e487ee5533d29f979bd81c41788cc33b81a178525a3f2222
    • Instruction Fuzzy Hash: 84F0903225819CBBE7215BA2DC4DEEF7B7CEFCAB11F00016AFA00D50A0D7A01E0196B5
    APIs
    • InterlockedExchange.KERNEL32(?,?), ref: 009C72EC
    • EnterCriticalSection.KERNEL32(?,?,00971044,?,?), ref: 009C72FD
    • TerminateThread.KERNEL32(00000000,000001F6,?,00971044,?,?), ref: 009C730A
    • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00971044,?,?), ref: 009C7317
      • Part of subcall function 009C6CDE: CloseHandle.KERNEL32(00000000,?,009C7324,?,00971044,?,?), ref: 009C6CE8
    • InterlockedExchange.KERNEL32(?,000001F6), ref: 009C732A
    • LeaveCriticalSection.KERNEL32(?,?,00971044,?,?), ref: 009C7331
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
    • String ID:
    • API String ID: 3495660284-0
    • Opcode ID: 75fc37f3d77fcd79c4163417b0e354804d088e2e57fcf2ec23468c99df75adb9
    • Instruction ID: 8129a50a57da5e3dedea505b68ecf46b345e7948881821193968bbf5bb792529
    • Opcode Fuzzy Hash: 75fc37f3d77fcd79c4163417b0e354804d088e2e57fcf2ec23468c99df75adb9
    • Instruction Fuzzy Hash: 58F0BE36858652EBE7111B64EDCCEDA772AEF48302B010136F602981A0CB715C01EBA0
    APIs
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 009B8C5F
    • UnloadUserProfile.USERENV(?,?), ref: 009B8C6B
    • CloseHandle.KERNEL32(?), ref: 009B8C74
    • CloseHandle.KERNEL32(?), ref: 009B8C7C
    • GetProcessHeap.KERNEL32(00000000,?), ref: 009B8C85
    • HeapFree.KERNEL32(00000000), ref: 009B8C8C
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
    • String ID:
    • API String ID: 146765662-0
    • Opcode ID: 21d146d8fead2fa7ff34a6e2b93bb70f8bd86ecf8a64f89718cbe668afdf905c
    • Instruction ID: 4f493f989d6f2853d277519f81224fddb567eda3061782d177cb7af2a4707450
    • Opcode Fuzzy Hash: 21d146d8fead2fa7ff34a6e2b93bb70f8bd86ecf8a64f89718cbe668afdf905c
    • Instruction Fuzzy Hash: AEE0C236018445FBDA011FE1EC5C90ABB69FB89362B108232F219890B0CB329860EB50
    APIs
    • VariantInit.OLEAUT32(?), ref: 009D8728
    • CharUpperBuffW.USER32(?,?), ref: 009D8837
    • VariantClear.OLEAUT32(?), ref: 009D89AF
      • Part of subcall function 009C760B: VariantInit.OLEAUT32(00000000), ref: 009C764B
      • Part of subcall function 009C760B: VariantCopy.OLEAUT32(00000000,?), ref: 009C7654
      • Part of subcall function 009C760B: VariantClear.OLEAUT32(00000000), ref: 009C7660
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Variant$ClearInit$BuffCharCopyUpper
    • String ID: AUTOIT.ERROR$Incorrect Parameter format
    • API String ID: 4237274167-1221869570
    • Opcode ID: 9fdc9bd82b5682bad41958c2f8d770410cab1f732b407e78011e73fc3fca4950
    • Instruction ID: 45f77e05e3dbade3c9564dc81f7a610830721ec23943eddca88dbf0f5837c9fe
    • Opcode Fuzzy Hash: 9fdc9bd82b5682bad41958c2f8d770410cab1f732b407e78011e73fc3fca4950
    • Instruction Fuzzy Hash: 64916E756083019FC710DF24C494A6BBBE8EFC9754F14896EF89A8B362DB31E905CB52
    APIs
      • Part of subcall function 0097FE06: _wcscpy.LIBCMT ref: 0097FE29
    • _memset.LIBCMT ref: 009C2E7F
    • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 009C2EAE
    • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 009C2F61
    • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 009C2F8F
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: ItemMenu$Info$Default_memset_wcscpy
    • String ID: 0
    • API String ID: 4152858687-4108050209
    • Opcode ID: 2b9d5496ad01264ead3769e9c004741ec4b4a675bfce41be4a597182abe59c98
    • Instruction ID: 220c5ed489981df0a8b8df6975204e3efa00b378ca9f980f80e44c7b87a435e4
    • Opcode Fuzzy Hash: 2b9d5496ad01264ead3769e9c004741ec4b4a675bfce41be4a597182abe59c98
    • Instruction Fuzzy Hash: 5A51BD71A083059ED724AF28D845F6BBBE8AB89310F044A2DF895E32A1DB70CD048793
    APIs
    • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 009BD8E3
    • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 009BD919
    • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 009BD92A
    • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 009BD9AC
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: ErrorMode$AddressCreateInstanceProc
    • String ID: DllGetClassObject
    • API String ID: 753597075-1075368562
    • Opcode ID: 732bfd572ffc3aa5c66a70851fcb0e57be7fbc08b35b18bc1a5d9dd3080930b7
    • Instruction ID: bc4bdbcfc6a79269b4830211a02c06472cd2a24e7aae953d0244fd5cabaf4280
    • Opcode Fuzzy Hash: 732bfd572ffc3aa5c66a70851fcb0e57be7fbc08b35b18bc1a5d9dd3080930b7
    • Instruction Fuzzy Hash: 3041A171602608EFDB04CF54CAC4BDA7BB9EF85324B1180A9ED059F245E7B5DE40CBA0
    APIs
    • _memset.LIBCMT ref: 009C2AB8
    • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 009C2AD4
    • DeleteMenu.USER32(?,00000007,00000000), ref: 009C2B1A
    • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00A25890,00000000), ref: 009C2B63
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Menu$Delete$InfoItem_memset
    • String ID: 0
    • API String ID: 1173514356-4108050209
    • Opcode ID: 45df426f3b70183cf47b14a3219d7e9f5441b7e16318f342b24afe147b907b93
    • Instruction ID: c470e54efeab93b6c5cff1d1ded47eeb7c8b190e19defb4269532ab87cb62109
    • Opcode Fuzzy Hash: 45df426f3b70183cf47b14a3219d7e9f5441b7e16318f342b24afe147b907b93
    • Instruction Fuzzy Hash: D7418070A043429FD720DF24D885F2ABBE9AF86320F14466EF96697291D770ED04CB63
    APIs
    • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 009DD8D9
      • Part of subcall function 009679AB: _memmove.LIBCMT ref: 009679F9
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: BuffCharLower_memmove
    • String ID: cdecl$none$stdcall$winapi
    • API String ID: 3425801089-567219261
    • Opcode ID: 0dd6e14d353f8e5e8cd8f8d35c1f38c7a23807df35d32840dbf07774e04d8261
    • Instruction ID: 332398875bd5f5c13ca71eedc08e989140d5b5fc2f50828b494ce3b350290c29
    • Opcode Fuzzy Hash: 0dd6e14d353f8e5e8cd8f8d35c1f38c7a23807df35d32840dbf07774e04d8261
    • Instruction Fuzzy Hash: 84319470505615AFCF10EF94C8A1AEEB3B9FF95714B10866AE8A5973D1CB31AD05CB80
    APIs
      • Part of subcall function 00967F41: _memmove.LIBCMT ref: 00967F82
      • Part of subcall function 009BAEA4: GetClassNameW.USER32(?,?,000000FF), ref: 009BAEC7
    • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 009B91D6
    • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 009B91E9
    • SendMessageW.USER32(?,00000189,?,00000000), ref: 009B9219
      • Part of subcall function 00967D2C: _memmove.LIBCMT ref: 00967D66
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: MessageSend$_memmove$ClassName
    • String ID: ComboBox$ListBox
    • API String ID: 365058703-1403004172
    • Opcode ID: a6f3b06d9d046541ad28f2b81a54ee5fa69688b062417025849c0837c857c602
    • Instruction ID: 7e4c0ddd9e6ce43d0a2f60c61ce63057f8ae2d1a8b6e98352d4ec1ca8ca39c15
    • Opcode Fuzzy Hash: a6f3b06d9d046541ad28f2b81a54ee5fa69688b062417025849c0837c857c602
    • Instruction Fuzzy Hash: 432135319041087FDB14ABB4CD99EFEB778DF85330F10462AFA25972E1DB384D0A9620
    APIs
    • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 009D1962
    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009D1988
    • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 009D19B8
    • InternetCloseHandle.WININET(00000000), ref: 009D19FF
      • Part of subcall function 009D2599: GetLastError.KERNEL32(?,?,009D192D,00000000,00000000,00000001), ref: 009D25AE
      • Part of subcall function 009D2599: SetEvent.KERNEL32(?,?,009D192D,00000000,00000000,00000001), ref: 009D25C3
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
    • String ID:
    • API String ID: 3113390036-3916222277
    • Opcode ID: e322782943cb0e6beac0c68a22b3fa94b4298a9ef0dd881c693ac80c61e1a28e
    • Instruction ID: 1e62ddeb41b036cec921594ed1399d44840bddea35e15ca4d5dc483710df8211
    • Opcode Fuzzy Hash: e322782943cb0e6beac0c68a22b3fa94b4298a9ef0dd881c693ac80c61e1a28e
    • Instruction Fuzzy Hash: 86219FB2684208BFEB119F60ECA5FBF77ACEB88744F10811BF40596340EB359E0597A1
    APIs
      • Part of subcall function 00961D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00961D73
      • Part of subcall function 00961D35: GetStockObject.GDI32(00000011), ref: 00961D87
      • Part of subcall function 00961D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00961D91
    • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 009E6493
    • LoadLibraryW.KERNEL32(?), ref: 009E649A
    • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 009E64AF
    • DestroyWindow.USER32(?), ref: 009E64B7
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
    • String ID: SysAnimate32
    • API String ID: 4146253029-1011021900
    • Opcode ID: c537e6266e619843ce2e48ebe88ee47307536431e78641479209ddf4064e3efb
    • Instruction ID: 9141a37f324045cf7fc3451c43e995ee8f502249d81f8c077482bac4408f38a7
    • Opcode Fuzzy Hash: c537e6266e619843ce2e48ebe88ee47307536431e78641479209ddf4064e3efb
    • Instruction Fuzzy Hash: 3821D471600245AFEF124F65DC90EBB37ADEF693A4F108629F910961E0E731CC419760
    APIs
    • GetStdHandle.KERNEL32(0000000C), ref: 009C6E65
    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 009C6E98
    • GetStdHandle.KERNEL32(0000000C), ref: 009C6EAA
    • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 009C6EE4
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: CreateHandle$FilePipe
    • String ID: nul
    • API String ID: 4209266947-2873401336
    • Opcode ID: ea27719af4d592083e289108a1dce9f1534d39471b905d7f09d96bcd55e747c2
    • Instruction ID: 5b1d909c8f237fd9616e7e86608484a42ec4ecae6e50cf580a837e0801b6d6b4
    • Opcode Fuzzy Hash: ea27719af4d592083e289108a1dce9f1534d39471b905d7f09d96bcd55e747c2
    • Instruction Fuzzy Hash: F0217778900205ABDB209F29DC55F9A77F8AF84720F204A1EFDA1D72D0D7709C61CB52
    APIs
    • GetStdHandle.KERNEL32(000000F6), ref: 009C6F32
    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 009C6F64
    • GetStdHandle.KERNEL32(000000F6), ref: 009C6F75
    • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 009C6FAF
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: CreateHandle$FilePipe
    • String ID: nul
    • API String ID: 4209266947-2873401336
    • Opcode ID: 92172d6ba7fb249b364f6bce466abc7697683f15cd061d6ba5064a80d140b4ab
    • Instruction ID: eb97382e3651d575f64f4454438dd60fed22ca7c100263fab8dfa924ca76d96c
    • Opcode Fuzzy Hash: 92172d6ba7fb249b364f6bce466abc7697683f15cd061d6ba5064a80d140b4ab
    • Instruction Fuzzy Hash: 41218372A04305ABDB209F69AC44FA977E8AF85720F204A5DFDB1D72D0D7709851CB62
    APIs
    • SetErrorMode.KERNEL32(00000001), ref: 009CACDE
    • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 009CAD32
    • __swprintf.LIBCMT ref: 009CAD4B
