Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1522736
MD5:	7b793a4247b701bd24c86920b237acd0
SHA1:	2ae32267f8cfcc4b602b7de555d91ddd82eb4d09
SHA256:	d4eb98701bc0c33b5f9c3e202bf55c1b2e2cb1c1e4b7c81ad6305d7938d0f959
Tags:	exeuser-jstrosch
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Binary is likely a compiled AutoIt script file

Machine Learning detection for sample

Modifies existing user documents (likely ransomware behavior)

Abnormal high CPU Usage

Checks for available system drives (often done to infect USB drives)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

OS version to string mapping found (often used in BOTs)

PE file contains an invalid checksum

Potential key logger detected (key state polling based)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 7596 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 7B793A4247B701BD24C86920B237ACD0)

cleanup

Code function: 0_2_00C0407C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00C0407C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C0427A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00C0427A

Source: C:\Users\user\Desktop\file.exe

0_2_00C0407C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BF003A GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00BF003A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C1CB26 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00C1CB26

Spam, unwanted Advertisements and Ransom Demands

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Desktop\file.exe	File deleted: C:\Users\user\Desktop\TQDGENUHWP\UMMBDNEQBN.png	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File deleted: C:\Users\user\Desktop\AFWAAFRXKO\TQDGENUHWP.xlsx	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File deleted: C:\Users\user\Desktop\HTAGVDFUIE.mp3	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File deleted: C:\Users\user\Desktop\TQDGENUHWP.docx	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File deleted: C:\Users\user\Desktop\TQDGENUHWP\NHPKIZUUSG.xlsx	Jump to behavior

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\file.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00B93B4C
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000003.1374231232.0000000003B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_ea2c1207-d
Source: file.exe, 00000000.00000003.1374231232.0000000003B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"	memstr_8fbf2c03-e
Source: file.exe, 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_6742bde8-0
Source: file.exe, 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"	memstr_1ddca0a1-c
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_7bd1baaf-a
Source: file.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"	memstr_c756ca74-2

Source: C:\Users\user\Desktop\file.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BFA279: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00BFA279

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BE8638 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00BE8638

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BF5264 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00BF5264

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B9E060	0_2_00B9E060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B9E800	0_2_00B9E800
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B9FE40	0_2_00B9FE40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BA4140	0_2_00BA4140
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB2345	0_2_00BB2345
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C10465	0_2_00C10465
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC6452	0_2_00BC6452
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC25AE	0_2_00BC25AE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB277A	0_2_00BB277A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C108E2	0_2_00C108E2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BA6841	0_2_00BA6841
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC69C4	0_2_00BC69C4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BF8932	0_2_00BF8932
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BEE928	0_2_00BEE928
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC890F	0_2_00BC890F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BA8968	0_2_00BA8968
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BBCCA1	0_2_00BBCCA1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC6F36	0_2_00BC6F36
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BA70FE	0_2_00BA70FE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BA3190	0_2_00BA3190
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B91287	0_2_00B91287
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB3307	0_2_00BB3307
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BBF359	0_2_00BBF359
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BA5680	0_2_00BA5680
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB1604	0_2_00BB1604
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BA58C0	0_2_00BA58C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB7813	0_2_00BB7813
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB1AF8	0_2_00BB1AF8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BBDAF5	0_2_00BBDAF5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC9C35	0_2_00BC9C35
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C17E0D	0_2_00C17E0D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BBBF26	0_2_00BBBF26
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB1F10	0_2_00BB1F10

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00B97F41 appears 35 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00BB8A80 appears 42 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00BB0C63 appears 70 times

Source: file.exe, 00000000.00000002.3818015386.000000000349E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAMEw vs file.exe
Source: file.exe, 00000000.00000002.3817592143.0000000001384000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAMEa vs file.exe
Source: file.exe, 00000000.00000002.3817592143.0000000001384000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameV vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal68.rans.evad.winEXE@1/37@0/0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BFA0F4 GetLastError,FormatMessageW,

0_2_00BFA0F4

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BE84F3 AdjustTokenPrivileges,CloseHandle,		0_2_00BE84F3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BE8AA3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00BE8AA3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BFB3BF SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00BFB3BF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C0EF21 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00C0EF21

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C084D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_00C084D0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B94FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00B94FE9

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\Desktop\rabbit_396521084417386.decrypt

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 78%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C0C104 LoadLibraryA,GetProcAddress,

0_2_00C0C104

Source: file.exe

Static PE information: real checksum: 0x1027d4 should be: 0xfa552

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BB8AC5 push ecx; ret

0_2_00BB8AD8

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B94A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00B94A35
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C153DF IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00C153DF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BB3307 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00BB3307

Source: C:\Users\user\Desktop\file.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-98693

Source: C:\Users\user\Desktop\file.exe

API coverage: 4.8 %

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BF449B GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00BF449B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BFC75D FindFirstFileW,FindClose,	0_2_00BFC75D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BF3B56 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00BF3B56
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BFBD48 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00BFBD48
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BFC7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00BFC7E8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BFF021 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00BFF021
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BFF17E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00BFF17E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BFF47F FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00BFF47F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BF3833 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00BF3833

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B94AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00B94AFE

Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node			graph_0-97408
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node			graph_0-97518

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C0401F BlockInput,

0_2_00C0401F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B93B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00B93B4C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BC5BFC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00BC5BFC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C0C104 LoadLibraryA,GetProcAddress,

0_2_00C0C104

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BE81D4 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00BE81D4

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BBA2A4 SetUnhandledExceptionFilter,		0_2_00BBA2A4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BBA2D5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00BBA2D5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BE8A73 LogonUserW,

0_2_00BE8A73

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B93B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00B93B4C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B94A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00B94A35

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BF4CFA mouse_event,

0_2_00BF4CFA

Source: C:\Users\user\Desktop\file.exe

0_2_00BE81D4

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BF4A08 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00BF4A08

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BB87AB cpuid

0_2_00BB87AB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BC5007 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00BC5007

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BD215F GetUserNameW,

0_2_00BD215F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BC40BA __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00BC40BA

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B94AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00B94AFE

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe, 00000000.00000002.3817592143.0000000001384000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C06399 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00C06399
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C0685D socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00C0685D

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	1 Replication Through Removable Media	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	21 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	1 System Shutdown/Reboot
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	3 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Process Injection	1 Masquerading	LSA Secrets	16 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	3 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
file.exe	79%	ReversingLabs	Win32.Ransomware.Killrabbit
file.exe	100%	Avira	HEUR/AGEN.1319519
file.exe	100%	Joe Sandbox ML

Name	Source	Malicious	Reputation
http://rektware16.temp.swtest.ru/	file.exe, 00000000.00000002.3817942430.000000000161E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3817750995.000000000150B000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://rektware16.temp.swtest.ru/A	file.exe, 00000000.00000002.3817942430.000000000161E000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://www.wysiwygwebbuilder.com	file.exe, 00000000.00000002.3817942430.000000000161E000.00000004.00000020.00020000.00000000.sdmp, ID_YUTPW48prqskALz7Hr5Uw82skEpcrd_[30_09_2024_10_13]_[19045-authorization].php.0.dr, ID_YUTPW48prqskALz7Hr5Uw82skEpcrd_[30_09_2024_10_13]_[19045-cabinet].php.0.dr	false	unknown
http://rektware16.temp.swtest.ru/ID_YUTPW48prqskALz7Hr5Uw82skEpcrd_	file.exe, 00000000.00000003.1375348438.00000000038A1000.00000004.00000020.00020000.00000000.sdmp, ID_YUTPW48prqskALz7Hr5Uw82skEpcrd_[30_09_2024_10_13]_[19045-authorization].php.0.dr	false	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1522736
Start date and time:	2024-09-30 16:12:52 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal68.rans.evad.winEXE@1/37@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 70 Number of non-executed functions: 273
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
10:14:19	API Interceptor	43x Sleep call for process: file.exe modified

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1040
Entropy (8bit):	7.8270673234949
Encrypted:	false
SSDEEP:	24:nUAD0zsLwIlCkA/4B9D35sGQ7OMYiwZ9hJFW2Mv3iPKlVau471+rRwfO5a8n:UUPLwaC1S5Q7OMYiwZ9hnWsAVau4uRSi
MD5:	BC7D1DAD9E66B6E0FC1F4C8E2B2C0976
SHA1:	D2DC65341B88E3C807EB992A29798038073DCE34
SHA-256:	81D960517D7AFA44742B114CD63EE769115FC7138D33C210999AB850C859B992
SHA-512:	0A045F787941443E91B9250B63122E14E73F6B4201769ED758865346A85D55D6A1B107F7B46034307809A754E0021A99A6CC94EABA643C47F3A0C3A585A76B3D
Malicious:	false
Reputation:	low
Preview:	......g.u.,x....nT.%..;xU.R;}.~.;M<..........H/J.U(......F.M,.4..k_.W...mX>b...E0/......k.A.^.$..j. l.....oQ...(.W..0.6.)$......&.......3L"....q....G3....5....;..q.....4..y:..\|.@....F...;C........C.^..Eh.r.\N.......m3I.\(..q=T}....?..\|.}.78JZ.zM.!%A.o....I... )...-.....".Ei.....#..b...FE.........h}r..rQh..R.`...>..<B8....tc.w.M..R.q..y.g....4ha.....`...ra..np. ..."..e..m.pOni..Fx...F.I{C.'5#i.)4.k...""....Y8n..,.zL..u.....8YZTv.w.....V...k.Z7..v.._.E...f..].E...=5N.]Kc..v....N^....T.P..8.:..t..:.G....V@....<.g'..1.F9@....m...B..B..i.8T..:p...8/..hJ3.d\|G1......8[.TZ...uU@.5...&...d..@...-..%uP..&@.:.of....0.%......Im...;........8...93f.I..j..g.s.P./L,O..\|.......$....,.,.....q.V.!J)._.b.B..(.*. E{..g8.h:......E.+'.`...$..]..x.d...Ba/...Q..C.g9j........2.r.g....~#0H.#.k.,.L;B+.d..C....{.......A.i.Y.G.g.S.9.Q..E.[.C. F.[o5+.+6.?b.Wc~T.B.>.g.iqje.Do..E/ e{..D..E...#-.S..I:......}2.E,....1....w....5..}..T...>..`.T=....=....8.kH...v

C:\Users\user\Desktop\AFWAAFRXKO\AFWAAFRXKO.docx.killrabbit

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1040
Entropy (8bit):	7.8270673234949
Encrypted:	false
SSDEEP:	24:nUAD0zsLwIlCkA/4B9D35sGQ7OMYiwZ9hJFW2Mv3iPKlVau471+rRwfO5a8n:UUPLwaC1S5Q7OMYiwZ9hnWsAVau4uRSi
MD5:	BC7D1DAD9E66B6E0FC1F4C8E2B2C0976
SHA1:	D2DC65341B88E3C807EB992A29798038073DCE34
SHA-256:	81D960517D7AFA44742B114CD63EE769115FC7138D33C210999AB850C859B992
SHA-512:	0A045F787941443E91B9250B63122E14E73F6B4201769ED758865346A85D55D6A1B107F7B46034307809A754E0021A99A6CC94EABA643C47F3A0C3A585A76B3D
Malicious:	false
Reputation:	low
Preview:	......g.u.,x....nT.%..;xU.R;}.~.;M<..........H/J.U(......F.M,.4..k_.W...mX>b...E0/......k.A.^.$..j. l.....oQ...(.W..0.6.)$......&.......3L"....q....G3....5....;..q.....4..y:..\|.@....F...;C........C.^..Eh.r.\N.......m3I.\(..q=T}....?..\|.}.78JZ.zM.!%A.o....I... )...-.....".Ei.....#..b...FE.........h}r..rQh..R.`...>..<B8....tc.w.M..R.q..y.g....4ha.....`...ra..np. ..."..e..m.pOni..Fx...F.I{C.'5#i.)4.k...""....Y8n..,.zL..u.....8YZTv.w.....V...k.Z7..v.._.E...f..].E...=5N.]Kc..v....N^....T.P..8.:..t..:.G....V@....<.g'..1.F9@....m...B..B..i.8T..:p...8/..hJ3.d\|G1......8[.TZ...uU@.5...&...d..@...-..%uP..&@.:.of....0.%......Im...;........8...93f.I..j..g.s.P./L,O..\|.......$....,.,.....q.V.!J)._.b.B..(.*. E{..g8.h:......E.+'.`...$..]..x.d...Ba/...Q..C.g9j........2.r.g....~#0H.#.k.,.L;B+.d..C....{.......A.i.Y.G.g.S.9.Q..E.[.C. F.[o5+.+6.?b.Wc~T.B.>.g.iqje.Do..E/ e{..D..E...#-.S..I:......}2.E,....1....w....5..}..T...>..`.T=....=....8.kH...v