    • SetErrorMode.KERNEL32(00000000,00000001,00000000,009EF910), ref: 009CAD89
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: ErrorMode$InformationVolume__swprintf
    • String ID: %lu
    • API String ID: 3164766367-685833217
    • Opcode ID: 0f647545e0406663f538fa0b9108a17ded9e21d088a5dac301aee10b45bda100
    • Instruction ID: 8f741de100b5e29cb03399a1245e29077b4b7a11fdb39f19bdf5acf975d20566
    • Opcode Fuzzy Hash: 0f647545e0406663f538fa0b9108a17ded9e21d088a5dac301aee10b45bda100
    • Instruction Fuzzy Hash: B4215334A00109AFCB10EF65C985EEE77B8EF89714B008469F509DB351DB31EE41DB61
    APIs
      • Part of subcall function 00967D2C: _memmove.LIBCMT ref: 00967D66
      • Part of subcall function 009BA15C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 009BA179
      • Part of subcall function 009BA15C: GetWindowThreadProcessId.USER32(?,00000000), ref: 009BA18C
      • Part of subcall function 009BA15C: GetCurrentThreadId.KERNEL32 ref: 009BA193
      • Part of subcall function 009BA15C: AttachThreadInput.USER32(00000000), ref: 009BA19A
    • GetFocus.USER32 ref: 009BA334
      • Part of subcall function 009BA1A5: GetParent.USER32(?), ref: 009BA1B3
    • GetClassNameW.USER32(?,?,00000100), ref: 009BA37D
    • EnumChildWindows.USER32(?,009BA3F5), ref: 009BA3A5
    • __swprintf.LIBCMT ref: 009BA3BF
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
    • String ID: %s%d
    • API String ID: 1941087503-1110647743
    • Opcode ID: ea58c0ebbf45d32c24ddffacaf0bf7ba7def60fa40cd0f2ac298e3fab397fcca
    • Instruction ID: 22b98951dbd3bf83b1cda8463d41e93295ada2bd3ec242cd6368883fa836f158
    • Opcode Fuzzy Hash: ea58c0ebbf45d32c24ddffacaf0bf7ba7def60fa40cd0f2ac298e3fab397fcca
    • Instruction Fuzzy Hash: 6D11B1712042097BDF11BFA4DD86FEA77BCAF84720F004075FA18AA182CA709A459B71
    APIs
    • CharUpperBuffW.USER32(?,?), ref: 009C1E69
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: BuffCharUpper
    • String ID: APPEND$EXISTS$KEYS$REMOVE
    • API String ID: 3964851224-769500911
    • Opcode ID: 8997a2b9a2fa0619df833a6de54f8acce959ab357a1c76d39127c334213c687a
    • Instruction ID: bbf16c624ed7dab3480d45e448cdb5339e8485c8f55515c0f47066b67a7f28fd
    • Opcode Fuzzy Hash: 8997a2b9a2fa0619df833a6de54f8acce959ab357a1c76d39127c334213c687a
    • Instruction Fuzzy Hash: EE116130D101088FCF40EF94D891AEDB7B5FF66304B108669DC5497792EB325D4ACB55
    APIs
    • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 009DED1B
    • GetProcessIoCounters.KERNEL32(00000000,?), ref: 009DED4B
    • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 009DEE7E
    • CloseHandle.KERNEL32(?), ref: 009DEEFF
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Process$CloseCountersHandleInfoMemoryOpen
    • String ID:
    • API String ID: 2364364464-0
    • Opcode ID: e6a903a9c405e2cad51b9567fab49ff0ee4aff6de83868b01b3c81df311cd891
    • Instruction ID: 40e2d2bea7431f2276c350c2eabba92cca7d5efd56343639c37502714f862f9a
    • Opcode Fuzzy Hash: e6a903a9c405e2cad51b9567fab49ff0ee4aff6de83868b01b3c81df311cd891
    • Instruction Fuzzy Hash: 478154716443109FD720EF28C996F2AB7E9AF84710F14891EF59ADB3D2DB71AC408B51
    APIs
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
    • String ID:
    • API String ID: 1559183368-0
    • Opcode ID: 17c9c7776e299596ed796557eca7f8bd29831e9b0e98da48d3161094909ff33f
    • Instruction ID: c666f3e110c2cd35e814ac4064d078f70a8b78d40e46c2551beeb4a69236a80e
    • Opcode Fuzzy Hash: 17c9c7776e299596ed796557eca7f8bd29831e9b0e98da48d3161094909ff33f
    • Instruction Fuzzy Hash: 8651A430A00B05DBDF24AF69C88466E77BAEF40320F65872DF835963D0E7759E588B50
    APIs
      • Part of subcall function 00967F41: _memmove.LIBCMT ref: 00967F82
      • Part of subcall function 009E0EA5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009DFE38,?,?), ref: 009E0EBC
    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009E0188
    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009E01C7
    • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 009E020E
    • RegCloseKey.ADVAPI32(?,?), ref: 009E023A
    • RegCloseKey.ADVAPI32(00000000), ref: 009E0247
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
    • String ID:
    • API String ID: 3440857362-0
    • Opcode ID: 78019531e34329feb97b169d8bb3a69e36e848f578e0af350cd1da0eb77ae8ae
    • Instruction ID: 8edac98be05f87af53d3b14d221b075b5884c1a0fb8c9d964a2e1b7884250d1e
    • Opcode Fuzzy Hash: 78019531e34329feb97b169d8bb3a69e36e848f578e0af350cd1da0eb77ae8ae
    • Instruction Fuzzy Hash: D3514831208244AFD705EFA5C895F6AB7E8FFC8314F04892DB5958B2A2DB74ED44CB52
    APIs
      • Part of subcall function 00969997: __itow.LIBCMT ref: 009699C2
      • Part of subcall function 00969997: __swprintf.LIBCMT ref: 00969A0C
    • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 009DDA3B
    • GetProcAddress.KERNEL32(00000000,?), ref: 009DDABE
    • GetProcAddress.KERNEL32(00000000,00000000), ref: 009DDADA
    • GetProcAddress.KERNEL32(00000000,?), ref: 009DDB1B
    • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 009DDB35
      • Part of subcall function 00965B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,009C793F,?,?,00000000), ref: 00965B8C
      • Part of subcall function 00965B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,009C793F,?,?,00000000,?,?), ref: 00965BB0
    Similarity
    • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
    • String ID:
    • API String ID: 327935632-0
    • Opcode ID: ead7eef95b596b856c5f4eb2029a43feb565c8002c68f071d1ba7497b8307013
    • Instruction ID: f8d3cf13672d8cb473b1fb2b23725a7b9374c34119b2271c6f8211c56d881380
    • Opcode Fuzzy Hash: ead7eef95b596b856c5f4eb2029a43feb565c8002c68f071d1ba7497b8307013
    • Instruction Fuzzy Hash: F2512835A44209DFCB00EFA8C4949ADB7F8FF99314B05C06AE859AB311DB34AD45CF90
    APIs
    • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 009CE6AB
    • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 009CE6D4
    • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 009CE713
      • Part of subcall function 00969997: __itow.LIBCMT ref: 009699C2
      • Part of subcall function 00969997: __swprintf.LIBCMT ref: 00969A0C
    • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 009CE738
    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 009CE740
    Similarity
    • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
    • String ID:
    • API String ID: 1389676194-0
    • Opcode ID: 547c5e13b43901327335cf4e09897621ae3e002188dab0f3705712693a663fe9
    • Instruction ID: d3c48fa547e5fec38a3e24445e48242bc14f5631ab92ba931f9ab2f3d6414997
    • Opcode Fuzzy Hash: 547c5e13b43901327335cf4e09897621ae3e002188dab0f3705712693a663fe9
    • Instruction Fuzzy Hash: 99510A35A00605DFCF01EF64C991EADBBF9EF48314B188099E94AAB361CB31ED11DB51
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 3e8dcdd8e4b86078a02c9d2a92cc3190fc71a24894df34c9f2ab82d8e35b5a73
    • Instruction ID: 5dff703675d11f8a8d1515cab298562ae47af4304ff75385c1e68ac85bbdb85d
    • Opcode Fuzzy Hash: 3e8dcdd8e4b86078a02c9d2a92cc3190fc71a24894df34c9f2ab82d8e35b5a73
    • Instruction Fuzzy Hash: EA41E235908284BFC721DF69CC84FA9BBA8EB19360F150165F816A72F1C730BE01DA51
    APIs
    • GetCursorPos.USER32(?), ref: 00962357
    • ScreenToClient.USER32(00A257B0,?), ref: 00962374
    • GetAsyncKeyState.USER32(00000001), ref: 00962399
    • GetAsyncKeyState.USER32(00000002), ref: 009623A7
    Similarity
    • API ID: AsyncState$ClientCursorScreen
    • String ID:
    • API String ID: 4210589936-0
    • Opcode ID: a1f1d17eeebf86d21318b680c19956693bb746282834e157cb0c5fa9d0a9e995
    • Instruction ID: 6d1efa5489a5b334d7863cf16ea91bec20e44a6119d58d3f35aaae06ab80f989
    • Opcode Fuzzy Hash: a1f1d17eeebf86d21318b680c19956693bb746282834e157cb0c5fa9d0a9e995
    • Instruction Fuzzy Hash: B441A175908209FBDF259F68CC44EE9BB74FB55760F10436AF82496291C7346D90DF90
    APIs
    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009B673D
    • TranslateAcceleratorW.USER32(?,?,?), ref: 009B6789
    • TranslateMessage.USER32(?), ref: 009B67B2
    • DispatchMessageW.USER32(?), ref: 009B67BC
    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009B67CB
    Similarity
    • API ID: Message$PeekTranslate$AcceleratorDispatch
    • String ID:
    • API String ID: 2108273632-0
    • Opcode ID: 0c5b6ebc81a82a93f2be2380aa7a795169cc2f43ba1bbd39bbf00c364cb25d5e
    • Instruction ID: d558d2886df85dc19b1edf248da70feb7e320ee3bb06e1c56d718ebfd63c7ac2
    • Opcode Fuzzy Hash: 0c5b6ebc81a82a93f2be2380aa7a795169cc2f43ba1bbd39bbf00c364cb25d5e
    • Instruction Fuzzy Hash: B131B431905646AFDB24CFB48D88FF67BACBB01728F140575E425C60A1EB39F946DB60
    APIs
    • GetWindowRect.USER32(?,?), ref: 009B8CF2
    • PostMessageW.USER32(?,00000201,00000001), ref: 009B8D9C
    • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 009B8DA4
    • PostMessageW.USER32(?,00000202,00000000), ref: 009B8DB2
    • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 009B8DBA
    Similarity
    • API ID: MessagePostSleep$RectWindow
    • String ID:
    • API String ID: 3382505437-0
    • Opcode ID: 8e44972ac7b36786ab7c7e52c0d64629eed2049f97c6f3a4c6f8e747cddc5b07
    • Instruction ID: 1aefc159cf553061448bba62d53a49f9a737339dbbbcefd4e94f8be89db5f6c4
    • Opcode Fuzzy Hash: 8e44972ac7b36786ab7c7e52c0d64629eed2049f97c6f3a4c6f8e747cddc5b07
    • Instruction Fuzzy Hash: A131C071500219EBDF14CF68DA8CADE3BB9EB98325F10462AF925EA1D0C7B09D14DB90
    APIs
    • IsWindowVisible.USER32(?), ref: 009BB4C6
    • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 009BB4E3
    • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 009BB51B
    • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 009BB541
    • _wcsstr.LIBCMT ref: 009BB54B
    Similarity
    • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
    • String ID:
    • API String ID: 3902887630-0
    • Opcode ID: da660d8a90575fe100c8134e3ae2cdbd017630eb34f2d1c51f9d510f0110dd63
    • Instruction ID: 78c81bda108861cba04c573aeb3c526af3550a199f4fb14e032d48ac5daa89ad
    • Opcode Fuzzy Hash: da660d8a90575fe100c8134e3ae2cdbd017630eb34f2d1c51f9d510f0110dd63
    • Instruction Fuzzy Hash: 5321DA32608144BFEB255B399D49EBB7B9DEF85760F00803AF905CA1E1EBE5DC4097A1
    APIs
      • Part of subcall function 00962612: GetWindowLongW.USER32(?,000000EB), ref: 00962623
    • GetWindowLongW.USER32(?,000000F0), ref: 009EB1C6
    • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 009EB1EB
    • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 009EB203
    • GetSystemMetrics.USER32(00000004), ref: 009EB22C
    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,009D0FA5,00000000), ref: 009EB24A
    Similarity
    • API ID: Window$Long$MetricsSystem
    • String ID:
    • API String ID: 2294984445-0
    • Opcode ID: d7895c9401d13dd956e1866113ab3e6f4d7775c41cc25e3292192edc492855e6
    • Instruction ID: ef8a900a125272e8673c41fde751d953a01916ccd680005ed961c58db918d708
    • Opcode Fuzzy Hash: d7895c9401d13dd956e1866113ab3e6f4d7775c41cc25e3292192edc492855e6
    • Instruction Fuzzy Hash: A3219131914696AFCB119F399C48B6A37A4FF55330F104635BA31D62E0E7309C11AB80
    APIs
    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 009B95E2
      • Part of subcall function 00967D2C: _memmove.LIBCMT ref: 00967D66
    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 009B9614
    • __itow.LIBCMT ref: 009B962C
    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 009B9654
    • __itow.LIBCMT ref: 009B9665
    Similarity
    • API ID: MessageSend$__itow$_memmove
    • String ID:
    • API String ID: 2983881199-0
    • Opcode ID: d01f7003108ce5d44ec9e8f313e6bcb56482bdcc9a0511e380be7e35eae131da
    • Instruction ID: 20cb31caf86261f72fddb08c765b7e7d724d63f02857120bb4f90f814e879f40
    • Opcode Fuzzy Hash: d01f7003108ce5d44ec9e8f313e6bcb56482bdcc9a0511e380be7e35eae131da
    • Instruction Fuzzy Hash: E721FC31B10258FBDB11ABA48D8AFEE7BACDF99B24F044025FE04DB291D6708D459791
    APIs
    • IsWindow.USER32(00000000), ref: 009D5B84
    • GetForegroundWindow.USER32 ref: 009D5B9B
    • GetDC.USER32(00000000), ref: 009D5BD7
    • GetPixel.GDI32(00000000,?,00000003), ref: 009D5BE3
    • ReleaseDC.USER32(00000000,00000003), ref: 009D5C1E
    Similarity
    • API ID: Window$ForegroundPixelRelease
    • String ID:
    • API String ID: 4156661090-0
    • Opcode ID: 1b6da0feed946a30022d912d676977f773afad40468a7bfe9948684f2111fb97
    • Instruction ID: 2a0728f722914b856b0214163f2722b9037bc796cd0af8fdfd63853a17842515
    • Opcode Fuzzy Hash: 1b6da0feed946a30022d912d676977f773afad40468a7bfe9948684f2111fb97
    • Instruction Fuzzy Hash: A2219235A04104EFDB00EF64CC98BAAB7E9EF88710F04C47AF84A97361CA34AD00DB50
    APIs
    • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0096134D
    • SelectObject.GDI32(?,00000000), ref: 0096135C
    • BeginPath.GDI32(?), ref: 00961373
    • SelectObject.GDI32(?,00000000), ref: 0096139C
    Similarity
    • API ID: ObjectSelect$BeginCreatePath
    • String ID:
    • API String ID: 3225163088-0
    • Opcode ID: 93e1170e34e02b68636f34c02f90fdf336ce9add3f8822a9ae7218290c5ecf33
    • Instruction ID: 316cf14f5c7890a570893ab9ab05fecc0d1b8787b5015e037388b24e425f7ec5
    • Opcode Fuzzy Hash: 93e1170e34e02b68636f34c02f90fdf336ce9add3f8822a9ae7218290c5ecf33
    • Instruction Fuzzy Hash: C6213130C04608DBDB21DFB9DD45B797BA8FB00321F184226E411966B0D7B59993EF50
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 009C4B61
    • __beginthreadex.LIBCMT ref: 009C4B7F
    • MessageBoxW.USER32(?,?,?,?), ref: 009C4B94
    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 009C4BAA
    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 009C4BB1
    Similarity
    • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
    • String ID:
    • API String ID: 3824534824-0
    • Opcode ID: 3e648cd46a372ffd59b5ad279e1d506881ba4b51f23b4a5a9df8b3beac894132
    • Instruction ID: ff0b0b1743441049955114481c64bd6aa7f3255a0340801eb7098233699b7542
    • Opcode Fuzzy Hash: 3e648cd46a372ffd59b5ad279e1d506881ba4b51f23b4a5a9df8b3beac894132
    • Instruction Fuzzy Hash: C111E172E08648FBC7109BB89C44FEF7FADAB45320F14426AF814D7291D671CD0187A2
    APIs
    • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 009B8546
    • GetLastError.KERNEL32(?,009B800A,?,?,?), ref: 009B8550
    • GetProcessHeap.KERNEL32(00000008,?,?,009B800A,?,?,?), ref: 009B855F
    • HeapAlloc.KERNEL32(00000000,?,009B800A,?,?,?), ref: 009B8566
    • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 009B857D
    Similarity
    • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
    • String ID:
    • API String ID: 842720411-0
    • Opcode ID: 287f4a6f03bea096b1b2d955aa72ec1422766e37049218fa35fd684d9d1e60de
    • Instruction ID: f6aac118756ed92f14b17f14697de83bd8e686014a836a0b538ce2f349f842f7
    • Opcode Fuzzy Hash: 287f4a6f03bea096b1b2d955aa72ec1422766e37049218fa35fd684d9d1e60de
    • Instruction Fuzzy Hash: 1401D170214248FFDB204FA6DC88CAB3FACFF8A761710016AF809C7260DA728C01DA60
    APIs
    • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009C5307
    • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 009C5315
    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 009C531D
    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 009C5327
    • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009C5363
    Similarity
    • API ID: PerformanceQuery$CounterSleep$Frequency
    • String ID:
    • API String ID: 2833360925-0
    • Opcode ID: 67956f860b4d81050bd0363aa789c05d2dd2600f07eb4e26d1d72e284832f5e7
    • Instruction ID: 3be10e9f5ec7c539477e76f067e6b3545beb8976303de801455f6cfc7b7f1827
    • Opcode Fuzzy Hash: 67956f860b4d81050bd0363aa789c05d2dd2600f07eb4e26d1d72e284832f5e7
    • Instruction Fuzzy Hash: DF016D31C19A5DDBCF049FE4E898AEDBB78FB09351F06045AE941F6240CF74699097A2
    APIs
    • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009B736C,80070057,?,?,?,009B777D), ref: 009B744F
    • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009B736C,80070057,?,?), ref: 009B746A
    • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009B736C,80070057,?,?), ref: 009B7478
    • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009B736C,80070057,?), ref: 009B7488
    • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009B736C,80070057,?,?), ref: 009B7494
    Similarity
    • API ID: From$Prog$FreeStringTasklstrcmpi
    • String ID:
    • API String ID: 3897988419-0
    • Opcode ID: 2de28bf3a3f0407611849825cff9107710d7b07f718d66c152f405ed218cff2b
    • Instruction ID: fdf7b239052fc4d8eca6f80dce08d2281cc4167093c943a7660f69a691e3ec64
    • Opcode Fuzzy Hash: 2de28bf3a3f0407611849825cff9107710d7b07f718d66c152f405ed218cff2b
    • Instruction Fuzzy Hash: 8D01D472615208BFDB104FA5DD48BEABFBEEB84762F104125FD09D6221E731DD00ABA0
    APIs
    • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 009B83E8
    • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 009B83F2
    • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 009B8401
    • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 009B8408
    • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 009B841E
    Similarity
    • API ID: HeapInformationToken$AllocErrorLastProcess
    • String ID:
    • API String ID: 44706859-0
    • Opcode ID: 7c02b9a4878ec4bfae375fd9c294b62438bad7edf04e0a2a633536fa6542f1be
    • Instruction ID: ea7a1ec090b721277ab9a9972daf7d796d14f3595738164e6ec5001c24122492
    • Opcode Fuzzy Hash: 7c02b9a4878ec4bfae375fd9c294b62438bad7edf04e0a2a633536fa6542f1be
    • Instruction Fuzzy Hash: AFF06831228245EFDB105FA5DCDDEA73BADEF8D765B00442AF945C6160CB71DC41EA60
    APIs
    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 009B8449
    • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 009B8453
    • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009B8462
    • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 009B8469
    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009B847F
    Similarity
    • API ID: HeapInformationToken$AllocErrorLastProcess
    • String ID:
    • API String ID: 44706859-0
    • Opcode ID: 8f684dd37e3843c4c500991bf8a4815e76b5fc97b350cd563678ea5d6c25379f
    • Instruction ID: e550cd2487fdc76f59d7115ba465bdecafd6c8edb331c833c4708cb379aa03a7
    • Opcode Fuzzy Hash: 8f684dd37e3843c4c500991bf8a4815e76b5fc97b350cd563678ea5d6c25379f
    • Instruction Fuzzy Hash: 14F06831214345AFDB111FA5DCD8EA73FADEF897A5B040126F945C71A0CB619D41EA60
    APIs
    • GetDlgItem.USER32(?,000003E9), ref: 009BC4B9
    • GetWindowTextW.USER32(00000000,?,00000100), ref: 009BC4D0
    • MessageBeep.USER32(00000000), ref: 009BC4E8
    • KillTimer.USER32(?,0000040A), ref: 009BC504
    • EndDialog.USER32(?,00000001), ref: 009BC51E
    Similarity
    • API ID: BeepDialogItemKillMessageTextTimerWindow
    • String ID:
    • API String ID: 3741023627-0
    • Opcode ID: a9b0ef26fdb909f705b1c8e795864ce75c215abda345fcd91c1eeb726739b3b0
    • Instruction ID: 6cd68273efb1e0a6f8a2dbd9ed9f2762aa78d12d76222082c1b81468530e8abf
    • Opcode Fuzzy Hash: a9b0ef26fdb909f705b1c8e795864ce75c215abda345fcd91c1eeb726739b3b0
    • Instruction Fuzzy Hash: 81016270518708ABEB305B60DD9EBA677B8FF00B15F00066AF586A51E1DBF4BE549B80
    APIs
    • EndPath.GDI32(?), ref: 009613BF
    • StrokeAndFillPath.GDI32(?,?,0099BA08,00000000,?), ref: 009613DB
    • SelectObject.GDI32(?,00000000), ref: 009613EE
    • DeleteObject.GDI32 ref: 00961401
    • StrokePath.GDI32(?), ref: 0096141C
    Similarity
    • API ID: Path$ObjectStroke$DeleteFillSelect
    • String ID:
    • API String ID: 2625713937-0
    • Opcode ID: 53f3bed7e459d766286168d233e2583f1e0e3334ecb40a3221643e34e7504502
    • Instruction ID: 5e10cfdf0e297b0b673d92df90028c6380904ef5b8b7ec4c2c0370d0f22d26da
    • Opcode Fuzzy Hash: 53f3bed7e459d766286168d233e2583f1e0e3334ecb40a3221643e34e7504502
    • Instruction Fuzzy Hash: 59F0CD30418648DBDB259F6AEC4D7683BA8BB01326F088235E429495F1C7754997EF50
    APIs
    • CoInitialize.OLE32(00000000), ref: 009CC4BE
    • CoCreateInstance.OLE32(009F2D6C,00000000,00000001,009F2BDC,?), ref: 009CC4D6
      • Part of subcall function 00967F41: _memmove.LIBCMT ref: 00967F82
    • CoUninitialize.OLE32 ref: 009CC743
    Strings
    Similarity
    • API ID: CreateInitializeInstanceUninitialize_memmove
    • String ID: .lnk
    • API String ID: 2683427295-24824748
    APIs
      • Part of subcall function 00980F36: std::exception::exception.LIBCMT ref: 00980F6C
      • Part of subcall function 00980F36: __CxxThrowException@8.LIBCMT ref: 00980F81
      • Part of subcall function 00967F41: _memmove.LIBCMT ref: 00967F82
      • Part of subcall function 00967BB1: _memmove.LIBCMT ref: 00967C0B
    • __swprintf.LIBCMT ref: 0097302D
    Strings
    • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00972EC6
    Similarity
    • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
    • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
    • API String ID: 1943609520-557222456
    APIs
      • Part of subcall function 009648AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009648A1,?,?,009637C0,?), ref: 009648CE
    • CoInitialize.OLE32(00000000), ref: 009CBA47
    • CoCreateInstance.OLE32(009F2D6C,00000000,00000001,009F2BDC,?), ref: 009CBA60
    • CoUninitialize.OLE32 ref: 009CBA7D