C:\Users\user\Desktop\AFWAAFRXKO\AIXACVYBSB.png.killrabbit

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1040
Entropy (8bit):	7.793669730266929
Encrypted:	false
SSDEEP:	24:cByDpnv1IvWEunbYiJYa/oFUbDivL5EDjs4JB/2bdfFsJ1h3w:cGxBEunD6abDij5ejs4zZJ1hA
MD5:	7C79B6B710081D07456CBF27985E024E
SHA1:	7EF33824D68A47BD5C236DF67DB667DD08D1B564
SHA-256:	A55289C931F7666B9C9320BB94BEF1AC947A6958291AA6D637C156AEF3126E69
SHA-512:	0C964CF9B02BE40D21A13D14DEF893E66B84A1361DAD3408807289491B638D1064E67678A4FE673EE44F4387770AF1FEC5591AB3BE7FF76B889E8395C5C98605
Malicious:	false
Reputation:	low
Preview:	.0..:./m.....w.\..^..R..]&...........X.u..P..2>.^..T.\|D.%]..QF.....V.\|.#zB..az=....v..........^...v.$3.....B....j)..8M..(..j.....T..]`.T...].m.O.:..;..43.B.......%.Qn...;...h...uo..9.A-....:...:...).;$.8..6!.'..H.PMl...i...G..YGP....#....f........PEZz..b.............._.!..z6.L1l..I...gF..).....F{.cZ.{....&b....."..../u:......T."......M...4I^.Y$M@._z..Mf...2.,...+u.(.."..~.;...........}EA..3u.><(..5....}45..D........P..k...)......z.0.~40m.Mm..%..lX.`kN..gK.n.PW....Ml..x......{..........n.\..}..F.X...Y...U...c...<.....A...b.y.E.....,3... +...L..>}...K.s.K.!...o....Q...r`.<.m'..............-.]T.......>.;.;J.3=.&V.]......r....Q@<E.qv.\.=.!.Y&H..ohb(...[8.....r..".U...V....K.x.4.M..'.uw...#.x.o*....{S.n]..h...QV.y..@...R{.K.~..~2..Y-.J.8...u9&...u.Iy..G.uR...().q.j...5>.$.....G......0.......X...=...h.j.DW.K...t..!.f....3O.L..g<...R..n...'..Y....0..{.^4E.NM5z/3..E.....X..^`Ik...(....w...`...9.L.}(.8.#....F..b..exd.Kl.ZQ.X..;...(-..}V..

C:\Users\user\Desktop\AFWAAFRXKO\DTBZGIOOSO.mp3.killrabbit

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	1040
Entropy (8bit):	7.8412444780610056
Encrypted:	false
SSDEEP:	24:NfrUwHmHAP2wr4sJ23bF9ycKl99A73Cll:xLGXs8rF9yD9G7yz
MD5:	BF954C09F0185CB175CE7197290C6131
SHA1:	F8C359BB2267031B02F4D22833402893C5EA9AAF
SHA-256:	6B144C47067FE30A40410FE14127B48C5DB99EAD79042F502CF3D4C045B61202
SHA-512:	DCF8F331D7A2C782FC32E41E3F99251A6EA323889A094606F127B67C33DE4FF534771B1D9A624AE0F962AE1F1B1299F6FA5C6CDE8AED5EA6171CC9261A6BCA38
Malicious:	false
Reputation:	low
Preview:	...D...7......z._\|.../1H......8...l/.w1..<..L.^..S.......jT.gY.\.n..O....e.....C.ZD .".w...>xe@.$......u..5_"[..b.G...4&.D..Z.d.ZZ.Y...F..........@W7.t.N...Q..g..~.K...1.wd.0O4...Tu..h......p$.U..<R[....ee..$b.J/-..5...p.`...$.....e.....)eA..i.Q...5...a......Huc\.~5......%.....A.&t..].y...V.B_..A...x.M.z,...c....M!...S)..i&.../u.0....F.P".;.......~.Gxp(..$@'....p.o.]....0....5...,YoQ[....Dk._..s%.0{..h..T........f...v`.t.G]....9...+{u.......1=...x..I..1..$.h.....b.z....`.c...o}zT.\|#/..V....T#J.`w."d.W.Vqwmg.....{.{.u..s.1.pe.qH}....e.E.\UTJ]A..;..* ^....s.k..,s.c,..Z..3....BO6F.z..L..^.....9..'.M.dl\|....9..?.y7....+.~.....T....j.i..=..n.y..[t-_.8.w...........e.3mX.$.B........B-j.(h....e.h.9]&,.^.....Spf.zy.\..M.....J."!u..E2......r.\|U.j.ci....Y.}.iYR...4.p...z. ....c..wE...... .....8..&....>G....bi.c].'.SQ...0x.c@3.w,...l.W.5..k...?.$.{f.?{......,..G........y'{..wa...........e.k..dzV.Y...P.V...\|...R..,...p]...C2a..u.{.......W...

C:\Users\user\Desktop\AFWAAFRXKO\NHPKIZUUSG.jpg.killrabbit

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	MGR bitmap, old format, 1-bit deep, 16-bit aligned
Category:	dropped
Size (bytes):	1040
Entropy (8bit):	7.8074573101057485
Encrypted:	false
SSDEEP:	24:IS6lfAXmVzq0/PpRQrRx+D4UFb25zAyy+ArZdfGOm/pOnw:/ePHQ+poA4D
MD5:	B9E26BB355C1C16F5BFDEB8DFD08C891
SHA1:	6ACF65593398EB015E9C4E93DDE3F9459C36E9D7
SHA-256:	EFAEABC114458B235DDD438513904B0BFF443B201755FC43BB7D4F71E3948DD2
SHA-512:	D9A7D9BDFA4E7A83A431D852B595061D176DD5DD2F2E55B468BBED98E9BCB19AE4A949B1BA6E146022FD976FF3069E36E59B48D45F2744BE99FA96D92EF383F5
Malicious:	false
Reputation:	low
Preview:	zz6..h...J...x.C7'..l.5.6.@:....I...Nq.=......G...^.....7.7.......Am.Y.XOa.R.)m..A..m..9i....{...#.3..]...V.9.....7.>25z.G=J.j..Tz-#.LwT@..h.B=.....=w..Q/y'.'...oq......+Cv.....y.....m...<...a.M./..[.:3.........^.k...u..I..S!.............'......`.........'..+.PN...\|..0..K4.J.>.P\|.M...e.....CS....9.a....I.#.;..........{.....a..]...2....=....j....&EcZ6{Ju5j.B..?W....)h..uiF:./H..i..........._.PI.....9..\|tg.i.p....>...........S..I..R....{....K\.......B@.j..U.MJ...C>/..i'..S.f.....+.q...F(. ...3......Ct.e..R..p3.._.&.1..`.#......Zxv.@).&.o'.....X..Y........#l.r.eEv......Z...ex...G.`.YG.Rp\|..........b.......FPne.#3m..w.#.E....jv.....I.3.(.).#.O.JL7.9S-.n.4...Y.Y.I..T..O..j._Y.x.JV.U..7.@...Xit...-M....e...t........Ig.......:;8d%..S av..J..4.-....^........h.pt...u.8.S.T.f".F.;G..p.6.dET...!......,.7g#.:.F.P=.7.H...'.-.1...4..h..2}>.cegk7W.....R]...b....n.6....(..:.k...S...Hx..1.9P5.cB.'.._..?...P...X....\|P.W.}T.S....#.S...M...~...,W~.....)...+

C:\Users\user\Desktop\AFWAAFRXKO\TQDGENUHWP.xlsx.killrabbit

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1040
Entropy (8bit):	7.808536629182043
Encrypted:	false
SSDEEP:	24:hXgSEgPCJIsJmvGW4g6HKzqPHUAfgexrvc6cvAQ4KXmTD:CS4Jet4pHKOPpfgcrHxQ4umTD
MD5:	E7515DF9FED58ABF64F87C6A538DC378
SHA1:	A282793964337EAC3AB2DB35CF9EF5D8261FB098
SHA-256:	D5E824D450838A9BC59ABF120AE51250227D659D717C6300C0BEAF244158C7FE
SHA-512:	9E768C8344A4462C4AF1826032685EA6F874396EF19F8E942D3E1456FDF0FD5D28DBC6164B220DB50FA66D5151197C8C8CD4E551EA8CE41BB8CB4B8918F47BBF
Malicious:	false
Reputation:	low
Preview:	...#$.!..R.vQy.}./G.._......'../..[.P.....i..bb....1..#W....%.W.....A.;+v...a...>4tKN..n,...x.i!...qDo.....O..y%MGb......#.I.w.<)o.e...)/X.......D.g'. .f.^...`.F..oJ.ss..mGzo....K..p9G..\|.A..i...1.Db.f.\|..;.....W.........m....q...... ..F6Z...X......t.R....>4 .w.d.f.. g.G:$.z....U....['...=.`?y..N....bMP!.._.tu.8.4....~.r.....).V...$..P..8...2...;........T.y.mb......D..!E.....$....GeJ.....i8.......ySuL"..%.......8......%\.._......)(`....:u(h.K.....q.T.0S.G1....bq...%...x#.a.O.../.~.+.r....'._>.W@.._Uq..m...L..Q.X.....F........6.W...M...v.p?.?1[.g...S...5.....q...81..)..k....2...Vg...gXH\...\m..03y.(>.r....T.g.......@}......1+......ZW...K..D.~...8....}8....&...P.5.C/.......2..4.;...E....B...z............G.;...&O.b.>.....g^...U.Y.s......?.n...}b&o.m.Q...\|.s...y..W.pd.......nyg..2....8.Yf(.ST..;2......_..Q@.1{...6R.Me..s.?X.......5B..m..1`z.RRo.....j..xB...e.~.rQ:....0..!~......bh.Z. xN'...:..0.B.]..?.!.%..+.KN..+....]@........Tc.....+xL

C:\Users\user\Desktop\AFWAAFRXKO\ZSSZYEFYMU.pdf.killrabbit

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1040
Entropy (8bit):	7.823519587800709
Encrypted:	false
SSDEEP:	24:Ygspg1yMYX/uiaRNoEWMZm3DMaWgzoVlbnw6JKZUZ6SbHxGW:YNpYbSP5DMMzoVpw6MSZ6OGW
MD5:	419EAB02CE06C45897B6812200ADCEF3
SHA1:	1440DFA6DFE18C5527C0F95151B6396A5088CFE0
SHA-256:	886FD234159C793FA8A949022BAD9F0328CF3D31C2F572E2331AAE46FC22E223
SHA-512:	E728FB8AA55B535C3FCD190043169F986CC72C9D0833C64F173E596CD741166D585018009015BBD4544EE5168D68D3314373082ACC372455B4C6252DFEF24ABF
Malicious:	false
Reputation:	low
Preview:	j.w....[...P....L.=n..R.tv1..oH..^/.~.=y..sm.[..R.Jl..,.:.....a.[..eh^..(.....!.Z..F.......!.. ..O.G...iz7Zu.../$/f"..y.e.. ..s..}w7.....N.0Nc....@.......^..ad.h....PC;+[....rCO.,b....V'V/.V.8...i^.K$&..I]e...7...5...SC.l..kC.#....9..l..1...nz..9n...l.4A._{Dg.'+4[.,....4[lW...-.r.mF>.V..Fhh.j......;...Qj......i.A~...~].2].k..7.n.P.v...........oL..w<...%<0..4.4.G{=.v.N....7X..p2..q...\|......R...QT.._. ...>.v,'..f._....L....a...F..'.j.KJ1....<p..{..T$H..V.7..\|.N.[jcS..<.......n2h..wq.>?....fWd....N.....u.cz.KO..r6.M^..U.e/...u....U..z.....O,..$...+.....!.H.}\.d....k@.....l..TI...y....}..:..B]K..'qV.......g.5F7<.R..1....n..^5.&..C.....?.....b..u.q.....f.I.b.1..KkH.vA..Wg...Wb.@r@.2\./......p..7..._XN.......]....<.....1)x......Y.(...E.~.j.......F.2...O..9}PU......wH(...U.$..t...w....R.....D@...E`.v..5.....]0..#.16...U...TKN%.O.}..M...l.....T.8ws...^h6?.V.`...(p:... .8.......o.m..k..1....DcW.....u..]S...>.........?.d%......n8...H.E...6........X