      • Part of subcall function 00969997: __itow.LIBCMT ref: 009699C2
      • Part of subcall function 00969997: __swprintf.LIBCMT ref: 00969A0C
    Similarity
    • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
    • String ID: .lnk
    • API String ID: 2126378814-24824748
    APIs
    • __startOneArgErrorHandling.LIBCMT ref: 0098521D
      • Part of subcall function 00990270: __87except.LIBCMT ref: 009902AB
    Similarity
    • API ID: ErrorHandling__87except__start
    • String ID: pow
    • API String ID: 2905807303-2276729525
    Similarity
    • API ID:
    • String ID: #$+
    • API String ID: 0-2552117581
    Similarity
    • API ID: _memset$_memmove
    • String ID: ERCP
    • API String ID: 2532777613-1384759551
    APIs
      • Part of subcall function 009C17ED: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009B9558,?,?,00000034,00000800,?,00000034), ref: 009C1817
    • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 009B9B01
      • Part of subcall function 009C17B8: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009B9587,?,?,00000800,?,00001073,00000000,?,?), ref: 009C17E2
      • Part of subcall function 009C170F: GetWindowThreadProcessId.USER32(?,?), ref: 009C173A
      • Part of subcall function 009C170F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,009B951C,00000034,?,?,00001004,00000000,00000000), ref: 009C174A
      • Part of subcall function 009C170F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,009B951C,00000034,?,?,00001004,00000000,00000000), ref: 009C1760
    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 009B9B6E
    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 009B9BBB
    Similarity
    • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
    • String ID: @
    • API String ID: 4150878124-2766056989
    APIs
    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,009EF910,00000000,?,?,?,?), ref: 009E7A11
    • GetWindowLongW.USER32 ref: 009E7A2E
    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 009E7A3E
    Similarity
    • API ID: Window$Long
    • String ID: SysTreeView32
    • API String ID: 847901565-1698111956
    APIs
    • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 009E7493
    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 009E74A7
    • SendMessageW.USER32(?,00001002,00000000,?), ref: 009E74CB
    Similarity
    • API ID: MessageSend$Window
    • String ID: SysMonthCal32
    • API String ID: 2326795674-1439706946
    APIs
    • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 009E7C7C
    • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 009E7C8A
    • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 009E7C91
    Similarity
    • API ID: MessageSend$DestroyWindow
    • String ID: msctls_updown32
    • API String ID: 4014797782-2298589950
    APIs
    • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 009E6D6D
    • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 009E6D7D
    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 009E6DA2
    Similarity
    • API ID: MessageSend$MoveWindow
    • String ID: Listbox
    • API String ID: 3315199576-2633736733
    APIs
    • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 009E77A4
    • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 009E77B9
    • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 009E77C6
    Similarity
    • API ID: MessageSend
    • String ID: msctls_trackbar32
    • API String ID: 3850602802-1010561917
    APIs
    • LoadLibraryA.KERNEL32(kernel32.dll,?,00964C2E), ref: 00964CA3
    • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00964CB5
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: GetNativeSystemInfo$kernel32.dll
    • API String ID: 2574300362-192647395
    APIs
    • LoadLibraryA.KERNEL32(kernel32.dll,?,00964CE1,?), ref: 00964DA2
    • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00964DB4
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
    • API String ID: 2574300362-1355242751
    APIs
    • LoadLibraryA.KERNEL32(kernel32.dll,?,00964D2E,?,00964F4F,?,00A252F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00964D6F
    • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00964D81
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
    • API String ID: 2574300362-3689287502
    APIs
    • LoadLibraryA.KERNEL32(advapi32.dll,?,009E10C1), ref: 009E0E80
    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 009E0E92
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: RegDeleteKeyExW$advapi32.dll
    • API String ID: 2574300362-4033151799
    APIs
    • LoadLibraryA.KERNEL32(kernel32.dll,00000001,009D8E09,?,009EF910), ref: 009D9203
    • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 009D9215
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: GetModuleHandleExW$kernel32.dll
    • API String ID: 2574300362-199464113
    Similarity
    • API ID: LocalTime__swprintf
    • String ID: %.3d$WIN_XPe
    • API String ID: 2070861257-2409531811
    APIs
    • CharLowerBuffW.USER32(?,?), ref: 009DE1D2
    • CharLowerBuffW.USER32(?,?), ref: 009DE215
      • Part of subcall function 009DD8B9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 009DD8D9
    • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 009DE415
    • _memmove.LIBCMT ref: 009DE428
    Similarity
    • API ID: BuffCharLower$AllocVirtual_memmove
    • String ID:
    • API String ID: 3659485706-0
    APIs
    • CoInitialize.OLE32(00000000), ref: 009D81D8
    • CoUninitialize.OLE32 ref: 009D81E3
      • Part of subcall function 009BD87B: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 009BD8E3
    • VariantInit.OLEAUT32(?), ref: 009D81EE
    • VariantClear.OLEAUT32(?), ref: 009D84BF
    Similarity
    • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
    • String ID:
    • API String ID: 780911581-0
    • Opcode ID: d27dcfa6537e0696e2f171f3b559d1697ad6f68945dec102fbe22a7d59b447b8
    • Instruction ID: 7378a5413bb62e08f0fbf4e73d5ace0b6028216c70de421bbcd4d0b80efaab55
    • Opcode Fuzzy Hash: d27dcfa6537e0696e2f171f3b559d1697ad6f68945dec102fbe22a7d59b447b8
    • Instruction Fuzzy Hash: BBA14C752447019FCB10DF58C491B2AB7E8BF88764F18885DF99A9B3A2CB34ED05CB46
    APIs
    • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,009F2C7C,?), ref: 009B7A12
    • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,009F2C7C,?), ref: 009B7A2A
    • CLSIDFromProgID.OLE32(?,?,00000000,009EFB80,000000FF,?,00000000,00000800,00000000,?,009F2C7C,?), ref: 009B7A4F
    • _memcmp.LIBCMT ref: 009B7A70
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: FromProg$FreeTask_memcmp
    • String ID:
    • API String ID: 314563124-0
    • Opcode ID: 8f46b2d92873b48fac73788901e7a65c87b85a3bbf5a0ce9e713891c7b8e095f
    • Instruction ID: eb0b9e64f0dbbca7727df21295b00ff94c01cbc743b9b373f7d34974c867e1a8
    • Opcode Fuzzy Hash: 8f46b2d92873b48fac73788901e7a65c87b85a3bbf5a0ce9e713891c7b8e095f
    • Instruction Fuzzy Hash: 6681F871A00109EFCB04DFD4C988EEEB7B9FF89315F204599E516AB250DB71AE06CB60
    APIs
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Variant$AllocClearCopyInitString
    • String ID:
    • API String ID: 2808897238-0
    • Opcode ID: 651f483770d2af70f93ad2ff5deeb49d1d8e1c27b57977044ea589ec45dc3df4
    • Instruction ID: 8d917b86af2f4059324b2821785a706774f075290e8576b065179f2c798ee598
    • Opcode Fuzzy Hash: 651f483770d2af70f93ad2ff5deeb49d1d8e1c27b57977044ea589ec45dc3df4
    • Instruction Fuzzy Hash: D15189307043419BDB20AF69D995BA9F7E9EFC4320F248C2FE596CB2D1DB78A8409715
    APIs
    • GetWindowRect.USER32(?,?), ref: 009E9895
    • ScreenToClient.USER32(00000002,00000002), ref: 009E98C8
    • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 009E9935
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Window$ClientMoveRectScreen
    • String ID:
    • API String ID: 3880355969-0
    • Opcode ID: aeff8f9c030be4b311d1358fb3cd5d42b64c7639bd983c7640557b643ea2fc67
    • Instruction ID: 04d65fb9859a3b8706be2bdbae8c0e441c5623937e26baf1b1ec94be8e17a589
    • Opcode Fuzzy Hash: aeff8f9c030be4b311d1358fb3cd5d42b64c7639bd983c7640557b643ea2fc67
    • Instruction Fuzzy Hash: 27515234900149EFCF25DF69D880ABE7BBAFF85320F108169F8559B2A1D771AD81DB90
    APIs
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: __flsbuf__flush__getptd_noexit__write_memmove
    • String ID:
    • API String ID: 2782032738-0
    • Opcode ID: 9d32a0cca31c7bb2b15b74915ad5c68f9b5270e2a37dcfa491c5b6f8e1a60b1a
    • Instruction ID: 9bdf2a085acbe8726ca2e851f4fbf0227d4b9070ca2ebf4fcb75d33c75571bd4
    • Opcode Fuzzy Hash: 9d32a0cca31c7bb2b15b74915ad5c68f9b5270e2a37dcfa491c5b6f8e1a60b1a
    • Instruction Fuzzy Hash: 3541E731A047479FDF28EF69C88096F7BAAAF84760B24853DE855C7740E675DD408B40
    APIs
    • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 009B9D94
    • __itow.LIBCMT ref: 009B9DC5
      • Part of subcall function 009BA015: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 009BA080
    • SendMessageW.USER32(?,0000110A,00000001,?), ref: 009B9E2E
    • __itow.LIBCMT ref: 009B9E85
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: MessageSend$__itow
    • String ID:
    • API String ID: 3379773720-0
    • Opcode ID: 7e6871bbccf4c6e8d21da26fb8a2424d5780a5e4ed4d8f867575e492bf146c06
    • Instruction ID: 2c4f556a6f48c45a39a4d0da0d9fa70ff018c9d71c2c991476de906d4d434912
    • Opcode Fuzzy Hash: 7e6871bbccf4c6e8d21da26fb8a2424d5780a5e4ed4d8f867575e492bf146c06
    • Instruction Fuzzy Hash: C9418674A00308ABDF21EF94CD85BEEBBB9EF85764F040059FA0567291DB749E44CBA1
    APIs
    • socket.WSOCK32(00000002,00000002,00000011), ref: 009D6AE7
    • WSAGetLastError.WSOCK32(00000000), ref: 009D6AF7
      • Part of subcall function 00969997: __itow.LIBCMT ref: 009699C2
      • Part of subcall function 00969997: __swprintf.LIBCMT ref: 00969A0C
    • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 009D6B5B
    • WSAGetLastError.WSOCK32(00000000), ref: 009D6B67
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: ErrorLast$__itow__swprintfsocket
    • String ID:
    • API String ID: 2214342067-0
    • Opcode ID: 21454a9d4f06d443f204638e877ba7d09703a20d1fada4ae3aba8bb1f90cba82
    • Instruction ID: 20d008c233f7d19363fa3a7988a2b272a30f4e96ef1cd2e48d0bb9d1e548e2d7
    • Opcode Fuzzy Hash: 21454a9d4f06d443f204638e877ba7d09703a20d1fada4ae3aba8bb1f90cba82
    • Instruction Fuzzy Hash: 0341A235740200AFEB20AF68DC96F3A77E9AF84B10F44C519FA5A9F3D2DA759D008791
    APIs
    • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,009EF910), ref: 009D65BD
    • _strlen.LIBCMT ref: 009D65EF
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: _strlen
    • String ID:
    • API String ID: 4218353326-0
    • Opcode ID: 242c35dbc8942dea18bcb2fb7c9e265edf2fdc16e42c856b91178c5a2f4dc1ce
    • Instruction ID: 87a444a115a702555e150415522cf2d7d87079bc6d63028f3c48e1c85273cfbf
    • Opcode Fuzzy Hash: 242c35dbc8942dea18bcb2fb7c9e265edf2fdc16e42c856b91178c5a2f4dc1ce
    • Instruction Fuzzy Hash: 9041B331A40104ABCB14EBA4DDD1FAEB7A9EF84310F54C15AF91A9B392DB30ED00CB51
    APIs
    • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 009CB92A
    • GetLastError.KERNEL32(?,00000000), ref: 009CB950
    • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 009CB975
    • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 009CB9A1
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: CreateHardLink$DeleteErrorFileLast
    • String ID:
    • API String ID: 3321077145-0
    • Opcode ID: d38674c7dfdcd78d55d2b68318c5766b64e0068d0349eded1daa535802b3ab87
    • Instruction ID: 16d4d4389c811d6ef98f1214cc517fffd97a04f7b27d75b94ac3ccb170c14edd
    • Opcode Fuzzy Hash: d38674c7dfdcd78d55d2b68318c5766b64e0068d0349eded1daa535802b3ab87
    • Instruction Fuzzy Hash: F1411739600650DFCF10EF19C595B59BBE9EF89314F098089E95A9B762CB34FD00DB92
    APIs
    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009E8910
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: InvalidateRect
    • String ID:
    • API String ID: 634782764-0
    • Opcode ID: 27a8f113861fd67eea8582a26ef355528856568b5aea50b019627148116045b7
    • Instruction ID: cc820ed96fb96cabc540250fed1473d332ad3dcf6cbbac133a511a501dca913b
    • Opcode Fuzzy Hash: 27a8f113861fd67eea8582a26ef355528856568b5aea50b019627148116045b7
    • Instruction Fuzzy Hash: 8731F630A00188BFEF228BDACC95BBE3769FB05310F504522FA59E62E2CF30DD409652
    APIs
    • ClientToScreen.USER32(?,?), ref: 009EAB92
    • GetWindowRect.USER32(?,?), ref: 009EAC08
    • PtInRect.USER32(?,?,009EC07E), ref: 009EAC18
    • MessageBeep.USER32(00000000), ref: 009EAC89
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Rect$BeepClientMessageScreenWindow
    • String ID:
    • API String ID: 1352109105-0
    • Opcode ID: 8de233077a46b9ab0aeab635c7f6dcf4839f81aee1765634d406bb096167488d
    • Instruction ID: ea12011ce4d95ab546124eb158cf976b6c5de8b46f0309bf210f36d062656ce1
    • Opcode Fuzzy Hash: 8de233077a46b9ab0aeab635c7f6dcf4839f81aee1765634d406bb096167488d
    • Instruction Fuzzy Hash: E3415E30A04599DFCB12CF5AC884B697BF5FB49710F2481A9E4949B271D730FC46DB92
    APIs
    • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 009C0E58
    • SetKeyboardState.USER32(00000080,?,00000001), ref: 009C0E74
    • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 009C0EDA
    • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 009C0F2C
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: KeyboardState$InputMessagePostSend
    • String ID:
    • API String ID: 432972143-0
    • Opcode ID: 183bf174207f1c52568dca55406b212306b9a9f1c4074950a098902fd957248c
    • Instruction ID: 6c65f88d597ccb91263eb4309ddf1228484044a27690a695f7ba619e2bf18cd8
    • Opcode Fuzzy Hash: 183bf174207f1c52568dca55406b212306b9a9f1c4074950a098902fd957248c
    • Instruction Fuzzy Hash: 3A314430D84218EAFB308A248818FFEBBA9EBC9320F184A1EF190531D1C3758D819763
    APIs
    • GetKeyboardState.USER32(?,7707C0D0,?,00008000), ref: 009C0F97
    • SetKeyboardState.USER32(00000080,?,00008000), ref: 009C0FB3
    • PostMessageW.USER32(00000000,00000101,00000000), ref: 009C1012
    • SendInput.USER32(00000001,?,0000001C,7707C0D0,?,00008000), ref: 009C1064
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: KeyboardState$InputMessagePostSend
    • String ID:
    • API String ID: 432972143-0
    • Opcode ID: aeb800ca9de55205063a65b97b229585651f4b17fd6eb01558ccebb83270da40
    • Instruction ID: 750d9b4713efaed8f8088474a4b3103fcc7ea58f7a30689716dafa5be5554c53
    • Opcode Fuzzy Hash: aeb800ca9de55205063a65b97b229585651f4b17fd6eb01558ccebb83270da40
    • Instruction Fuzzy Hash: 8E314830D40298DEFF34CA248809FFABB6DAB8A310F04421EF491522D2C3788DD19767
    APIs
    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0099637B
    • __isleadbyte_l.LIBCMT ref: 009963A9
    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 009963D7
    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0099640D
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
    • String ID:
    • API String ID: 3058430110-0
    • Opcode ID: 93b17fde8632476438a491a4c2720027555d7c20dbaa5508d73e5e7e8f2d0e44
    • Instruction ID: 98f1ba237c0fb2c5a8812d4d4711183f40404ea81b3d9049a669b61928711d9c
    • Opcode Fuzzy Hash: 93b17fde8632476438a491a4c2720027555d7c20dbaa5508d73e5e7e8f2d0e44
    • Instruction Fuzzy Hash: E2316F31604286EFDF259F79C886BAA7FA9FF41310F154529E8548B1A1E731D850DB60
    APIs
    • GetForegroundWindow.USER32 ref: 009E4F6B
      • Part of subcall function 009C3685: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 009C369F
      • Part of subcall function 009C3685: GetCurrentThreadId.KERNEL32 ref: 009C36A6
      • Part of subcall function 009C3685: AttachThreadInput.USER32(00000000,?,009C50AC), ref: 009C36AD
    • GetCaretPos.USER32(?), ref: 009E4F7C
    • ClientToScreen.USER32(00000000,?), ref: 009E4FB7
    • GetForegroundWindow.USER32 ref: 009E4FBD
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
    • String ID:
    • API String ID: 2759813231-0
    • Opcode ID: b767c7e86731bdf0a6ff8b68aa07a8ab8de3b2a7f8d12570679e7ee656fa5e7a
    • Instruction ID: e5b126b7f79f2046658241cb6b6a016886194226fec7e52b690a6f3a43bdf987
    • Opcode Fuzzy Hash: b767c7e86731bdf0a6ff8b68aa07a8ab8de3b2a7f8d12570679e7ee656fa5e7a
    • Instruction Fuzzy Hash: 9A313E72D00108AFDB00EFA5C985AEFB7FDEF98304F11806AE505E7251EA759E45CBA1
    APIs
    • CreateToolhelp32Snapshot.KERNEL32 ref: 009C3CBE
    • Process32FirstW.KERNEL32(00000000,?), ref: 009C3CCC
    • Process32NextW.KERNEL32(00000000,?), ref: 009C3CEC
    • CloseHandle.KERNEL32(00000000), ref: 009C3D96
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
    • String ID:
    • API String ID: 420147892-0
    • Opcode ID: b04c72fcfe762de1b21db81f71da69888713f55f807a2ebffab40c8813e334a5
    • Instruction ID: adaf79e17d6ab0fa6eb29a16b51e91e011bc7596a761345dbafb806cb052ab87
    • Opcode Fuzzy Hash: b04c72fcfe762de1b21db81f71da69888713f55f807a2ebffab40c8813e334a5
    • Instruction Fuzzy Hash: 39319F315083419FC300EF50C895FAFBBE8AFD5344F14492DF482861A1EB70AA49CB93
    APIs
      • Part of subcall function 00962612: GetWindowLongW.USER32(?,000000EB), ref: 00962623
    • GetCursorPos.USER32(?), ref: 009EC53C
    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0099BB2B,?,?,?,?,?), ref: 009EC551
    • GetCursorPos.USER32(?), ref: 009EC59E
    • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0099BB2B,?,?,?), ref: 009EC5D8
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Cursor$LongMenuPopupProcTrackWindow
    • String ID:
    • API String ID: 2864067406-0
    • Opcode ID: d3fb29d687891114967a0687ba251a85f554b64dff7749e5bac41e42cf5de540
    • Instruction ID: 849529a23bac0208c156969817b4e357d9ea3b60c7805f4acf9116bd7cdd7c63
    • Opcode Fuzzy Hash: d3fb29d687891114967a0687ba251a85f554b64dff7749e5bac41e42cf5de540
    • Instruction Fuzzy Hash: 2331F575600558AFCB22CF59C898EFA7BF9FB49310F004065F8458B261CB31AD52EFA0
    APIs
    • _memset.LIBCMT ref: 00997C9A
    • WideCharToMultiByte.KERNEL32(?,?,?,00000001,000000FE,?,?,?), ref: 00997CF7
    • GetLastError.KERNEL32(?,?,00000001,000000FE,?,?,?), ref: 00997D13
    • _memset.LIBCMT ref: 00997D29
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: _memset$ByteCharErrorLastMultiWide
    • String ID:
    • API String ID: 773584764-0
    • Opcode ID: 9f3df4daa5a0f629f0a5ad4d28e2e9c7a2002b0532e8201271b447773fbe6dc6
    • Instruction ID: bce8794fad343a1ac6e670b83650ddcf8a6809ee72ba8016747e9104ecc89cfa
    • Opcode Fuzzy Hash: 9f3df4daa5a0f629f0a5ad4d28e2e9c7a2002b0532e8201271b447773fbe6dc6
    • Instruction Fuzzy Hash: C721C771628251AFDF315F9AD984BAABB68EF91711F084069FC854A341EF718D00CBB1
    APIs
      • Part of subcall function 009B8432: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 009B8449
      • Part of subcall function 009B8432: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 009B8453
      • Part of subcall function 009B8432: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009B8462
      • Part of subcall function 009B8432: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 009B8469
      • Part of subcall function 009B8432: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009B847F
    • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 009B89CB
    • _memcmp.LIBCMT ref: 009B89EE
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 009B8A24
    • HeapFree.KERNEL32(00000000), ref: 009B8A2B
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
    • String ID:
    • API String ID: 1592001646-0
    • Opcode ID: e67245022a219b278a684b9bda11d544cfb87744dc90c4e275a25cd492857f79
    • Instruction ID: a848e97aaadfc3dfa361de95b0dc86c41ef402646ff53a5ae1ad301cde76efe0
    • Opcode Fuzzy Hash: e67245022a219b278a684b9bda11d544cfb87744dc90c4e275a25cd492857f79
    • Instruction Fuzzy Hash: D5216971E40109EBDB10DFA4CA45BEEB7BCEF49325F15805AE454AB240EB30AA05DF51
    APIs
    • __setmode.LIBCMT ref: 00980B2E
      • Part of subcall function 00965B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,009C793F,?,?,00000000), ref: 00965B8C
      • Part of subcall function 00965B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,009C793F,?,?,00000000,?,?), ref: 00965BB0
    • _fprintf.LIBCMT ref: 00980B65
    • OutputDebugStringW.KERNEL32(?), ref: 009B6111
      • Part of subcall function 00984C1A: _flsall.LIBCMT ref: 00984C33
    • __setmode.LIBCMT ref: 00980B9A
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
    • String ID:
    • API String ID: 521402451-0
    • Opcode ID: 4da2a1cf33b2d13042c42f7236353f5ca450c10b2be11aa9bed18bbdc69907f7
    • Instruction ID: b39df01d5b83d2f4a0f6ca037027a3a4a3d04e918b88688fc9a60d6b7cfb5c00
    • Opcode Fuzzy Hash: 4da2a1cf33b2d13042c42f7236353f5ca450c10b2be11aa9bed18bbdc69907f7
    • Instruction Fuzzy Hash: 4911E4329046057ADB04B7B89C42FBE7B6DAFC1320F14002AF114A73D2EE25584647A5
    APIs
    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 009D18B9
      • Part of subcall function 009D1943: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 009D1962
      • Part of subcall function 009D1943: InternetCloseHandle.WININET(00000000), ref: 009D19FF
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Internet$CloseConnectHandleOpen
    • String ID:
    • API String ID: 1463438336-0
    • Opcode ID: ef61da351fa5d1c3bb6ecc58eaeedcc9c38a3e8bb645f0b72ce7f17e915978a2