C:\Users\user\Desktop\AIXACVYBSB.png.killrabbit

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1040
Entropy (8bit):	7.793669730266929
Encrypted:	false
SSDEEP:	24:cByDpnv1IvWEunbYiJYa/oFUbDivL5EDjs4JB/2bdfFsJ1h3w:cGxBEunD6abDij5ejs4zZJ1hA
MD5:	7C79B6B710081D07456CBF27985E024E
SHA1:	7EF33824D68A47BD5C236DF67DB667DD08D1B564
SHA-256:	A55289C931F7666B9C9320BB94BEF1AC947A6958291AA6D637C156AEF3126E69
SHA-512:	0C964CF9B02BE40D21A13D14DEF893E66B84A1361DAD3408807289491B638D1064E67678A4FE673EE44F4387770AF1FEC5591AB3BE7FF76B889E8395C5C98605
Malicious:	false
Reputation:	low
Preview:	.0..:./m.....w.\..^..R..]&...........X.u..P..2>.^..T.\|D.%]..QF.....V.\|.#zB..az=....v..........^...v.$3.....B....j)..8M..(..j.....T..]`.T...].m.O.:..;..43.B.......%.Qn...;...h...uo..9.A-....:...:...).;$.8..6!.'..H.PMl...i...G..YGP....#....f........PEZz..b.............._.!..z6.L1l..I...gF..).....F{.cZ.{....&b....."..../u:......T."......M...4I^.Y$M@._z..Mf...2.,...+u.(.."..~.;...........}EA..3u.><(..5....}45..D........P..k...)......z.0.~40m.Mm..%..lX.`kN..gK.n.PW....Ml..x......{..........n.\..}..F.X...Y...U...c...<.....A...b.y.E.....,3... +...L..>}...K.s.K.!...o....Q...r`.<.m'..............-.]T.......>.;.;J.3=.&V.]......r....Q@<E.qv.\.=.!.Y&H..ohb(...[8.....r..".U...V....K.x.4.M..'.uw...#.x.o*....{S.n]..h...QV.y..@...R{.K.~..~2..Y-.J.8...u9&...u.Iy..G.uR...().q.j...5>.$.....G......0.......X...=...h.j.DW.K...t..!.f....3O.L..g<...R..n...'..Y....0..{.^4E.NM5z/3..E.....X..^`Ik...(....w...`...9.L.}(.8.#....F..b..exd.Kl.ZQ.X..;...(-..}V..

C:\Users\user\Desktop\DTBZGIOOSO.mp3.killrabbit

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	1040
Entropy (8bit):	7.8412444780610056
Encrypted:	false
SSDEEP:	24:NfrUwHmHAP2wr4sJ23bF9ycKl99A73Cll:xLGXs8rF9yD9G7yz
MD5:	BF954C09F0185CB175CE7197290C6131
SHA1:	F8C359BB2267031B02F4D22833402893C5EA9AAF
SHA-256:	6B144C47067FE30A40410FE14127B48C5DB99EAD79042F502CF3D4C045B61202
SHA-512:	DCF8F331D7A2C782FC32E41E3F99251A6EA323889A094606F127B67C33DE4FF534771B1D9A624AE0F962AE1F1B1299F6FA5C6CDE8AED5EA6171CC9261A6BCA38
Malicious:	false
Reputation:	low
Preview:	...D...7......z._\|.../1H......8...l/.w1..<..L.^..S.......jT.gY.\.n..O....e.....C.ZD .".w...>xe@.$......u..5_"[..b.G...4&.D..Z.d.ZZ.Y...F..........@W7.t.N...Q..g..~.K...1.wd.0O4...Tu..h......p$.U..<R[....ee..$b.J/-..5...p.`...$.....e.....)eA..i.Q...5...a......Huc\.~5......%.....A.&t..].y...V.B_..A...x.M.z,...c....M!...S)..i&.../u.0....F.P".;.......~.Gxp(..$@'....p.o.]....0....5...,YoQ[....Dk._..s%.0{..h..T........f...v`.t.G]....9...+{u.......1=...x..I..1..$.h.....b.z....`.c...o}zT.\|#/..V....T#J.`w."d.W.Vqwmg.....{.{.u..s.1.pe.qH}....e.E.\UTJ]A..;..* ^....s.k..,s.c,..Z..3....BO6F.z..L..^.....9..'.M.dl\|....9..?.y7....+.~.....T....j.i..=..n.y..[t-_.8.w...........e.3mX.$.B........B-j.(h....e.h.9]&,.^.....Spf.zy.\..M.....J."!u..E2......r.\|U.j.ci....Y.}.iYR...4.p...z. ....c..wE...... .....8..&....>G....bi.c].'.SQ...0x.c@3.w,...l.W.5..k...?.$.{f.?{......,..G........y'{..wa...........e.k..dzV.Y...P.V...\|...R..,...p]...C2a..u.{.......W...

C:\Users\user\Desktop\DTBZGIOOSO.pdf.killrabbit

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	1040
Entropy (8bit):	7.8412444780610056
Encrypted:	false
SSDEEP:	24:NfrUwHmHAP2wr4sJ23bF9ycKl99A73Cll:xLGXs8rF9yD9G7yz
MD5:	BF954C09F0185CB175CE7197290C6131
SHA1:	F8C359BB2267031B02F4D22833402893C5EA9AAF
SHA-256:	6B144C47067FE30A40410FE14127B48C5DB99EAD79042F502CF3D4C045B61202
SHA-512:	DCF8F331D7A2C782FC32E41E3F99251A6EA323889A094606F127B67C33DE4FF534771B1D9A624AE0F962AE1F1B1299F6FA5C6CDE8AED5EA6171CC9261A6BCA38
Malicious:	false
Reputation:	low
Preview:	...D...7......z._\|.../1H......8...l/.w1..<..L.^..S.......jT.gY.\.n..O....e.....C.ZD .".w...>xe@.$......u..5_"[..b.G...4&.D..Z.d.ZZ.Y...F..........@W7.t.N...Q..g..~.K...1.wd.0O4...Tu..h......p$.U..<R[....ee..$b.J/-..5...p.`...$.....e.....)eA..i.Q...5...a......Huc\.~5......%.....A.&t..].y...V.B_..A...x.M.z,...c....M!...S)..i&.../u.0....F.P".;.......~.Gxp(..$@'....p.o.]....0....5...,YoQ[....Dk._..s%.0{..h..T........f...v`.t.G]....9...+{u.......1=...x..I..1..$.h.....b.z....`.c...o}zT.\|#/..V....T#J.`w."d.W.Vqwmg.....{.{.u..s.1.pe.qH}....e.E.\UTJ]A..;..* ^....s.k..,s.c,..Z..3....BO6F.z..L..^.....9..'.M.dl\|....9..?.y7....+.~.....T....j.i..=..n.y..[t-_.8.w...........e.3mX.$.B........B-j.(h....e.h.9]&,.^.....Spf.zy.\..M.....J."!u..E2......r.\|U.j.ci....Y.}.iYR...4.p...z. ....c..wE...... .....8..&....>G....bi.c].'.SQ...0x.c@3.w,...l.W.5..k...?.$.{f.?{......,..G........y'{..wa...........e.k..dzV.Y...P.V...\|...R..,...p]...C2a..u.{.......W...

C:\Users\user\Desktop\Excel.lnk.killrabbit

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	2464
Entropy (8bit):	7.919165430725093
Encrypted:	false
SSDEEP:	48:zDylT8k/rKHX9VvuoMP2WpIloCiOfIf8s/uK7tow:zDyBKPuoMVpoTfIEs/tT
MD5:	B8BDD06847B36D844A20C470DD86EB0C
SHA1:	068E687EB29F0B7C30DED44351795897DDD4E1D9
SHA-256:	A8507EF5A59AB8A71854411532AF49682E9638102378DF70E302F0283ABF064D
SHA-512:	30BD7A2AF464D71E78200D31FA0CE64481AE9DB7C8696B5B25DD685183FF5E879D826F219B642AC6A0AE13DA2F3F68FF68678B36E2285D0F5A48C6F8CC8DFF23
Malicious:	false
Reputation:	low
Preview:	p.9KZ:$1P!.k..=.........s....C......n...H.Pw...q>U...<Q.$.fb.-.].\4....O.._U.....W.W...........B%.[.f..01..7..)~rP3..B.9dSb.M.r.oV....r"..$....W..M...M.......<J..g.4...\|.].?.(.:.&..L`.......0H.7......w...&Ng$.]...^...z..h.8._.x....4.._...8zP.......m..hx.u..]K.)Q... ..MI.~...9c.AO...T!,. .~..~k.D.[m(.?\|.R..16Q@P.(.=....[/.....Z.`.O..:.....[KUU..MO{..L.............F.\|kf.P...H9Y0...ie..mQ......N.%.T..X...../,.-.w(.>V.Z...Yd....<{..g..j.)..W.?..%........m...=......X..v....9tj,;.i.....G)../..........S.A...(4c"O.JV.Z..8f..e...B.&...U....i5.q......9.M........@....AN..~......?7......j.v.q.. m0C4"...Z.H.P.j:..J.x...N10..v./......[P.L...71O.......:.C.^eY.`...........n....A...[....G..Y.M.wL...4..:)D..ww@dh...".....p+...l......A.....Bf...rF....1Yn........y.W.'.(Ig.D..kd..M..........}C......d....q.2(..;..q.$.U.+.<z...c.;.ER+..`\|@...'....y."....4z.#.j[..Ba...../.........c.....XU....Tx.$m.eL..)*7E......N].Me..x+.e.)..Y.......W..at.....

C:\Users\user\Desktop\HTAGVDFUIE.mp3.killrabbit

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1040
Entropy (8bit):	7.795115018539865
Encrypted:	false
SSDEEP:	24:NvSgE4kIUq7UMn6Yly6clhPLvIiGO7/dTT9EXdUA7DiW2/W5PaIsqay//J:NVE4kILUqf3cH7IiX7/dT6dUZcaIsryZ
MD5:	1A6D825A0AB9F95E84D340633D4076D0
SHA1:	66E2C02E0741EB6C6F1F64C44E185DB7979A2121
SHA-256:	74FF0888ED6AB7DAC40331E958E335350A48C9567DB9C7FA388A17C555DA8365
SHA-512:	E72EEFCDE0D76C3E0DD99CB25CFB4F04E4E6B23740E7B13E51C6E167B0754348128DF0AF1E7BECE171241DF762906AB62E43C46EF5ADFDAB3BFCC4AC9129C59A
Malicious:	false
Reputation:	low
Preview:	.^..2....`.!.r=.P..m.;A.(.s.n3ci8........\|..2.-..KN..~7'a..!....4.;...........T.Q.....q.R.f.,.>.M1..b.I..4$y.....>.C...5...B.%...E7.."...G..q.....tbf..z.5.....45.rO....R.V..A...h$.z..=(..7Z...@z{b..1s...Rq.!G.P+-.~Ma....!W......._....Y..G...W.IN.1f...~Gu.Y......_..!;..Xm..A..Q.vx...../........f.....5..`A^J..f..#.L....W.Y ..Oc..../.g....)...../.G.jn....^..\.......@....Oz.....0.[ol..:.U:.fQ..}..G.3....f.f.#.KA\.\.....,%.)....v/.f...V.s..z.[.".rOl.S.X..UW.d.z...r.?..C.R..Q.2..M..J....._.../....[......6...88D......ElJ...t.m..V&....E.....xr........s.Cb.GS3..f-.....x...%.;l...=...`_Nuy3....E......U>......]....:~.,.VG....+.O.ZB...[6N..k..D..-.e...BE.l.W.. @...s.`.B...x......-s....6..N/?./1\..........,o..8........S....@....m.2.=.P..gg...!..c...h....I'U.c6.j....u.Ns....Y.5.%)..;v[../....+.../.fI..qT.#..,v....8.......eN ...v.......1....0..P.F.M_....z8ef4_4..,..2e......>.?Xf.qdh!......M}.3!A9.u..m.....G...7..x.y.7.....%9X..