    • Instruction ID: 3e50671816939a7e2e88a83f61f3781bd2f9b4e74f55e0716aa893fec2d9a05b
    • Opcode Fuzzy Hash: ef61da351fa5d1c3bb6ecc58eaeedcc9c38a3e8bb645f0b72ce7f17e915978a2
    • Instruction Fuzzy Hash: 7D21A176284605BFEB159F609C20F7AB7ADFF89700F10842BFA1596750DB71D811A790
    APIs
    • GetFileAttributesW.KERNEL32(?,009EFAC0), ref: 009C3AA8
    • GetLastError.KERNEL32 ref: 009C3AB7
    • CreateDirectoryW.KERNEL32(?,00000000), ref: 009C3AC6
    • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,009EFAC0), ref: 009C3B23
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: CreateDirectory$AttributesErrorFileLast
    • String ID:
    • API String ID: 2267087916-0
    • Opcode ID: b8008b3047db26a38428a2e0788f37f724861bf2236cded1da2c67d3098ad916
    • Instruction ID: b436862070068b77a27b0f9010f669a15024db11863485f401dc3590a347b7fb
    • Opcode Fuzzy Hash: b8008b3047db26a38428a2e0788f37f724861bf2236cded1da2c67d3098ad916
    • Instruction Fuzzy Hash: BA2194309082019FC700DF24C990E6AB7E8EF99754F14CA2EF499C72A1DB319E05CB93
    APIs
    • GetWindowLongW.USER32(?,000000EC), ref: 009E5DE9
    • SetWindowLongW.USER32(?,000000EC,00000000), ref: 009E5E03
    • SetWindowLongW.USER32(?,000000EC,00000000), ref: 009E5E11
    • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 009E5E1F
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Window$Long$AttributesLayered
    • String ID:
    • API String ID: 2169480361-0
    • Opcode ID: 2bb72f69021fed74dd04fe13fd6c277e089087c104407176b52556c9ac866950
    • Instruction ID: 8aa35cb265dca2d691b74a408d0d536739611bb8c5bc49786f2dd89f8433821e
    • Opcode Fuzzy Hash: 2bb72f69021fed74dd04fe13fd6c277e089087c104407176b52556c9ac866950
    • Instruction Fuzzy Hash: 9011D031204950AFDB15AB18CC69FBA779DEF85324F154519F816CB2E1CB74AD40CB94
    APIs
    • _free.LIBCMT ref: 00995281
      • Part of subcall function 0098588C: __FF_MSGBANNER.LIBCMT ref: 009858A3
      • Part of subcall function 0098588C: __NMSG_WRITE.LIBCMT ref: 009858AA
      • Part of subcall function 0098588C: RtlAllocateHeap.NTDLL(00A40000,00000000,00000001,00000000,?,?,?,00980F53,?), ref: 009858CF
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: AllocateHeap_free
    • String ID:
    • API String ID: 614378929-0
    • Opcode ID: 1de1420acdf9105a693fc738bba563e2e7d3c843be308d36bfc589c502032a8e
    • Instruction ID: 72f9d0cecce97304536c482556dec149b5e3c8dbe33c55cfea127a67d5acc80a
    • Opcode Fuzzy Hash: 1de1420acdf9105a693fc738bba563e2e7d3c843be308d36bfc589c502032a8e
    • Instruction Fuzzy Hash: EF112932505A15AFCF323FB8BC0576F3B9CAF813A0B21493AF9549A250DE388D4087A0
    APIs
    • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 009C3ED6
    • _memset.LIBCMT ref: 009C3EF7
    • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 009C3F49
    • CloseHandle.KERNEL32(00000000), ref: 009C3F52
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: CloseControlCreateDeviceFileHandle_memset
    • String ID:
    • API String ID: 1157408455-0
    • Opcode ID: e65bb4a98f9c47e5a78f593cf93a1216f9f69277c2bf78b08dcb0e3576d5730c
    • Instruction ID: 399817c8c8db5d1f90403389af3f672aa94e0d6b6ac88221ffed5d2796500e61
    • Opcode Fuzzy Hash: e65bb4a98f9c47e5a78f593cf93a1216f9f69277c2bf78b08dcb0e3576d5730c
    • Instruction Fuzzy Hash: 8B11AB75D01228BAD7309B659C4DFABBB7CEF45760F1085AAF908D7280D6744F40CBA5
    APIs
      • Part of subcall function 00965B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,009C793F,?,?,00000000), ref: 00965B8C
      • Part of subcall function 00965B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,009C793F,?,?,00000000,?,?), ref: 00965BB0
    • gethostbyname.WSOCK32(?,?,?), ref: 009D64AF
    • WSAGetLastError.WSOCK32(00000000), ref: 009D64BA
    • _memmove.LIBCMT ref: 009D64E7
    • inet_ntoa.WSOCK32(?), ref: 009D64F2
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
    • String ID:
    • API String ID: 1504782959-0
    • Opcode ID: d9664ecafdc43409cf694f5db0c8f537485bc6f014357039e6e046496c5ba28c
    • Instruction ID: 4310ef2216f46335b7519bc3ddaceadb66486432787e579c31a7eb46924b055e
    • Opcode Fuzzy Hash: d9664ecafdc43409cf694f5db0c8f537485bc6f014357039e6e046496c5ba28c
    • Instruction Fuzzy Hash: 31114231900108AFCB04FBA4DD96EEEB7BCAF84310B148066F506A7262DF31AE14DB61
    APIs
    • SendMessageW.USER32(?,000000B0,?,?), ref: 009B8E23
    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 009B8E35
    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 009B8E4B
    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 009B8E66
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: MessageSend
    • String ID:
    • API String ID: 3850602802-0
    • Opcode ID: dfd55134cce12b1282c1c9e5be0c256832d289c9ba4464f4f15b1f77a99665e6
    • Instruction ID: 4f07f109255e488d51f662d3ef87c13f69a117b029c5d53aaf6ca54909168bd1
    • Opcode Fuzzy Hash: dfd55134cce12b1282c1c9e5be0c256832d289c9ba4464f4f15b1f77a99665e6
    • Instruction Fuzzy Hash: 8A111879901218FFEB11EFA5C985EDEBBB8FB48710F204095E904B7290DA71AE11DB94
    APIs
      • Part of subcall function 00962612: GetWindowLongW.USER32(?,000000EB), ref: 00962623
    • DefDlgProcW.USER32(?,00000020,?), ref: 009612D8
    • GetClientRect.USER32(?,?), ref: 0099B77B
    • GetCursorPos.USER32(?), ref: 0099B785
    • ScreenToClient.USER32(?,?), ref: 0099B790
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Client$CursorLongProcRectScreenWindow
    • String ID:
    • API String ID: 4127811313-0
    • Opcode ID: f854bb0234a3607ebee56f7bb2321bba683e489e10c736d2349500d0baf6bad5
    • Instruction ID: 2a5c74c85c15330faa26fe8b919b7f58c345d0cf43845b5f6464954acae2037a
    • Opcode Fuzzy Hash: f854bb0234a3607ebee56f7bb2321bba683e489e10c736d2349500d0baf6bad5
    • Instruction Fuzzy Hash: 9D113635A10059EFCB10EFA8D8999FE77B8FB45300F404866FA11E7251C730BE559BA5
    APIs
    • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00961D73
    • GetStockObject.GDI32(00000011), ref: 00961D87
    • SendMessageW.USER32(00000000,00000030,00000000), ref: 00961D91
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: CreateMessageObjectSendStockWindow
    • String ID:
    • API String ID: 3970641297-0
    • Opcode ID: 37bcff029a5428746077dc31ca70f8e54dc59224ea4b8f1d8351a65ec4574f72
    • Instruction ID: f48757cb20dd4dfc365c93ae3667c9558ce170a0453c490b4fa49ef39a4e72b0
    • Opcode Fuzzy Hash: 37bcff029a5428746077dc31ca70f8e54dc59224ea4b8f1d8351a65ec4574f72
    • Instruction Fuzzy Hash: F611D272501658BFEF128F94DCA0EEA7B6EFF08364F080116FA0456060C731DC60EBA0
    APIs
    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,009C001E,?,009C1071,?,00008000), ref: 009C1490
    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,009C001E,?,009C1071,?,00008000), ref: 009C14B5
    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,009C001E,?,009C1071,?,00008000), ref: 009C14BF
    • Sleep.KERNEL32(?,?,?,?,?,?,?,009C001E,?,009C1071,?,00008000), ref: 009C14F2
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: CounterPerformanceQuerySleep
    • String ID:
    • API String ID: 2875609808-0
    • Opcode ID: 278587f78de6d54cd32c9f0a01a490f4c009e96a2b808779a7fdb2e856e6eef9
    • Instruction ID: 6d29d2113db3a61d3d711307d0bb89a70e995de25c679d3d943f96f2146edbbb
    • Opcode Fuzzy Hash: 278587f78de6d54cd32c9f0a01a490f4c009e96a2b808779a7fdb2e856e6eef9
    • Instruction Fuzzy Hash: 70117C31C0452DDBCF049FA5D998FEEBB78FF0A711F01415AE940B6291CB349960DB9A
    APIs
    • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 009BDB5C
    • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 009BDB73
    • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 009BDB88
    • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 009BDBA6
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Type$Register$FileLoadModuleNameUser
    • String ID:
    • API String ID: 1352324309-0
    • Opcode ID: 68980987ce4f7ece471f0b97f415522dcc0b59ac0fc0a140bc863d5a6c476d0a
    • Instruction ID: a3f48a69c4cb487714a83829ae0828e98b5262eaae2eb0b999a9dbbbaf5cb6bf
    • Opcode Fuzzy Hash: 68980987ce4f7ece471f0b97f415522dcc0b59ac0fc0a140bc863d5a6c476d0a
    • Instruction Fuzzy Hash: 5A11C471206328EBE3208F10DD8CFD7BBBCEF00B10F11896AA556C6090E7B4E954EB61
    APIs
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
    • String ID:
    • API String ID: 3016257755-0
    • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
    • Instruction ID: 6b876651b8669bde962de6fd909b6cf8ef40a989a3cc0d579a9e3154b52c6b07
    • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
    • Instruction Fuzzy Hash: 70015A3206814EBBCF265EC8CC45CEE7F2ABF18394B598415FE5858131DB36C9B1AB81
    APIs
    • GetWindowRect.USER32(?,?), ref: 009EB318
    • ScreenToClient.USER32(?,?), ref: 009EB330
    • ScreenToClient.USER32(?,?), ref: 009EB354
    • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 009EB36F
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: ClientRectScreen$InvalidateWindow
    • String ID:
    • API String ID: 357397906-0
    • Opcode ID: 49767159bc74e7c50b975ba12be3a37fc5a74f3963673d08c554ef6dd8ce0f37
    • Instruction ID: 3ab2d61dab58f2a04223515e829edbe62a663a3bb81f3dc29fd0530bcc23dc1c
    • Opcode Fuzzy Hash: 49767159bc74e7c50b975ba12be3a37fc5a74f3963673d08c554ef6dd8ce0f37
    • Instruction Fuzzy Hash: CB1143B9D0424DEFDB41CFA9D8849EEBBB9FB08310F108166E914E3220D735AA559F90
    APIs
    • _memset.LIBCMT ref: 009EB678
    • _memset.LIBCMT ref: 009EB687
    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00A26F20,00A26F64), ref: 009EB6B6
    • CloseHandle.KERNEL32 ref: 009EB6C8
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: _memset$CloseCreateHandleProcess
    • String ID:
    • API String ID: 3277943733-0
    • Opcode ID: bdb14aafd85bd2453d1d83c31888f89b9ac5e619776c5ffaf9d9faad487d0f13
    • Instruction ID: c108f26440bd6b5fe09c6f4892aede3e72071f7c851492a3ca7eefbdb26d079f
    • Opcode Fuzzy Hash: bdb14aafd85bd2453d1d83c31888f89b9ac5e619776c5ffaf9d9faad487d0f13
    • Instruction Fuzzy Hash: 72F089B1641354BAE61067A9BD45F773A9CEB04754F004035BB08D5195D7715C01C7B8
    APIs
    • EnterCriticalSection.KERNEL32(?), ref: 009C6C8F
      • Part of subcall function 009C776D: _memset.LIBCMT ref: 009C77A2
    • _memmove.LIBCMT ref: 009C6CB2
    • _memset.LIBCMT ref: 009C6CBF
    • LeaveCriticalSection.KERNEL32(?), ref: 009C6CCF
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: CriticalSection_memset$EnterLeave_memmove
    • String ID:
    • API String ID: 48991266-0
    • Opcode ID: 107782ae11ad41db89394cc4e510289fc0f26aeb5b689cdcfd79d9197910e39c
    • Instruction ID: 111f5e7096f483f9f473bb9bd38165567bf6630a5697ca7280aa29091d41a43d