C:\Users\user\Desktop\ID_YUTPW48prqskALz7Hr5Uw82skEpcrd_[30_09_2024_10_13]_[19045-authorization].php

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2084
Entropy (8bit):	5.4816310843587495
Encrypted:	false
SSDEEP:	48:0W6+WHDndEiS7u55ieS5uuGHuSXpxuFyuZNA5:UnGiSiy3SWFr0
MD5:	7404C7C3EC941CE337DE571711DFA4E2
SHA1:	9275DFE6847B7F7F5A4A6EB92B89E0B6265F206B
SHA-256:	3E266E0216E907AD7339F648E6723393521392CC28BAD101FBD18EB76B2DE4FE
SHA-512:	1C617188698B058B5874BF91CE1E13A02382267F63662832DD905BA2823C18EFD3F8A1B7A0D4C94449A1487193BF4C9D8BFED689D1B36835794981F92361B14F
Malicious:	false
Preview:	<!doctype html>..<html>..<head>..<meta charset="utf-8">..<title>YUTPW48prqskALz7Hr5Uw82skEpcrd</title>..<meta name="generator" content="WYSIWYG Web Builder 11 - http://www.wysiwygwebbuilder.com">..<link href="Untitled1.css" rel="stylesheet">..<link href="index.css" rel="stylesheet">..</head>..<body>..<div id="container">..<div id="wb_Image1" style="position:absolute;left:365px;top:43px;width:240px;height:240px;z-index:0;">..<img src="images/06866214b4ec64f98df23ca0b49c3353.jpg" id="Image1" alt=""></div>..<label for="" id="Label1" style="position:absolute;left:376px;top:257px;width:210px;height:18px;line-height:18px;z-index:1;">KillRabbit V2 - User Area</label>..<form action="" method=POST>..<input type="text" id="Editbox1" style="position:absolute;left:359px;top:291px;width:243px;height:18px;line-height:18px;z-index:2;" name="pas" value="Unique Key">..<input type="submit" id="Button1" name="" value="Authorization" style="position:absolute;left:359px;top:327px;width:253px;height:25px;z-

C:\Users\user\Desktop\ID_YUTPW48prqskALz7Hr5Uw82skEpcrd_[30_09_2024_10_13]_[19045-authorization].php.killrabbit

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	2096
Entropy (8bit):	7.907149381378568
Encrypted:	false
SSDEEP:	48:R+142F90nvEU9npNWpd/L0kK1Pjq6XVRMrKMHm0CgeTxNT:R+1446L9DW1Khq6orrUZxNT
MD5:	791C71EB663AFFCD65F429E7DB1C8F5F
SHA1:	DE8AC181E33D7FCBF99F92614B327507C96F1A96
SHA-256:	05A41B4A21050615EB1385029334DA73876FF7896A1497E4B59BA13943745656
SHA-512:	626144190306AFFE1D46452683097F2451AD9F643718F429E2ED71FC0B6C44CD43FFAF424CA1FB48AF76A9802658AF12570D65143C1DD9ACB5783F1B70046A6F
Malicious:	false
Preview:	Zrb.}V....~!g.r...=.f....>5.`.mr.s9......`.A..7...K..'......$dTs.>M...4....[...uH...MM.I.1..?^.XEIK7.S.-...H..D0.9..C..~......].Y.i...F...#.....t...(@....+...Ns.&.=j`...iD..7......PT....+?......u."..k.....@.....0..P..?.:.H;Q.k...^..6.2...A.\3..\=n..GA.4-.h..i3c8Y.K6.q@1Z....ed.:G...0.IdL.]0.}.?........MY..\.....?j^'4......G.(....4..Z.a.a#.r5.....$...& 2...L.......O.9S..-....b(.........m..>...s..&.....v\|].l.-cL.n.-.!.1].3.3...E1.B..F..bI.......D..`Y.(./.-X.....T.I.(.+@.2#.............k_'IA.4Dm.l....j..5u..B..G.>h .M......>...84MP0.......e#.a.m....\|........Fs....x.3x.....f..{.k;F......5..R..OZ...'y6.......]..C....m.2...\\|.9qF...;.XB..b..$].$].dl.$) ..u.........>..+...l.y-.-t..}...6...^n....!...i\...;O.j.).b.......-..6.s....G...o..&s<..:K......Q$.v.......40.54..,.,..J.<7!'......;.....7q..;.7.h.aR......0vOx..I6....'.Nx..5lW.w.Qd.m..(.@.Tz.t....>;...P...TmrQ'."...c.!%./U......4..=,..?..M'.d..w....E.-.Id~,.4..ib...it"S&2@..>Z_.x.$.9.@......Y...

C:\Users\user\Desktop\ID_YUTPW48prqskALz7Hr5Uw82skEpcrd_[30_09_2024_10_13]_[19045-cabinet].php

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2991
Entropy (8bit):	5.403449348046629
Encrypted:	false
SSDEEP:	48:0W6+WHD9dEiSqWXElruYuRQPquM3OlxsuvYhyuecSukUxzuT7pZDgTUuJJ5:U9GiSqncyPzZxdQhr3kUkngpJX
MD5:	5E211A74F90C844895DAA238821813CA
SHA1:	CC1CE38A92CC250A2D9CE4DD793EBB749D38A11A
SHA-256:	B35F51103BC963CEC794389792925399572056BE5C96E66D9AE0F9D3985D9849
SHA-512:	B98BF029E58EB621FB308D752331C8B721CA5BD6B21CFB03852AF292795E9F8EF66DCE6E615DDB703AD0E67F09C35DF915483D2510D125CEEAB8F643ECE197EE
Malicious:	false
Preview:	<!doctype html>..<html>..<head>..<meta charset="utf-8">..<title>YUTPW48prqskALz7Hr5Uw82skEpcrd</title>..<meta name="generator" content="WYSIWYG Web Builder 11 - http://www.wysiwygwebbuilder.com">..<link href="Untitled1.css" rel="stylesheet">..<link href="page1.css" rel="stylesheet">..</head>..<body>..<div id="container">..<div id="wb_Image1" style="position:absolute;left:365px;top:43px;width:240px;height:240px;z-index:0;">..<img src="images/06866214b4ec64f98df23ca0b49c3353.jpg" id="Image1" alt=""></div>..<div id="wb_TabMenu1" style="position:absolute;left:0px;top:284px;width:968px;height:292px;z-index:1;overflow:hidden;">..<ul id="TabMenu1">..<li><a href="./0-37.exe">Decrypter</a></li>..<li><a href="#">Payment Module</a></li>..<li><a href="#">Support</a></li>..<li><a href="#">ChatBot</a></li>..</ul>..</div>..<label for="" id="Label6" style="position:absolute;left:355px;top:258px;width:252px;height:18px;line-height:18px;z-index:2;">KillRabbit V2 - Control Panel</label>..<div id="wb_Imag

C:\Users\user\Desktop\ID_YUTPW48prqskALz7Hr5Uw82skEpcrd_[30_09_2024_10_13]_[19045-cabinet].php.killrabbit

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	2992
Entropy (8bit):	7.932661783402332
Encrypted:	false
SSDEEP:	48:R+KDtcDHYZPfeNEryjDF1Yov3iA6fvPcbEZiYyIlo49hx1iviuvg/XuVZn:R++oM7iD3MvPcq3ydufvv6Z
MD5:	520B85A0FF8A2DF7043D19BF8AB560AE
SHA1:	19086327B69C22DA998CF23D89C61F932435D580
SHA-256:	70E4DBA6BC8897092092FCBDD386C3E1D945144078A57D7AC3C6B68EFFD08D1E
SHA-512:	13C8B10D7AE59054A1F264374E2EBE9BE4B8B8C66A7E75F3288B2F7679FF2D0A3C0C9684524AAA38B64EB82461EF1B30E1F11FFDC2BC7E4E54FE969EC9AFEA67
Malicious:	false
Preview:	Zrb.}V....~!g.r...=.f....>5.`.mr.s9......`.A..7...K..'......$dTs.>M...4....[...uH...MM.I.1..?^.XEIK7.S.-...H..D0.9..C..~......].Y.i...F...#.....t...(@....+...Ns.&.=j`...iD..7......PT....+?......u."..k.....@.....0..P..?.:.H;Q....nt...rl@izF~X.23Bc..b,..Gd6..l.f...+.....{.+......k...8..aB.pX-C..h..!."h.f......hD5.Q..'..#.s.P.".....c.............0.c^..CwLHxd..s.I..8.b...sa'...3..P...K..X..U.>.nG..R ..$0...u..^ZB..MX..r>l}..........:....l.ZU.~....XP.S.v...z<f..#....f0...Vx..[....P....J...2..:w..z6.......;O.m...I..<4q.n(...p0..T..%..........R....=]@.o.4.r.7f.?..:Bt.......j.8..~.>L...a..._w..........'.....hWo...~.7;....?.6>.xj<.....l..:..n ..\|z....o l...9...?VOi.q/...[\..b[`..t@.~../j....d..n.S.....>.....q..'..{v.....".{..sN.1.P. ...........gD&.\|1j...2.4l..y..d-....96..E.`..m.{.A.`...lMH^....r..g...I..+6...H#..E. .d....H.. ;.;..N......M..:N....!N./v...z\|.f..\+..T..%...~.p.3..r.Y.._w.Z.Hn..@.....i...%.m.+......)...v.N.@.'.........n

C:\Users\user\Desktop\NHPKIZUUSG.jpg.killrabbit

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	MGR bitmap, old format, 1-bit deep, 16-bit aligned
Category:	dropped
Size (bytes):	1040
Entropy (8bit):	7.8074573101057485
Encrypted:	false
SSDEEP:	24:IS6lfAXmVzq0/PpRQrRx+D4UFb25zAyy+ArZdfGOm/pOnw:/ePHQ+poA4D
MD5:	B9E26BB355C1C16F5BFDEB8DFD08C891
SHA1:	6ACF65593398EB015E9C4E93DDE3F9459C36E9D7
SHA-256:	EFAEABC114458B235DDD438513904B0BFF443B201755FC43BB7D4F71E3948DD2
SHA-512:	D9A7D9BDFA4E7A83A431D852B595061D176DD5DD2F2E55B468BBED98E9BCB19AE4A949B1BA6E146022FD976FF3069E36E59B48D45F2744BE99FA96D92EF383F5
Malicious:	false
Preview:	zz6..h...J...x.C7'..l.5.6.@:....I...Nq.=......G...^.....7.7.......Am.Y.XOa.R.)m..A..m..9i....{...#.3..]...V.9.....7.>25z.G=J.j..Tz-#.LwT@..h.B=.....=w..Q/y'.'...oq......+Cv.....y.....m...<...a.M./..[.:3.........^.k...u..I..S!.............'......`.........'..+.PN...\|..0..K4.J.>.P\|.M...e.....CS....9.a....I.#.;..........{.....a..]...2....=....j....&EcZ6{Ju5j.B..?W....)h..uiF:./H..i..........._.PI.....9..\|tg.i.p....>...........S..I..R....{....K\.......B@.j..U.MJ...C>/..i'..S.f.....+.q...F(. ...3......Ct.e..R..p3.._.&.1..`.#......Zxv.@).&.o'.....X..Y........#l.r.eEv......Z...ex...G.`.YG.Rp\|..........b.......FPne.#3m..w.#.E....jv.....I.3.(.).#.O.JL7.9S-.n.4...Y.Y.I..T..O..j._Y.x.JV.U..7.@...Xit...-M....e...t........Ig.......:;8d%..S av..J..4.-....^........h.pt...u.8.S.T.f".F.;G..p.6.dET...!......,.7g#.:.F.P=.7.H...'.-.1...4..h..2}>.cegk7W.....R]...b....n.6....(..:.k...S...Hx..1.9P5.cB.'.._..?...P...X....\|P.W.}T.S....#.S...M...~...,W~.....)...+

C:\Users\user\Desktop\NHPKIZUUSG.xlsx.killrabbit

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	MGR bitmap, old format, 1-bit deep, 16-bit aligned
Category:	dropped
Size (bytes):	1040
Entropy (8bit):	7.8074573101057485
Encrypted:	false
SSDEEP:	24:IS6lfAXmVzq0/PpRQrRx+D4UFb25zAyy+ArZdfGOm/pOnw:/ePHQ+poA4D
MD5:	B9E26BB355C1C16F5BFDEB8DFD08C891
SHA1:	6ACF65593398EB015E9C4E93DDE3F9459C36E9D7
SHA-256:	EFAEABC114458B235DDD438513904B0BFF443B201755FC43BB7D4F71E3948DD2
SHA-512:	D9A7D9BDFA4E7A83A431D852B595061D176DD5DD2F2E55B468BBED98E9BCB19AE4A949B1BA6E146022FD976FF3069E36E59B48D45F2744BE99FA96D92EF383F5
Malicious:	false
Preview:	zz6..h...J...x.C7'..l.5.6.@:....I...Nq.=......G...^.....7.7.......Am.Y.XOa.R.)m..A..m..9i....{...#.3..]...V.9.....7.>25z.G=J.j..Tz-#.LwT@..h.B=.....=w..Q/y'.'...oq......+Cv.....y.....m...<...a.M./..[.:3.........^.k...u..I..S!.............'......`.........'..+.PN...\|..0..K4.J.>.P\|.M...e.....CS....9.a....I.#.;..........{.....a..]...2....=....j....&EcZ6{Ju5j.B..?W....)h..uiF:./H..i..........._.PI.....9..\|tg.i.p....>...........S..I..R....{....K\.......B@.j..U.MJ...C>/..i'..S.f.....+.q...F(. ...3......Ct.e..R..p3.._.&.1..`.#......Zxv.@).&.o'.....X..Y........#l.r.eEv......Z...ex...G.`.YG.Rp\|..........b.......FPne.#3m..w.#.E....jv.....I.3.(.).#.O.JL7.9S-.n.4...Y.Y.I..T..O..j._Y.x.JV.U..7.@...Xit...-M....e...t........Ig.......:;8d%..S av..J..4.-....^........h.pt...u.8.S.T.f".F.;G..p.6.dET...!......,.7g#.:.F.P=.7.H...'.-.1...4..h..2}>.cegk7W.....R]...b....n.6....(..:.k...S...Hx..1.9P5.cB.'.._..?...P...X....\|P.W.}T.S....#.S...M...~...,W~.....)...+