    • Opcode Fuzzy Hash: 107782ae11ad41db89394cc4e510289fc0f26aeb5b689cdcfd79d9197910e39c
    • Instruction Fuzzy Hash: 44F05E3A604104ABCF016F55DCC6F8ABB2AEF85320F04C065FE089E32AC731A911DBB5
    APIs
      • Part of subcall function 009612F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0096134D
      • Part of subcall function 009612F3: SelectObject.GDI32(?,00000000), ref: 0096135C
      • Part of subcall function 009612F3: BeginPath.GDI32(?), ref: 00961373
      • Part of subcall function 009612F3: SelectObject.GDI32(?,00000000), ref: 0096139C
    • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 009EBDAA
    • LineTo.GDI32(00000000,?,?), ref: 009EBDB7
    • EndPath.GDI32(00000000), ref: 009EBDC7
    • StrokePath.GDI32(00000000), ref: 009EBDD5
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
    • String ID:
    • API String ID: 1539411459-0
    • Opcode ID: 4001986db4e42f8c5332b1f89b505d1e8a245f58ea00ca6f33a34ac3573ae6b6
    • Instruction ID: c5db776e590c234e77da659c43b0da56c010ae7bee741447cc49b72a2c29c8c4
    • Opcode Fuzzy Hash: 4001986db4e42f8c5332b1f89b505d1e8a245f58ea00ca6f33a34ac3573ae6b6
    • Instruction Fuzzy Hash: BEF08232009699BBDB13AF95EC09FDE3F59BF05311F084111FA10650E287B55A52EF95
    APIs
    • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 009BA179
    • GetWindowThreadProcessId.USER32(?,00000000), ref: 009BA18C
    • GetCurrentThreadId.KERNEL32 ref: 009BA193
    • AttachThreadInput.USER32(00000000), ref: 009BA19A
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
    • String ID:
    • API String ID: 2710830443-0
    • Opcode ID: f059b49318e72783e2c9748f1c0232fd1e50b9b9c6ebc996e6d6e61373bacce7
    • Instruction ID: 607e23b981e46672385d6cf4cec3ed51133791832b9657eff93efb63cdbd2ae2
    • Opcode Fuzzy Hash: f059b49318e72783e2c9748f1c0232fd1e50b9b9c6ebc996e6d6e61373bacce7
    • Instruction Fuzzy Hash: 73E06D3114926CBBDB201FA2DD4CED73F1CEF26BB1F008026F508880A0C6718940DBB0
    APIs
    • GetSysColor.USER32(00000008), ref: 00962231
    • SetTextColor.GDI32(?,000000FF), ref: 0096223B
    • SetBkMode.GDI32(?,00000001), ref: 00962250
    • GetStockObject.GDI32(00000005), ref: 00962258
    • GetWindowDC.USER32(?,00000000), ref: 0099C003
    • GetPixel.GDI32(00000000,00000000,00000000), ref: 0099C010
    • GetPixel.GDI32(00000000,?,00000000), ref: 0099C029
    • GetPixel.GDI32(00000000,00000000,?), ref: 0099C042
    • GetPixel.GDI32(00000000,?,?), ref: 0099C062
    • ReleaseDC.USER32(?,00000000), ref: 0099C06D
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
    • String ID:
    • API String ID: 1946975507-0
    • Opcode ID: ec37a7c7534d8941c1b8591fb5b22d9496ccf548aa19b7a4b891299bfb0410c3
    • Instruction ID: 315fb7d3b7b126c4f1d2845887e3aa60365cdd3ceba6881bd9e71532b49fb1f7
    • Opcode Fuzzy Hash: ec37a7c7534d8941c1b8591fb5b22d9496ccf548aa19b7a4b891299bfb0410c3
    • Instruction Fuzzy Hash: 15E03031518184EAEF215F68FC5D7D83B24EB55336F008367FA69580E187724A94EB11
    APIs
    • GetCurrentThread.KERNEL32 ref: 009B8A43
    • OpenThreadToken.ADVAPI32(00000000,?,?,?,009B860E), ref: 009B8A4A
    • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,009B860E), ref: 009B8A57
    • OpenProcessToken.ADVAPI32(00000000,?,?,?,009B860E), ref: 009B8A5E
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: CurrentOpenProcessThreadToken
    • String ID:
    • API String ID: 3974789173-0
    • Opcode ID: 65b9be1a84873d1549864205b1cb2c1dda09233eb7c193515601290670890e9f
    • Instruction ID: 68bc62722923ba2a5eb30799f14954d6510c40a9f9a964c24ed3a7e43996c388
    • Opcode Fuzzy Hash: 65b9be1a84873d1549864205b1cb2c1dda09233eb7c193515601290670890e9f
    • Instruction Fuzzy Hash: 28E02672616210DFD7205FB06D0CB873BACEF547A2F004829B241DD040DA308945D710
    APIs
    • GetDesktopWindow.USER32 ref: 009A20B6
    • GetDC.USER32(00000000), ref: 009A20C0
    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 009A20E0
    • ReleaseDC.USER32(?), ref: 009A2101
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: CapsDesktopDeviceReleaseWindow
    • String ID:
    • API String ID: 2889604237-0
    • Opcode ID: b4ef88831e3ead30c22ee0dd793a2c5c338e8ca2a12f9fd1e1a864d761296cee
    • Instruction ID: 7ce023cb6c45d371ca7fc3c10e9c18d8effda3de85c12ff73c46b5090912d2d3
    • Opcode Fuzzy Hash: b4ef88831e3ead30c22ee0dd793a2c5c338e8ca2a12f9fd1e1a864d761296cee
    • Instruction Fuzzy Hash: 98E0E5B5814208EFDF019FA0C8586AD7BF5EB4C711F11C426F85A9B220CB388941AF40
    APIs
    • GetDesktopWindow.USER32 ref: 009A20CA
    • GetDC.USER32(00000000), ref: 009A20D4
    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 009A20E0
    • ReleaseDC.USER32(?), ref: 009A2101
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: CapsDesktopDeviceReleaseWindow
    • String ID:
    • API String ID: 2889604237-0
    • Opcode ID: 9c0a309c3d2dd92280b43558c19bfac89942004a3e241330a752f8b062521344
    • Instruction ID: a9ac51c648ff975ee3d968c3a962933ae0a7e8aab311d972e26d5a8077557117
    • Opcode Fuzzy Hash: 9c0a309c3d2dd92280b43558c19bfac89942004a3e241330a752f8b062521344
    • Instruction Fuzzy Hash: 5AE01AB5814208EFDF019FB0C85869D7BF5FB4C711F10C426F95A9B220CB389941AF40
    APIs
    • OleSetContainedObject.OLE32(?,00000001), ref: 009BB780
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: ContainedObject
    • String ID: AutoIt3GUI$Container
    • API String ID: 3565006973-3941886329
    • Opcode ID: c8485283a1349f2161aeadfc260bf024c6e1476c5987012bfd590cb7ebcc30b2
    • Instruction ID: 0620aee07bc1faa2dbe0c4b1808a63a49fe3c9931b6fe8b77ab044eff750cdac
    • Opcode Fuzzy Hash: c8485283a1349f2161aeadfc260bf024c6e1476c5987012bfd590cb7ebcc30b2
    • Instruction Fuzzy Hash: 67914870604601AFDB14DF64C994BAABBF9FF48720F10856DF94ACB691DBB0E840CB50
    APIs
      • Part of subcall function 0097FE06: _wcscpy.LIBCMT ref: 0097FE29
      • Part of subcall function 00969997: __itow.LIBCMT ref: 009699C2
      • Part of subcall function 00969997: __swprintf.LIBCMT ref: 00969A0C
    • __wcsnicmp.LIBCMT ref: 009CB0B9
    • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 009CB182
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
    • String ID: LPT
    • API String ID: 3222508074-1350329615
    • Opcode ID: b6388a3c778ab918885c6b196da4e9f674f1d44a8a8a35ad5b3d5e221b4a1780
    • Instruction ID: 50976579499364ababb2f4e7d6e9bf45087fc88f8756c2a2ae6d918fc4358878
    • Opcode Fuzzy Hash: b6388a3c778ab918885c6b196da4e9f674f1d44a8a8a35ad5b3d5e221b4a1780
    • Instruction Fuzzy Hash: 69618075E04215AFCB14DF98C892FAEB7B8AF48310F14445DF556AB391DB34AE40CB91
    APIs
    • Sleep.KERNEL32(00000000), ref: 00972AC8
    • GlobalMemoryStatusEx.KERNEL32(?), ref: 00972AE1
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: GlobalMemorySleepStatus
    • String ID: @
    • API String ID: 2783356886-2766056989
    • Opcode ID: 3ab7ec3102c8cfd5a109ff90673005533f4037aba70e7b36838b864b0cb73026
    • Instruction ID: e27f57986e3cbf3ead16784552f72bccd346fae5fecf6acb515dfa1e80f351bf
    • Opcode Fuzzy Hash: 3ab7ec3102c8cfd5a109ff90673005533f4037aba70e7b36838b864b0cb73026
    • Instruction Fuzzy Hash: F05136724187489BD320EF60D886BABBBECFBC4314F41885DF2D9511A1DB308529CB66
    APIs
      • Part of subcall function 0096506B: __fread_nolock.LIBCMT ref: 00965089
    • _wcscmp.LIBCMT ref: 009C98CD
    • _wcscmp.LIBCMT ref: 009C98E0
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: _wcscmp$__fread_nolock
    • String ID: FILE
    • API String ID: 4029003684-3121273764
    • Opcode ID: 6adafe7fb338828701fd30e92bd57b088337ad1decb5364cf8a1c3ad6c27be1a
    • Instruction ID: b15d4293642462429c1fdea8026432ce68754c8759ba641a05d639d2c2c312b6
    • Opcode Fuzzy Hash: 6adafe7fb338828701fd30e92bd57b088337ad1decb5364cf8a1c3ad6c27be1a
    • Instruction Fuzzy Hash: ED41F871A00609BADF209BA4CC8AFEF77BDEF85710F01046DB904A7181DA759D0587A1
    APIs
    • _memset.LIBCMT ref: 009D26B4
    • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 009D26EA
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: CrackInternet_memset
    • String ID: |
    • API String ID: 1413715105-2343686810
    • Opcode ID: 759d53bfedd3b89103ebb98fe35962f95ef8deafb9574c91efc2c4bf7a63784e
    • Instruction ID: dcb8f26e031f451967d8ad159f0fc17dcb3c5433b4b9746d17f522b2257e96af
    • Opcode Fuzzy Hash: 759d53bfedd3b89103ebb98fe35962f95ef8deafb9574c91efc2c4bf7a63784e
    • Instruction Fuzzy Hash: 32313A71800119AFCF11EFA0CC85EEEBFB9FF58314F10406AF819A6266DB315A56DB60
    APIs
    • SendMessageW.USER32(00000027,00001132,00000000,?), ref: 009E7B93
    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 009E7BA8
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: MessageSend
    • String ID: '
    • API String ID: 3850602802-1997036262
    • Opcode ID: b08ead25d7c8ec22be8a6ba71c50aedeb36ff8944840ce3b022b67034462590c
    • Instruction ID: 03cf9560f62ced7ecd93427c0e5ce1d86987ab4e8cba7aa8ae5f2750c1380bc4
    • Opcode Fuzzy Hash: b08ead25d7c8ec22be8a6ba71c50aedeb36ff8944840ce3b022b67034462590c
    • Instruction Fuzzy Hash: 7A410874A05349AFDB15CFA9D881BEABBB9FB09300F14056AE904EB391D770AD41CF91
    APIs
    • DestroyWindow.USER32(?,?,?,?), ref: 009E6B49
    • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 009E6B85
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Window$DestroyMove
    • String ID: static
    • API String ID: 2139405536-2160076837
    • Opcode ID: 802a4bac25e2351479dda976de1305bc37d11926add3b0a0a7817706ffbf55dc
    • Instruction ID: 2013bb97358def16d5ac6835f71f82558b61f4f9a0d6ccaa78b579d8e1501e4f
    • Opcode Fuzzy Hash: 802a4bac25e2351479dda976de1305bc37d11926add3b0a0a7817706ffbf55dc
    • Instruction Fuzzy Hash: 4031BC71100644AAEB11CF69CC80BFB73ADFF88760F048629F8A5D7190DB30AC81D760
    APIs
    • _memset.LIBCMT ref: 009C2C09
    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 009C2C44
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: InfoItemMenu_memset
    • String ID: 0
    • API String ID: 2223754486-4108050209
    • Opcode ID: 96fdb9c9bea8ba0e7d436f418919eb54337bb05be06c7b966eb8a0c95b8d66ed
    • Instruction ID: 681c8cbda17ef4daedc43109eed73c44d641fecc67a6d68ecf228184a6315680
    • Opcode Fuzzy Hash: 96fdb9c9bea8ba0e7d436f418919eb54337bb05be06c7b966eb8a0c95b8d66ed
    • Instruction Fuzzy Hash: C931D131E443099BDB349F58D985FAEBBB8FB46350F14406DE9C5A61A0D7709A44CB12
    APIs
    • __snwprintf.LIBCMT ref: 009D3B7C
      • Part of subcall function 00967F41: _memmove.LIBCMT ref: 00967F82
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: __snwprintf_memmove
    • String ID: , $$AUTOITCALLVARIABLE%d
    • API String ID: 3506404897-2584243854
    • Opcode ID: 0955420b51eb3eddf46078443754dc6977f375814555c02cada26fe594014470