C:\Users\user\Desktop\ONBQCLYSPU.jpg.killrabbit

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1040
Entropy (8bit):	7.802049874261968
Encrypted:	false
SSDEEP:	24:eAg8LVebjILvkTCGPz21l7zKR0Kl5xs3Moqy2UL:BebjO9G721l7E55xs3nqy2k
MD5:	166E7510D57CF43671AAF46433274FAE
SHA1:	9F39F5742B4CB8B1648B8AF0F6B99CA85D2570F1
SHA-256:	D3F450B2FC137CF26E8FB68BBA6E0D693F7A1406416490C843C3C80964A1A206
SHA-512:	67847C8CD058F81DE1D482FCCCDC7F4F28CB893F1C19BC34BDC2E1DD96745EDF5EBF71F359C298B76E0BE967F92E449A632D7666B8CED5FCEF36D1C93143103E
Malicious:	false
Preview:	i...^..Pp.D...o)...U.>R...f....'......kEe..t..... ./....._t}Xn\|.}..X.T/"..'...K.R.K...J\.b..h..}.....!......f...5l......y.T.I,..l..k/{..c6..3......>c..}..3. ..^p..v%....5.T../W.....#$K!,.+......;j...v^... .....$qc&......"R...z.+l$...3...c.4....7Q..2.s.....9.&c.+.u. 7.9.V.D...N8.\...{...J..u..=.549{&.Z...C.i.w....?...%..`94.1.!..R...>.X.J.xl...Q...X..@!SY..VOs.h.D&.d.l..e...b@...8.:.Mx......C....k..W..C.v$l......d...+..M.\v....u..HOAPON..]...tM.,........A.&z.......P..u..}.....D.]....\|..^..?.W........0JZx.,&..Qi.=....3.}...j)g\O.....O...!.D.k..y.p.;.%.V@..?......"..u\|.ez....%1......D.....l..'..w.]...{{....S.....N+..f"............+..y..i.t...M.........tb.7..._..f..j.S.z.t.t...?j.1...X..8W...(r..AfVn>u..1.....8m..7..N...._oRM...7..[T..6/.....U.`...h;.....i..."..i....R.WH...Nm....... -.r.}......@).....4dS.H....~..8=^v7.[..._...}.+....xn..s...%f.}..puU...7H<v...C..o....1..I..y.)t.;27G.$-.)...Q]..R.4.ug.....\..@........>1..3.>..f......A.....$z

C:\Users\user\Desktop\TQDGENUHWP.docx.killrabbit

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1040
Entropy (8bit):	7.808536629182043
Encrypted:	false
SSDEEP:	24:hXgSEgPCJIsJmvGW4g6HKzqPHUAfgexrvc6cvAQ4KXmTD:CS4Jet4pHKOPpfgcrHxQ4umTD
MD5:	E7515DF9FED58ABF64F87C6A538DC378
SHA1:	A282793964337EAC3AB2DB35CF9EF5D8261FB098
SHA-256:	D5E824D450838A9BC59ABF120AE51250227D659D717C6300C0BEAF244158C7FE
SHA-512:	9E768C8344A4462C4AF1826032685EA6F874396EF19F8E942D3E1456FDF0FD5D28DBC6164B220DB50FA66D5151197C8C8CD4E551EA8CE41BB8CB4B8918F47BBF
Malicious:	false
Preview:	...#$.!..R.vQy.}./G.._......'../..[.P.....i..bb....1..#W....%.W.....A.;+v...a...>4tKN..n,...x.i!...qDo.....O..y%MGb......#.I.w.<)o.e...)/X.......D.g'. .f.^...`.F..oJ.ss..mGzo....K..p9G..\|.A..i...1.Db.f.\|..;.....W.........m....q...... ..F6Z...X......t.R....>4 .w.d.f.. g.G:$.z....U....['...=.`?y..N....bMP!.._.tu.8.4....~.r.....).V...$..P..8...2...;........T.y.mb......D..!E.....$....GeJ.....i8.......ySuL"..%.......8......%\.._......)(`....:u(h.K.....q.T.0S.G1....bq...%...x#.a.O.../.~.+.r....'._>.W@.._Uq..m...L..Q.X.....F........6.W...M...v.p?.?1[.g...S...5.....q...81..)..k....2...Vg...gXH\...\m..03y.(>.r....T.g.......@}......1+......ZW...K..D.~...8....}8....&...P.5.C/.......2..4.;...E....B...z............G.;...&O.b.>.....g^...U.Y.s......?.n...}b&o.m.Q...\|.s...y..W.pd.......nyg..2....8.Yf(.ST..;2......_..Q@.1{...6R.Me..s.?X.......5B..m..1`z.RRo.....j..xB...e.~.rQ:....0..!~......bh.Z. xN'...:..0.B.]..?.!.%..+.KN..+....]@........Tc.....+xL

C:\Users\user\Desktop\TQDGENUHWP.xlsx.killrabbit

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1040
Entropy (8bit):	7.808536629182043
Encrypted:	false
SSDEEP:	24:hXgSEgPCJIsJmvGW4g6HKzqPHUAfgexrvc6cvAQ4KXmTD:CS4Jet4pHKOPpfgcrHxQ4umTD
MD5:	E7515DF9FED58ABF64F87C6A538DC378
SHA1:	A282793964337EAC3AB2DB35CF9EF5D8261FB098
SHA-256:	D5E824D450838A9BC59ABF120AE51250227D659D717C6300C0BEAF244158C7FE
SHA-512:	9E768C8344A4462C4AF1826032685EA6F874396EF19F8E942D3E1456FDF0FD5D28DBC6164B220DB50FA66D5151197C8C8CD4E551EA8CE41BB8CB4B8918F47BBF
Malicious:	false
Preview:	...#$.!..R.vQy.}./G.._......'../..[.P.....i..bb....1..#W....%.W.....A.;+v...a...>4tKN..n,...x.i!...qDo.....O..y%MGb......#.I.w.<)o.e...)/X.......D.g'. .f.^...`.F..oJ.ss..mGzo....K..p9G..\|.A..i...1.Db.f.\|..;.....W.........m....q...... ..F6Z...X......t.R....>4 .w.d.f.. g.G:$.z....U....['...=.`?y..N....bMP!.._.tu.8.4....~.r.....).V...$..P..8...2...;........T.y.mb......D..!E.....$....GeJ.....i8.......ySuL"..%.......8......%\.._......)(`....:u(h.K.....q.T.0S.G1....bq...%...x#.a.O.../.~.+.r....'._>.W@.._Uq..m...L..Q.X.....F........6.W...M...v.p?.?1[.g...S...5.....q...81..)..k....2...Vg...gXH\...\m..03y.(>.r....T.g.......@}......1+......ZW...K..D.~...8....}8....&...P.5.C/.......2..4.;...E....B...z............G.;...&O.b.>.....g^...U.Y.s......?.n...}b&o.m.Q...\|.s...y..W.pd.......nyg..2....8.Yf(.ST..;2......_..Q@.1{...6R.Me..s.?X.......5B..m..1`z.RRo.....j..xB...e.~.rQ:....0..!~......bh.Z. xN'...:..0.B.]..?.!.%..+.KN..+....]@........Tc.....+xL

C:\Users\user\Desktop\TQDGENUHWP\DTBZGIOOSO.pdf.killrabbit

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	1040
Entropy (8bit):	7.8412444780610056
Encrypted:	false
SSDEEP:	24:NfrUwHmHAP2wr4sJ23bF9ycKl99A73Cll:xLGXs8rF9yD9G7yz
MD5:	BF954C09F0185CB175CE7197290C6131
SHA1:	F8C359BB2267031B02F4D22833402893C5EA9AAF
SHA-256:	6B144C47067FE30A40410FE14127B48C5DB99EAD79042F502CF3D4C045B61202
SHA-512:	DCF8F331D7A2C782FC32E41E3F99251A6EA323889A094606F127B67C33DE4FF534771B1D9A624AE0F962AE1F1B1299F6FA5C6CDE8AED5EA6171CC9261A6BCA38
Malicious:	false
Preview:	...D...7......z._\|.../1H......8...l/.w1..<..L.^..S.......jT.gY.\.n..O....e.....C.ZD .".w...>xe@.$......u..5_"[..b.G...4&.D..Z.d.ZZ.Y...F..........@W7.t.N...Q..g..~.K...1.wd.0O4...Tu..h......p$.U..<R[....ee..$b.J/-..5...p.`...$.....e.....)eA..i.Q...5...a......Huc\.~5......%.....A.&t..].y...V.B_..A...x.M.z,...c....M!...S)..i&.../u.0....F.P".;.......~.Gxp(..$@'....p.o.]....0....5...,YoQ[....Dk._..s%.0{..h..T........f...v`.t.G]....9...+{u.......1=...x..I..1..$.h.....b.z....`.c...o}zT.\|#/..V....T#J.`w."d.W.Vqwmg.....{.{.u..s.1.pe.qH}....e.E.\UTJ]A..;..* ^....s.k..,s.c,..Z..3....BO6F.z..L..^.....9..'.M.dl\|....9..?.y7....+.~.....T....j.i..=..n.y..[t-_.8.w...........e.3mX.$.B........B-j.(h....e.h.9]&,.^.....Spf.zy.\..M.....J."!u..E2......r.\|U.j.ci....Y.}.iYR...4.p...z. ....c..wE...... .....8..&....>G....bi.c].'.SQ...0x.c@3.w,...l.W.5..k...?.$.{f.?{......,..G........y'{..wa...........e.k..dzV.Y...P.V...\|...R..,...p]...C2a..u.{.......W...

C:\Users\user\Desktop\TQDGENUHWP\HTAGVDFUIE.mp3.killrabbit

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1040
Entropy (8bit):	7.795115018539865
Encrypted:	false
SSDEEP:	24:NvSgE4kIUq7UMn6Yly6clhPLvIiGO7/dTT9EXdUA7DiW2/W5PaIsqay//J:NVE4kILUqf3cH7IiX7/dT6dUZcaIsryZ
MD5:	1A6D825A0AB9F95E84D340633D4076D0
SHA1:	66E2C02E0741EB6C6F1F64C44E185DB7979A2121
SHA-256:	74FF0888ED6AB7DAC40331E958E335350A48C9567DB9C7FA388A17C555DA8365
SHA-512:	E72EEFCDE0D76C3E0DD99CB25CFB4F04E4E6B23740E7B13E51C6E167B0754348128DF0AF1E7BECE171241DF762906AB62E43C46EF5ADFDAB3BFCC4AC9129C59A
Malicious:	false
Preview:	.^..2....`.!.r=.P..m.;A.(.s.n3ci8........\|..2.-..KN..~7'a..!....4.;...........T.Q.....q.R.f.,.>.M1..b.I..4$y.....>.C...5...B.%...E7.."...G..q.....tbf..z.5.....45.rO....R.V..A...h$.z..=(..7Z...@z{b..1s...Rq.!G.P+-.~Ma....!W......._....Y..G...W.IN.1f...~Gu.Y......_..!;..Xm..A..Q.vx...../........f.....5..`A^J..f..#.L....W.Y ..Oc..../.g....)...../.G.jn....^..\.......@....Oz.....0.[ol..:.U:.fQ..}..G.3....f.f.#.KA\.\.....,%.)....v/.f...V.s..z.[.".rOl.S.X..UW.d.z...r.?..C.R..Q.2..M..J....._.../....[......6...88D......ElJ...t.m..V&....E.....xr........s.Cb.GS3..f-.....x...%.;l...=...`_Nuy3....E......U>......]....:~.,.VG....+.O.ZB...[6N..k..D..-.e...BE.l.W.. @...s.`.B...x......-s....6..N/?./1\..........,o..8........S....@....m.2.=.P..gg...!..c...h....I'U.c6.j....u.Ns....Y.5.%)..;v[../....+.../.fI..qT.#..,v....8.......eN ...v.......1....0..P.F.M_....z8ef4_4..,..2e......>.?Xf.qdh!......M}.3!A9.u..m.....G...7..x.y.7.....%9X..