    • Instruction ID: 80ac91d77a284aaa14468765208ab2ef39c9a4d31995a74a08983f3ac0ee43e9
    • Opcode Fuzzy Hash: 0955420b51eb3eddf46078443754dc6977f375814555c02cada26fe594014470
    • Instruction Fuzzy Hash: D0216631A40119ABCF11EFA4CC92FADB7A5BF84700F408496F405AB241DA39EE55CBA2
    APIs
    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 009E6793
    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009E679E
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: MessageSend
    • String ID: Combobox
    • API String ID: 3850602802-2096851135
    • Opcode ID: 8e7cd478f5f046f27170408390d62db2a9a398bb21603c280c5a6d46cfd8e5c7
    • Instruction ID: 28440186a60b56da22ccb4b30f57fb8a8b6fc4e20ecfbd0c893f19e202eea96a
    • Opcode Fuzzy Hash: 8e7cd478f5f046f27170408390d62db2a9a398bb21603c280c5a6d46cfd8e5c7
    • Instruction Fuzzy Hash: 611182756002487FEF22DF65CC90EBB376EEB983A8F104529F91497290D6329C5187A0
    APIs
      • Part of subcall function 00961D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00961D73
      • Part of subcall function 00961D35: GetStockObject.GDI32(00000011), ref: 00961D87
      • Part of subcall function 00961D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00961D91
    • GetWindowRect.USER32(00000000,?), ref: 009E6CA3
    • GetSysColor.USER32(00000012), ref: 009E6CBD
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Window$ColorCreateMessageObjectRectSendStock
    • String ID: static
    • API String ID: 1983116058-2160076837
    • Opcode ID: 9bccf9d5fbbb905a395861e43982c24f61413c0bd04222b90b53b62df41d8ecb
    • Instruction ID: 86f8354956eec17037e87dafef99f7e76dc4ff5d7253f1037077c94591882eb2
    • Opcode Fuzzy Hash: 9bccf9d5fbbb905a395861e43982c24f61413c0bd04222b90b53b62df41d8ecb
    • Instruction Fuzzy Hash: 50218972510209AFDB05DFA8CC45AFA7BB8FB48314F104629FA85D2240D635E850DB50
    APIs
    • GetWindowTextLengthW.USER32(00000000), ref: 009E69D4
    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 009E69E3
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: LengthMessageSendTextWindow
    • String ID: edit
    • API String ID: 2978978980-2167791130
    • Opcode ID: dd6de80a047a2746d295f542a972fbd554f968444d59218db759581ecaa59cf0
    • Instruction ID: aee299b1d0a4db39367df21c7446c3ea3ed66f3c088247595a69da5813babc92
    • Opcode Fuzzy Hash: dd6de80a047a2746d295f542a972fbd554f968444d59218db759581ecaa59cf0
    • Instruction Fuzzy Hash: A6119D71500184ABEB128F759C90ABB3B6DEB653B8F104724F9A0971D1C731AC819760
    APIs
    • _memset.LIBCMT ref: 009C2D1A
    • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 009C2D39
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: InfoItemMenu_memset
    • String ID: 0
    • API String ID: 2223754486-4108050209
    • Opcode ID: 6fcecf9f3d556debf5dc25b66d5dd488010f6d410ddea7dfcee01552b250548d
    • Instruction ID: efe75592345729a8cde47efb16b092a7ddfbede468928d54dc4ade3076521338
    • Opcode Fuzzy Hash: 6fcecf9f3d556debf5dc25b66d5dd488010f6d410ddea7dfcee01552b250548d
    • Instruction Fuzzy Hash: EA11B231D01214ABDB21DBACD884FAD77ADAB25310F144169FC56AB2E0D770AE06D7A2
    APIs
    • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 009D2342
    • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 009D236B
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: Internet$OpenOption
    • String ID: <local>
    • API String ID: 942729171-4266983199
    • Opcode ID: 37e246a40bb354f9934021fc804e6c5d95ed6cb15f4ad5f847667192488a2604
    • Instruction ID: 2d1bc83b10e362397914442eb833e63eff3a213bcafdf2763cfe96551b9526db
    • Opcode Fuzzy Hash: 37e246a40bb354f9934021fc804e6c5d95ed6cb15f4ad5f847667192488a2604
    • Instruction Fuzzy Hash: B111E070181265BADB288F518C84EFBFB6CFF25B51F10C52BF94556200E2786981D6F0
    APIs
      • Part of subcall function 009D810B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,009D7EC8,?,00000000,?,?), ref: 009D8122
    • inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 009D7ECB
    • htons.WSOCK32(00000000,?,00000000), ref: 009D7F08
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: ByteCharMultiWidehtonsinet_addr
    • String ID: 255.255.255.255
    • API String ID: 2496851823-2422070025
    • Opcode ID: 29aa74edde3e6663431e812f037d7f29a5afcf0e6fe5144820ff60abaf79c9f8
    • Instruction ID: 805209121fbe6e66a550f61c3d9c20d79c847323dae4348751562c5f4ceff908
    • Opcode Fuzzy Hash: 29aa74edde3e6663431e812f037d7f29a5afcf0e6fe5144820ff60abaf79c9f8
    • Instruction Fuzzy Hash: C611A535548215ABDB20AF98DC96FEEF364EF44320F10891BF911973D1EA71A8118751
    APIs
      • Part of subcall function 00967F41: _memmove.LIBCMT ref: 00967F82
      • Part of subcall function 009BAEA4: GetClassNameW.USER32(?,?,000000FF), ref: 009BAEC7
    • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 009B9135
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: ClassMessageNameSend_memmove
    • String ID: ComboBox$ListBox
    • API String ID: 372448540-1403004172
    • Opcode ID: 32cafa760f13e94c1067682e3726827d9f17ae03f3b77e27c947cbeb3a282734
    • Instruction ID: e333d4404293dfb1edc98b11125065bf3c696fc4029acc7d5563f44671500978
    • Opcode Fuzzy Hash: 32cafa760f13e94c1067682e3726827d9f17ae03f3b77e27c947cbeb3a282734
    • Instruction Fuzzy Hash: D7012431659219ABCB04FBA8CD95EFE7369FF46330B100A59F872573C2DE3559089620
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: __fread_nolock_memmove
    • String ID: EA06
    • API String ID: 1988441806-3962188686
    • Opcode ID: bba849d4f016baa7db7d58ee149822a4aca070b411e0762990e02ee71f3de10e
    • Instruction ID: 35f16ac18c874c69c7b97e6e673c0dee6ed8ff1095d995096b17940a13381c64
    • Opcode Fuzzy Hash: bba849d4f016baa7db7d58ee149822a4aca070b411e0762990e02ee71f3de10e
    • Instruction Fuzzy Hash: 8501B971D042187EDB28D6A8C856FEE7BF89B15701F00459EF552D2281E9B5A6088760
    APIs
      • Part of subcall function 00967F41: _memmove.LIBCMT ref: 00967F82
      • Part of subcall function 009BAEA4: GetClassNameW.USER32(?,?,000000FF), ref: 009BAEC7
    • SendMessageW.USER32(?,00000180,00000000,?), ref: 009B902D
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: ClassMessageNameSend_memmove
    • String ID: ComboBox$ListBox
    • API String ID: 372448540-1403004172
    • Opcode ID: 1407e4aa2544df497d7d03c6e488869942983b59e40ed68ca78a051c045e7aa4
    • Instruction ID: dec220c12f527ae2a6eef40fec3373921c0373420e20e52aa2c3e438225deda8
    • Opcode Fuzzy Hash: 1407e4aa2544df497d7d03c6e488869942983b59e40ed68ca78a051c045e7aa4
    • Instruction Fuzzy Hash: 3001A771A55108BBCB14E7A4CEA6EFFB3ACDF45350F140059B90267282DE255E089671
    APIs
      • Part of subcall function 00967F41: _memmove.LIBCMT ref: 00967F82
      • Part of subcall function 009BAEA4: GetClassNameW.USER32(?,?,000000FF), ref: 009BAEC7
    • SendMessageW.USER32(?,00000182,?,00000000), ref: 009B90B0
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: ClassMessageNameSend_memmove
    • String ID: ComboBox$ListBox
    • API String ID: 372448540-1403004172
    • Opcode ID: 791d273054c8acb0a85c01eaba18a6ebadbefda04947b43f5317cbec7b7e09fd
    • Instruction ID: 31a36054b6f2029bb00b87b218af2a568edc976521b5a83120e5624ad1e01620
    • Opcode Fuzzy Hash: 791d273054c8acb0a85c01eaba18a6ebadbefda04947b43f5317cbec7b7e09fd
    • Instruction Fuzzy Hash: C801D671A551087BCB00F7A4CE92FFEB3ACDF05310F240015790267282DA259F089272
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: ClassName_wcscmp
    • String ID: #32770
    • API String ID: 2292705959-463685578
    • Opcode ID: f0f3881972ea81719f287888999c0493373a8dd53185ae67a9f2a494785f9363
    • Instruction ID: 1633af3cade4cb9b6aefdb092ef0a3134b1953839a69caf4a30f2aeb1bc06b1d
    • Opcode Fuzzy Hash: f0f3881972ea81719f287888999c0493373a8dd53185ae67a9f2a494785f9363
    • Instruction Fuzzy Hash: 25E0D13250422927D720D7999C45FE7F7ACEB45770F010167FD04D7151D5719A4687D1
    APIs
      • Part of subcall function 0099B494: _memset.LIBCMT ref: 0099B4A1
      • Part of subcall function 00980AC0: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0099B470,?,?,?,0096100A), ref: 00980AC5
    • IsDebuggerPresent.KERNEL32(?,?,?,0096100A), ref: 0099B474
    • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0096100A), ref: 0099B483
    Strings
    • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0099B47E
    Memory Dump Source
    • Source File: 00000005.00000002.2522322077.0000000000961000.00000020.00000001.01000000.00000004.sdmp, Offset: 00960000, based on PE: true
    • Associated: 00000005.00000002.2522273168.0000000000960000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.00000000009EF000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522485216.0000000000A14000.00000002.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522627819.0000000000A1E000.00000004.00000001.01000000.00000004.sdmp
    • Associated: 00000005.00000002.2522695318.0000000000A27000.00000002.00000001.01000000.00000004.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_960000_file.jbxd
    Similarity
    • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
    • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
    • API String ID: 3158253471-631824599
    APIs
    • GetSystemDirectoryW.KERNEL32(?), ref: 009A1ACE
      • Part of subcall function 009DC104: LoadLibraryA.KERNEL32(kernel32.dll,?,009A1CB7,?), ref: 009DC112
      • Part of subcall function 009DC104: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 009DC124
    • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 009A1CC6
    Strings
    Similarity
    • API ID: Library$AddressDirectoryFreeLoadProcSystem
    • String ID: WIN_XPe
    • API String ID: 582185067-3257408948
    APIs
    • GetTempPathW.KERNEL32(00000104,?), ref: 009C99A1
    • GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 009C99B8
    Strings
    Similarity
    • API ID: Temp$FileNamePath
    • String ID: aut
    • API String ID: 3285503233-3010740371
    APIs
    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009E59D7
    • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 009E59EA
      • Part of subcall function 009C52EB: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009C5363
    Strings
    Similarity
    • API ID: FindMessagePostSleepWindow
    • String ID: Shell_TrayWnd
    • API String ID: 529655941-2988720461
    APIs
    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009E5A17
    • PostMessageW.USER32(00000000), ref: 009E5A1E
      • Part of subcall function 009C52EB: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009C5363
    Strings
    Similarity
    • API ID: FindMessagePostSleepWindow
    • String ID: Shell_TrayWnd
    • API String ID: 529655941-2988720461