C:\Users\user\Desktop\TQDGENUHWP\NHPKIZUUSG.xlsx.killrabbit

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	MGR bitmap, old format, 1-bit deep, 16-bit aligned
Category:	dropped
Size (bytes):	1040
Entropy (8bit):	7.8074573101057485
Encrypted:	false
SSDEEP:	24:IS6lfAXmVzq0/PpRQrRx+D4UFb25zAyy+ArZdfGOm/pOnw:/ePHQ+poA4D
MD5:	B9E26BB355C1C16F5BFDEB8DFD08C891
SHA1:	6ACF65593398EB015E9C4E93DDE3F9459C36E9D7
SHA-256:	EFAEABC114458B235DDD438513904B0BFF443B201755FC43BB7D4F71E3948DD2
SHA-512:	D9A7D9BDFA4E7A83A431D852B595061D176DD5DD2F2E55B468BBED98E9BCB19AE4A949B1BA6E146022FD976FF3069E36E59B48D45F2744BE99FA96D92EF383F5
Malicious:	false
Preview:	zz6..h...J...x.C7'..l.5.6.@:....I...Nq.=......G...^.....7.7.......Am.Y.XOa.R.)m..A..m..9i....{...#.3..]...V.9.....7.>25z.G=J.j..Tz-#.LwT@..h.B=.....=w..Q/y'.'...oq......+Cv.....y.....m...<...a.M./..[.:3.........^.k...u..I..S!.............'......`.........'..+.PN...\|..0..K4.J.>.P\|.M...e.....CS....9.a....I.#.;..........{.....a..]...2....=....j....&EcZ6{Ju5j.B..?W....)h..uiF:./H..i..........._.PI.....9..\|tg.i.p....>...........S..I..R....{....K\.......B@.j..U.MJ...C>/..i'..S.f.....+.q...F(. ...3......Ct.e..R..p3.._.&.1..`.#......Zxv.@).&.o'.....X..Y........#l.r.eEv......Z...ex...G.`.YG.Rp\|..........b.......FPne.#3m..w.#.E....jv.....I.3.(.).#.O.JL7.9S-.n.4...Y.Y.I..T..O..j._Y.x.JV.U..7.@...Xit...-M....e...t........Ig.......:;8d%..S av..J..4.-....^........h.pt...u.8.S.T.f".F.;G..p.6.dET...!......,.7g#.:.F.P=.7.H...'.-.1...4..h..2}>.cegk7W.....R]...b....n.6....(..:.k...S...Hx..1.9P5.cB.'.._..?...P...X....\|P.W.}T.S....#.S...M...~...,W~.....)...+

C:\Users\user\Desktop\TQDGENUHWP\ONBQCLYSPU.jpg.killrabbit

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1040
Entropy (8bit):	7.802049874261968
Encrypted:	false
SSDEEP:	24:eAg8LVebjILvkTCGPz21l7zKR0Kl5xs3Moqy2UL:BebjO9G721l7E55xs3nqy2k
MD5:	166E7510D57CF43671AAF46433274FAE
SHA1:	9F39F5742B4CB8B1648B8AF0F6B99CA85D2570F1
SHA-256:	D3F450B2FC137CF26E8FB68BBA6E0D693F7A1406416490C843C3C80964A1A206
SHA-512:	67847C8CD058F81DE1D482FCCCDC7F4F28CB893F1C19BC34BDC2E1DD96745EDF5EBF71F359C298B76E0BE967F92E449A632D7666B8CED5FCEF36D1C93143103E
Malicious:	false
Preview:	i...^..Pp.D...o)...U.>R...f....'......kEe..t..... ./....._t}Xn\|.}..X.T/"..'...K.R.K...J\.b..h..}.....!......f...5l......y.T.I,..l..k/{..c6..3......>c..}..3. ..^p..v%....5.T../W.....#$K!,.+......;j...v^... .....$qc&......"R...z.+l$...3...c.4....7Q..2.s.....9.&c.+.u. 7.9.V.D...N8.\...{...J..u..=.549{&.Z...C.i.w....?...%..`94.1.!..R...>.X.J.xl...Q...X..@!SY..VOs.h.D&.d.l..e...b@...8.:.Mx......C....k..W..C.v$l......d...+..M.\v....u..HOAPON..]...tM.,........A.&z.......P..u..}.....D.]....\|..^..?.W........0JZx.,&..Qi.=....3.}...j)g\O.....O...!.D.k..y.p.;.%.V@..?......"..u\|.ez....%1......D.....l..'..w.]...{{....S.....N+..f"............+..y..i.t...M.........tb.7..._..f..j.S.z.t.t...?j.1...X..8W...(r..AfVn>u..1.....8m..7..N...._oRM...7..[T..6/.....U.`...h;.....i..."..i....R.WH...Nm....... -.r.}......@).....4dS.H....~..8=^v7.[..._...}.+....xn..s...%f.}..puU...7H<v...C..o....1..I..y.)t.;27G.$-.)...Q]..R.4.ug.....\..@........>1..3.>..f......A.....$z

C:\Users\user\Desktop\TQDGENUHWP\TQDGENUHWP.docx.killrabbit

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1040
Entropy (8bit):	7.808536629182043
Encrypted:	false
SSDEEP:	24:hXgSEgPCJIsJmvGW4g6HKzqPHUAfgexrvc6cvAQ4KXmTD:CS4Jet4pHKOPpfgcrHxQ4umTD
MD5:	E7515DF9FED58ABF64F87C6A538DC378
SHA1:	A282793964337EAC3AB2DB35CF9EF5D8261FB098
SHA-256:	D5E824D450838A9BC59ABF120AE51250227D659D717C6300C0BEAF244158C7FE
SHA-512:	9E768C8344A4462C4AF1826032685EA6F874396EF19F8E942D3E1456FDF0FD5D28DBC6164B220DB50FA66D5151197C8C8CD4E551EA8CE41BB8CB4B8918F47BBF
Malicious:	false
Preview:	...#$.!..R.vQy.}./G.._......'../..[.P.....i..bb....1..#W....%.W.....A.;+v...a...>4tKN..n,...x.i!...qDo.....O..y%MGb......#.I.w.<)o.e...)/X.......D.g'. .f.^...`.F..oJ.ss..mGzo....K..p9G..\|.A..i...1.Db.f.\|..;.....W.........m....q...... ..F6Z...X......t.R....>4 .w.d.f.. g.G:$.z....U....['...=.`?y..N....bMP!.._.tu.8.4....~.r.....).V...$..P..8...2...;........T.y.mb......D..!E.....$....GeJ.....i8.......ySuL"..%.......8......%\.._......)(`....:u(h.K.....q.T.0S.G1....bq...%...x#.a.O.../.~.+.r....'._>.W@.._Uq..m...L..Q.X.....F........6.W...M...v.p?.?1[.g...S...5.....q...81..)..k....2...Vg...gXH\...\m..03y.(>.r....T.g.......@}......1+......ZW...K..D.~...8....}8....&...P.5.C/.......2..4.;...E....B...z............G.;...&O.b.>.....g^...U.Y.s......?.n...}b&o.m.Q...\|.s...y..W.pd.......nyg..2....8.Yf(.ST..;2......_..Q@.1{...6R.Me..s.?X.......5B..m..1`z.RRo.....j..xB...e.~.rQ:....0..!~......bh.Z. xN'...:..0.B.]..?.!.%..+.KN..+....]@........Tc.....+xL

C:\Users\user\Desktop\TQDGENUHWP\UMMBDNEQBN.png.killrabbit

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1040
Entropy (8bit):	7.845472794750358
Encrypted:	false
SSDEEP:	24:126JOoc46QiDYvlwRixgLuX6ot8/WL3aMJ:PAoBvlwRixg6bt/BJ
MD5:	E8F3342BE2900897CF55CA9E5323669F
SHA1:	C5764F95D21E59CB286BF5883CFA38016E813764
SHA-256:	C2EA84884DD73D1281CAB8A443EE710FACCF026633E2A73A43B065FDFF1AD504
SHA-512:	443FCC361A6F8B271433F4D434F542B9C1328BB4340C5AF8A269B0FFAF97334B23A7E94FFCBBCA63CC5630D0CC94C6DD7426DB9F4F928BC358B4BD100CDF6074
Malicious:	false
Preview:	.j.p-!..!...............e..i...Ri.t...<^.i.Na....e.......y..V..P...zy.).W?L3)....=.9.....O...,.wW...T......J.............fk1...c).l...9cH.. ...D>......./.N.1LG....]._..$S........r..1.5]..g..!.`Y5._ZV....\..!..)..A.?.x..#....\...(.k...1+....XDSyQ'L...+..z.KI..+.<...x..h....8...."Y. "...]f.2C-...><.s.C.^......7..]D5...}.Y....@d....h..a....s.......?..YS.9.a....5..}..7)....X(....)..."2t.w.n....~E....a.\|.......W.j,.O..n>M.'...q.K..+../.o04.X .f.^.C..`M.........\w....r....M.@m.U..../E.".U$:2... .....PT.{.b......9dlo.....75.v...nq..nil..J..g...H...M`...a. ..Uc..\|.x\;..D.u....8.....FY....p.a'..n.B*...n.%.>.j.N..4..."...mM..=.7..]Ad...b.....o.~r+.2..qs..Y....a[.A.J..V...b;...~F.rk.\..@l..SM...6.[....w[...7....r....[...R{..T.^........&..,JdG...M.w.~.....!s...1p....l..[..."Y...8.C.]Y..l... .~.A.d@.7..]..g...,..i.....:H;..f.xzN.Q.1F...\|.^..7.E....D..}..H...`v.NO......Z#.u.......0..NCpGPA.j.gvi...wKT....X......X.F.....1W....<./m..\|.,i&.... /..?..`..S:..Y.

C:\Users\user\Desktop\UMMBDNEQBN.png.killrabbit

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1040
Entropy (8bit):	7.845472794750358
Encrypted:	false
SSDEEP:	24:126JOoc46QiDYvlwRixgLuX6ot8/WL3aMJ:PAoBvlwRixg6bt/BJ
MD5:	E8F3342BE2900897CF55CA9E5323669F
SHA1:	C5764F95D21E59CB286BF5883CFA38016E813764
SHA-256:	C2EA84884DD73D1281CAB8A443EE710FACCF026633E2A73A43B065FDFF1AD504
SHA-512:	443FCC361A6F8B271433F4D434F542B9C1328BB4340C5AF8A269B0FFAF97334B23A7E94FFCBBCA63CC5630D0CC94C6DD7426DB9F4F928BC358B4BD100CDF6074
Malicious:	false
Preview:	.j.p-!..!...............e..i...Ri.t...<^.i.Na....e.......y..V..P...zy.).W?L3)....=.9.....O...,.wW...T......J.............fk1...c).l...9cH.. ...D>......./.N.1LG....]._..$S........r..1.5]..g..!.`Y5._ZV....\..!..)..A.?.x..#....\...(.k...1+....XDSyQ'L...+..z.KI..+.<...x..h....8...."Y. "...]f.2C-...><.s.C.^......7..]D5...}.Y....@d....h..a....s.......?..YS.9.a....5..}..7)....X(....)..."2t.w.n....~E....a.\|.......W.j,.O..n>M.'...q.K..+../.o04.X .f.^.C..`M.........\w....r....M.@m.U..../E.".U$:2... .....PT.{.b......9dlo.....75.v...nq..nil..J..g...H...M`...a. ..Uc..\|.x\;..D.u....8.....FY....p.a'..n.B*...n.%.>.j.N..4..."...mM..=.7..]Ad...b.....o.~r+.2..qs..Y....a[.A.J..V...b;...~F.rk.\..@l..SM...6.[....w[...7....r....[...R{..T.^........&..,JdG...M.w.~.....!s...1p....l..[..."Y...8.C.]Y..l... .~.A.d@.7..]..g...,..i.....:H;..f.xzN.Q.1F...\|.^..7.E....D..}..H...`v.NO......Z#.u.......0..NCpGPA.j.gvi...wKT....X......X.F.....1W....<./m..\|.,i&.... /..?..`..S:..Y.

C:\Users\user\Desktop\ZSSZYEFYMU.pdf.killrabbit

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1040
Entropy (8bit):	7.823519587800709
Encrypted:	false
SSDEEP:	24:Ygspg1yMYX/uiaRNoEWMZm3DMaWgzoVlbnw6JKZUZ6SbHxGW:YNpYbSP5DMMzoVpw6MSZ6OGW
MD5:	419EAB02CE06C45897B6812200ADCEF3
SHA1:	1440DFA6DFE18C5527C0F95151B6396A5088CFE0
SHA-256:	886FD234159C793FA8A949022BAD9F0328CF3D31C2F572E2331AAE46FC22E223
SHA-512:	E728FB8AA55B535C3FCD190043169F986CC72C9D0833C64F173E596CD741166D585018009015BBD4544EE5168D68D3314373082ACC372455B4C6252DFEF24ABF
Malicious:	false
Preview:	j.w....[...P....L.=n..R.tv1..oH..^/.~.=y..sm.[..R.Jl..,.:.....a.[..eh^..(.....!.Z..F.......!.. ..O.G...iz7Zu.../$/f"..y.e.. ..s..}w7.....N.0Nc....@.......^..ad.h....PC;+[....rCO.,b....V'V/.V.8...i^.K$&..I]e...7...5...SC.l..kC.#....9..l..1...nz..9n...l.4A._{Dg.'+4[.,....4[lW...-.r.mF>.V..Fhh.j......;...Qj......i.A~...~].2].k..7.n.P.v...........oL..w<...%<0..4.4.G{=.v.N....7X..p2..q...\|......R...QT.._. ...>.v,'..f._....L....a...F..'.j.KJ1....<p..{..T$H..V.7..\|.N.[jcS..<.......n2h..wq.>?....fWd....N.....u.cz.KO..r6.M^..U.e/...u....U..z.....O,..$...+.....!.H.}\.d....k@.....l..TI...y....}..:..B]K..'qV.......g.5F7<.R..1....n..^5.&..C.....?.....b..u.q.....f.I.b.1..KkH.vA..Wg...Wb.@r@.2\./......p..7..._XN.......]....<.....1)x......Y.(...E.~.j.......F.2...O..9}PU......wH(...U.$..t...w....R.....D@...E`.v..5.....]0..#.16...U...TKN%.O.}..M...l.....T.8ws...^h6?.V.`...(p:... .8.......o.m..k..1....DcW.....u..]S...>.........?.d%......n8...H.E...6........X

C:\Users\user\Desktop\desktop.ini.killrabbit

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	COM executable for DOS
Category:	dropped
Size (bytes):	288
Entropy (8bit):	7.338458758317762
Encrypted:	false
SSDEEP:	6:8SKi2cBKCh6hrstxSAq/8cZ4/IqgeffrxeKXlIVwf3Pg0SpYzU+gn:v2cDJxSr/7RqgQfzXl16x
MD5:	032497620CE6D95F58FCA99C30AC7382
SHA1:	7BD6432A456FB2B66D7C5B00D8156E91A8D70DEE
SHA-256:	5CB6FEF80C187AE11386149FA58BFF3FE4C6305559283A977812DAB993929584
SHA-512:	B720BD3C2F5B8526D27F861EC9135AF791B68844231DB5508CCC7993B0EAF83E3541076E6A2F94B50004778EB641BBCC918CA0E734039F74C7B69B0771EE1756
Malicious:	false
Preview:	..k...M...H......B....m..5.].q..K\P..Zz.s..I....>.M.`.....(....>%...r.Z.....sj.d3.N5.lP......+>1..#.)A/..Wn]..R.p.x.FxS.H(d.Y.Dh..e.8.p.[..G....m..6._n@..[..*.!O..L..pz.;..r...W..Q...j.1..$...e<\|...>.....P...g..L.wY.=....4...O....S%.A.Mo.G.uJ.$SrT.nV.GE&B..r....z.QaO....`..

C:\Users\user\Desktop\file.exe.killrabbit

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1009680
Entropy (8bit):	7.999833301418865
Encrypted:	true
SSDEEP:	24576:+iJxGKBt734to61MuO4bYmWHUWt5IyxGAE5rPsjFAmtMm:+WxX34to6iPSOHZPBScAm7
MD5:	17C7E5308D6CA3F39A47674FC103491D
SHA1:	5B2FFA0FA33ED4D2637EF11E0CA7AFA9EDF620FB
SHA-256:	7E63F32A47B633DCADEE03A062FED65B3E9C1049B9ADAAD309C78FAA922CDAAE
SHA-512:	ABD52DA21EB8FF40DAE5800BE9BCCCDE42F0DF69D697328767326EDD92C183DD9583CF1F745642DB1EEF27A3F0615E188566F27C8F9556770C5C506B54696172
Malicious:	true
Preview:	wb.(...s..$z}..p.X..U.8..-).y'"......./.1.$.o..+.?J6..#m.).....?.g.\|..5v.$.}.fF'.t...c.........7.L..l-$:.kP6....I."vp!.h.E2..(..k....^...R.9..kls...J...D....[..w..l1.....r+.3?...dd....e..c.....(.&}.....H1L.^<`Z-.H.,..3J...@...j..BrZ.$?K.....I!.....`.-.(aO.z.Z..Q.=..aGmU.or.#,^..N.7.i.'pA.o.2w.!.............>x...f?....Io ....Ms..Q...P.d.W0.....p.N.....fH.Lt.;J.bX..7...s...R.:1.i..odf......;.E.k..K......G%S./.%.^+il..4...IjC.c...o.g..AU.a\|2M7...V.Y.N...../....[.o."T=.C.......".....4\|t..'x...S_...6.m.clf..[U....u,-.?.).8..P.....ax.Kc..f....Z)..Uf....7.6?.P.O2....Y.'.Q...G.J&....h.;x....6(........8.l...".@.v`B._>Q....._....g..e.)..y..I&..]}.G.Z.f..j..Y.K.(..{...\|g.f.6......X....j....X..K.J.?NL5..p.o.......m...O.]_./A..@F..O...].9A>.oi..xN...h.$?:.+4...n...2+N...........'P..vG../R ..j..G...&.......U{.b..r...r.t..f.D...D...P..6......ps#.Y...H3..e.....<6...'.[f....s....`.0.#7z).65..[.'~.p-.5...&[.U.2..P.U.*..".95..."...,:.3L#.7.}g.i....v

C:\Users\user\Desktop\rabbit_396521084417386.decrypt

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	114
Entropy (8bit):	5.014350598248141
Encrypted:	false
SSDEEP:	3:b7JGNHDxSlUVbjXkNOVH+CdmGQRdRWCcVGUEmOvn:3JGxUlUVPX7HdIcVGfmOvn
MD5:	F25322C7D21CA44A505183743DB1C828
SHA1:	C21CB426D67FE025DC27606F836103FD25DF9C10
SHA-256:	31CD4019DC32F278D1E4D1970798BA9E433B02975B34384C0A4ECE5CF5C1F04B
SHA-512:	A8F8361EC97683A120696DBA0655F5FB117612A86EDA3A5D0D6354EF395E18155181FF1A6919AA4E5C2A1F642DF54ED03ED4C6A86F49597EFA6CAC274EE6606B
Malicious:	false
Preview:	Your ID: YUTPW48prqskALz7Hr5Uw82skEpcrd..Your Decryption Key: 90899701278833012928497892775548437719056154116586..

C:\Users\user\Desktop\rabbit_396521084417386.decrypt.killrabbit

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	DOS executable (COM, 0x8C-variant)
Category:	dropped
Size (bytes):	128
Entropy (8bit):	6.476409765557392
Encrypted:	false
SSDEEP:	3:3HMDNuYh9EP13E8QVBkvT6/7ADNgvmThhkl5RluLtEgn4aB:cDMM9EP13E8kkvTTT3IyLOg4aB
MD5:	47DBAEE6BD0F8CF167F0E6EF22902C15
SHA1:	4DBF7820A86C805F077532EFE793D04BD589574A
SHA-256:	4D8DC68931EC76119924B7F8C41EF3334523DE8B674AA724B594B1435A78B8B4
SHA-512:	C8E75DD7D0076C03554BBD3394C5F3A47F42E520ED4823FC70FCD7C3C792B8B4034D9093C44591AEC9740CB45D900CE10C38489F5BE429BFC227E0215A5C6F62
Malicious:	false
Preview:	.....PJ.....=...yf!....3...2..z.!.u.dD..>.'.......%....../.N~.L..hWN.Z..<v..6....<_...D...z[.j.^BZ.d...n..*..Q.9.9.=.y..h...

C:\Users\user\Desktop\rabbit_396521084417386.time

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:Jovn:Y
MD5:	30FB76AEB44DBCC2FEF88AB066D55AC6
SHA1:	85F72CA5E51255CD2F7E96376E26472A31ABB62C
SHA-256:	E2BB232CAC786F7284BB237D193407E94F32EE0FBF64D27D0AE8B1642DE44923
SHA-512:	03D83139055E3B4C62D5CD5EE42FF767491AB4EB5315DD8872FD24C3B7E4BACCCBDA36256EA080BDC09B66678CE3875690F68AFA68D45519FAEEA2738728C1F6
Malicious:	false
Preview:	15..

C:\Users\user\Desktop\rabbit_396521084417386.time.killrabbit

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.875
Encrypted:	false
SSDEEP:	3:W7egowwhQj:Wag7oQj
MD5:	842A057071A1760E4C2241897B4DE8B7
SHA1:	87D15A763CED5C3C22CF0D7FBB28E861E457CBEE
SHA-256:	226D7B040FD0A61D6FE8D75BDFAFBB9E7D312EEDAB4ACF07B6B30EFC136D2946
SHA-512:	B9E81CCFDC4D922D803D2F5DEBD64B8064F35B7B8DE2DC5C47E34DA4DC08646BC7CF7A3784A6291AABE29068F310219561EA6345F188C3F580B37C5A32CC5328
Malicious:	false
Preview:	&..e{..J...q.}.

C:\Users\user\Desktop\rabbit_YUTPW48prqskALz7Hr5Uw82skEpcrd.php

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PHP script, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	479
Entropy (8bit):	5.265920449788975
Encrypted:	false
SSDEEP:	6:xrIQGSIO6w6kliMhUAL7vmGEMvVG4ASw/+KRKZ+KD7vmAEMvYryVmpwroUigy5d2:xr7Z6ODLyhFowmiayAEt/pI659c
MD5:	CA6C8DEC641C6DB87BC60C256F63FBF6
SHA1:	8F16CA06EFA197572D84C9A6580C1D4008549814
SHA-256:	974BAF3E4F3C30EB65F5CD108A6D3AB0CC302200253CAEA055E18803DE2BF7B1
SHA-512:	433F26BBA87944F7A8FABE2BCFF266DC3E885BF61D9DFFA3510BB020A74E717C035F1BB836B34D54F5FCB572705FB9F2539BACE6A1B5E53CC8270BAE08841E5F
Malicious:	false
Preview:	<?php..$sPath = __DIR__ . '/rabbit_396521084417386.time';..if(isset($_GET['sec'])&&is_numeric($_GET['sec'])) {..$hFile = fopen($sPath, 'c') or die('error1');..flock($hFile, LOCK_EX) or die('error2');..ftruncate($hFile, 0) or die('error3');..fwrite($hFile, $_GET['sec']) or die('error3');..flock($hFile, LOCK_UN) or die('error5');..fclose($hFile) or die('error6');..print('ok');..} else {..if(!file_exists($sPath)){..print('0');..exit();..}..print(file_get_contents($sPath));..}..

C:\Users\user\Desktop\rabbit_YUTPW48prqskALz7Hr5Uw82skEpcrd.php.killrabbit

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	480
Entropy (8bit):	7.533566820901721
Encrypted:	false
SSDEEP:	12:i/4FrsyIX8OFKP00RFfXjWjk0x7HJ51Ot/FVJz+JcEa+ZyytnK5:igFR0kRFfY/7p5IttVI68ta
MD5:	27E109A30B842928AA8ACDF31C7089CF
SHA1:	B802DA36CC9429C2E8C2E926C83152619144AD01
SHA-256:	BC620BCD9C2EE64E3708788479E373006FAD775C0D4769B47A1AD44986D7FB7A
SHA-512:	3F10C4E75C66658B4D4279A666D6BC45085CC28E76195AAA1A7D2EF3BD42223300A33AA5050CA10E336003C30532BDE5D3BF7F8524D0AEA99411A40946CF8D7A
Malicious:	false
Preview:	.!..WG...Lf.....PNUOMt.PL....-3jR.+....'n.Cx.?xI....z1.]...s.&..9.O.=.......I..8\HI.O......."E.`.d...C.\|.Q..c..Yt.Y...-...\|...B.... ....A....&h.e.X0#.M..R9...C..[...`..`Z..T.}..r.&,V...../..X........w...f*.C..Pl.YY.%..X.W...jh...K..a.E.]h(.....Y..,.....P....X;.Z.}..e.3......../.A.......x.d-K ...<{...FbUo}.e.G......${..<.......[.$.....3....g...#.&....l..w.....Q..!.&'. ..Q.df..ct...=.....[..8~....M...Z.J.....w..w.....I.......Y.....i.;u.\|.4..Ld..>Y..F...)n..A

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.930470619153344
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	1'009'666 bytes
MD5:	7b793a4247b701bd24c86920b237acd0
SHA1:	2ae32267f8cfcc4b602b7de555d91ddd82eb4d09
SHA256:	d4eb98701bc0c33b5f9c3e202bf55c1b2e2cb1c1e4b7c81ad6305d7938d0f959
SHA512:	acd7d553da911e61ab55c537954be38249a3d11348964c5deb60ebc70e9a29d27356b57045eb1a700d6a2d7c13ce13c7c15cfb6bfbc7d7771cc7532f9e65bbce
SSDEEP:	24576:WCdxte/80jYLT3U1jfsWaqP0/NHxkzK2QV:fw80cTsjkWaqIHxaMV
TLSH:	6525BE2273DDC370CB669173BF69B7016EBF38614630B95B2F880D7DA950162262D7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427f4a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x5B6725B5 [Sun Aug 5 16:28:37 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007FF380EADA2Dh
jmp 00007FF380EA07F4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FF380EA097Ah
cmp edi, eax
jc 00007FF380EA0CDEh
bt dword ptr [004C31FCh], 01h
jnc 00007FF380EA0979h
rep movsb
jmp 00007FF380EA0C8Ch
cmp ecx, 00000080h
jc 00007FF380EA0B44h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FF380EA0980h
bt dword ptr [004BE324h], 01h
jc 00007FF380EA0E50h
bt dword ptr [004C31FCh], 00000000h
jnc 00007FF380EA0B1Dh
test edi, 00000003h
jne 00007FF380EA0B2Eh
test esi, 00000003h
jne 00007FF380EA0B0Dh
bt edi, 02h
jnc 00007FF380EA097Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FF380EA0983h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FF380EA09D5h
bt esi, 03h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x2dec4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf5000	0x7130	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dd2e	0x8de00	c2c2260508750422d20cd5cbb116b146	False	0.5729952505506608	data	6.675875439961112	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	4513b58651e3d8d87c81a396e5b2f1d1	False	0.3353340955284553	OpenPGP Public Key	5.760731648769018	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	c2de4a3d214eae7e87c7bfc06bd79775	False	0.1017530487804878	data	1.1988106744719143	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x2dec4	0x2e000	683c1177b261f333407923a767a540f2	False	0.8603462550951086	data	7.725257406940883	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xf5000	0x7130	0x7200	1254908a9a03d2bcf12045d49cd572b9	False	0.7703536184210527	data	6.782377328042204	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc74a0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc75c8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc78b0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc79d8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8880	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9128	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc9690	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbc38	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xccce0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_STRING	0xcd148	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcd6dc	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcdd68	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce1f8	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xce7f4	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcee50	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf2b8	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf410	0x25550	data			1.0003662237103694
RT_GROUP_ICON	0xf4960	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xf49d8	0x14	data	English	Great Britain	1.15
RT_VERSION	0xf49ec	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xf4ac8	0x3fa	ASCII text, with CRLF line terminators	English	Great Britain	0.5068762278978389

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Target ID:	0
Start time:	10:13:46
Start date:	30/09/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xb90000
File size:	1'009'666 bytes
MD5 hash:	7B793A4247B701BD24C86920B237ACD0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	4.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	143

Executed Functions

Function 00B93B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B93B7A
IsDebuggerPresent.KERNEL32 ref: 00B93B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,00C552F8,00C552E0,?,?), ref: 00B93BFD

Part of subcall function 00B97D2C: _memmove.LIBCMT ref: 00B97D66

Part of subcall function 00BA0A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00B93C26,00C552F8,?,?,?), ref: 00BA0ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 00B93C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00C47770,00000010), ref: 00BCD3EC
SetCurrentDirectoryW.KERNEL32(?,00C552F8,?,?,?), ref: 00BCD424
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00C44260,00C552F8,?,?,?), ref: 00BCD4AA
ShellExecuteW.SHELL32(00000000,?,?), ref: 00BCD4B1

Part of subcall function 00B93A58: GetSysColorBrush.USER32(0000000F), ref: 00B93A62
Part of subcall function 00B93A58: LoadCursorW.USER32(00000000,00007F00), ref: 00B93A71
Part of subcall function 00B93A58: LoadIconW.USER32(00000063), ref: 00B93A88
Part of subcall function 00B93A58: LoadIconW.USER32(000000A4), ref: 00B93A9A
Part of subcall function 00B93A58: LoadIconW.USER32(000000A2), ref: 00B93AAC
Part of subcall function 00B93A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00B93AD2
Part of subcall function 00B93A58: RegisterClassExW.USER32(?), ref: 00B93B28

Part of subcall function 00B939E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00B93A15
Part of subcall function 00B939E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00B93A36
Part of subcall function 00B939E7: ShowWindow.USER32(00000000,?,?), ref: 00B93A4A
Part of subcall function 00B939E7: ShowWindow.USER32(00000000,?,?), ref: 00B93A53

Part of subcall function 00B943DB: _memset.LIBCMT ref: 00B94401
Part of subcall function 00B943DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00B944A6

Strings

runas, xrefs: 00BCD4A5
This is a third-party compiled AutoIt script., xrefs: 00BCD3E4

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: 3c8d317c9432aa748cca1e1b9da0796c35ab1c7defe6a4d9ba1958c9d8b0f016
Instruction ID: 95074c4c4eec41ec9ae9dfed357853bd6b264deff8b92d1371256bed250a9eb8
Opcode Fuzzy Hash: 3c8d317c9432aa748cca1e1b9da0796c35ab1c7defe6a4d9ba1958c9d8b0f016
Instruction Fuzzy Hash: B551C278908748AACF11EBB49C55FFD7BF8EF45701F0081F9F851B22A1DA705A868B25

Function 00B94AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00B94B2B

Part of subcall function 00B97D2C: _memmove.LIBCMT ref: 00B97D66

GetCurrentProcess.KERNEL32(?,00C1FAEC,00000000,00000000,?), ref: 00B94BF8
IsWow64Process.KERNEL32(00000000), ref: 00B94BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00B94C45
FreeLibrary.KERNEL32(00000000), ref: 00B94C50
GetSystemInfo.KERNEL32(00000000), ref: 00B94C81
GetSystemInfo.KERNEL32(00000000), ref: 00B94C8D

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 49882db368a210f7750f7e61d7f97dd38e7dfd3842968b094da274622407125d
Instruction ID: f8ed0f679c4646fe42a950087c66ca82e9465332a31cb1a68c54d4732a1a5c21
Opcode Fuzzy Hash: 49882db368a210f7750f7e61d7f97dd38e7dfd3842968b094da274622407125d
Instruction Fuzzy Hash: F691B43154A7C4DECB31DB688591AAAFFE4EF26300B5849FDE0CA83A41D324E949D719

Function 00BF3B56 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B948AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B948A1,?,?,00B937C0,?), ref: 00B948CE

Part of subcall function 00BF4AD8: GetFileAttributesW.KERNELBASE(?,00BF374F), ref: 00BF4AD9

FindFirstFileW.KERNELBASE(?,?), ref: 00BF3BCD
DeleteFileW.KERNELBASE(?,?,?,?), ref: 00BF3C1D
FindNextFileW.KERNELBASE(00000000,00000010), ref: 00BF3C2E
FindClose.KERNEL32(00000000), ref: 00BF3C45
FindClose.KERNEL32(00000000), ref: 00BF3C4E

Strings

\*.*, xrefs: 00BF3B9F

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 1a49be0932aedcd58e8c49ae132665f8a72a38116f0b0399c3402ab4c5bf4480
Instruction ID: ac7367c7abeba2a1461aefa4164901e5566115ac66930e2d9d68429e119a8e02
Opcode Fuzzy Hash: 1a49be0932aedcd58e8c49ae132665f8a72a38116f0b0399c3402ab4c5bf4480
Instruction Fuzzy Hash: 2B318D3104C345ABC611EF64C8959AFB7E8BE96700F444EADF5D1931A1EB209A0DC762

Function 00B94FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00B94EEE,?,?,00000000,00000000), ref: 00B94FF9
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00B94EEE,?,?,00000000,00000000), ref: 00B95010
LoadResource.KERNEL32(?,00000000,?,?,00B94EEE,?,?,00000000,00000000,?,?,?,?,?,?,00B94F8F), ref: 00BCDC90
SizeofResource.KERNEL32(?,00000000,?,?,00B94EEE,?,?,00000000,00000000,?,?,?,?,?,?,00B94F8F), ref: 00BCDCA5
LockResource.KERNEL32(00B94EEE,?,?,00B94EEE,?,?,00000000,00000000,?,?,?,?,?,?,00B94F8F,00000000), ref: 00BCDCB8

Strings

SCRIPT, xrefs: 00B95006

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 3f7d1f1cc6450e0057f8aaa7eed7e9dc5fd501e79d511448ce099e5eb85b47b2
Instruction ID: f5bc227752023c7c777d90f3cd63cff21d028162c9955ca3007b10a0875a60f3
Opcode Fuzzy Hash: 3f7d1f1cc6450e0057f8aaa7eed7e9dc5fd501e79d511448ce099e5eb85b47b2
Instruction Fuzzy Hash: F4115E75240704BFEB328B65DC48F6B7BB9FBCAB11F1081BCF40586260DBB1E8018660

Function 00BFBD48 Relevance: 7.6, APIs: 5, Instructions: 143
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?), ref: 00BFBD72
_wcscmp.LIBCMT ref: 00BFBDA2
_wcscmp.LIBCMT ref: 00BFBDB7
FindNextFileW.KERNELBASE(00000000,?), ref: 00BFBDC8
FindClose.KERNELBASE(00000000,00000001,00000000), ref: 00BFBDF8

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: d245c331ac440b9c54bbe55401b934b7da3d263ec51f676c2a5db3c9fa7664f7
Instruction ID: 10273eaa7250e753f7ac26fc041be2c4c7832a9ea121fb44430093165788449b
Opcode Fuzzy Hash: d245c331ac440b9c54bbe55401b934b7da3d263ec51f676c2a5db3c9fa7664f7
Instruction Fuzzy Hash: 7051AF396046069FC714DF68C490EAAB3E4FF49320F1449ADFA5A873A1DB70ED09CB91

Function 00B9FE40 Relevance: 5.5, APIs: 3, Instructions: 1040COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: c031b800ebef5091cf4e6ed596c3bcaf46d834f7b75ebc3ee3fbed67c505c3f0
Instruction ID: 437a8e4594e6c656ea92dcc96c476fef73a0ab95bd17340cb52589df2dbc3f4b
Opcode Fuzzy Hash: c031b800ebef5091cf4e6ed596c3bcaf46d834f7b75ebc3ee3fbed67c505c3f0
Instruction Fuzzy Hash: 84924A746183419FDB24EF18C480B6AB7E1FF89304F1489ADE88A9B351E775EC45CB92

Function 00BF449B Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00BCE6F1), ref: 00BF44AB
FindFirstFileW.KERNEL32(?,?), ref: 00BF44BC
FindClose.KERNEL32(00000000), ref: 00BF44CC

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 39541ac1d0df3d6998ef9578cf1848895789edd37f012d2e55c0f1c006792b05
Instruction ID: be8300050ace439a463ecef8a886c0641b0fd5cc4547fc11e6d72b8728b149fe
Opcode Fuzzy Hash: 39541ac1d0df3d6998ef9578cf1848895789edd37f012d2e55c0f1c006792b05
Instruction Fuzzy Hash: C3E0D831810814575210A738EC4D6FF779CFE06335F104759FA35D22E0EB7499148595

Function 00B9E060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f19279eaa295bba97edf01974a0c50d789e0ba0e91f468ef191a9295521ee7f9
Instruction ID: 71b2ce50a9cad34787b0bf64326f964c02ff912c91a1e28a6f06e34f7cc740a9
Opcode Fuzzy Hash: f19279eaa295bba97edf01974a0c50d789e0ba0e91f468ef191a9295521ee7f9
Instruction Fuzzy Hash: 53225870A04216DFDF24DF54C481ABEB7F0FB08310F1485AAE866AB352E775E985CB91

Function 00BFC75D Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,?), ref: 00BFC787
FindClose.KERNEL32(00000000), ref: 00BFC7B7

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: ddea56145f3121c55b6a2e9c2b1c9b750fb6b934663c4d81dbb4972ad1fce6ed
Instruction ID: 92f7376c28c2a5dd7d1e87ea550306d75931c773bbb4355ccbbb212007bbd825
Opcode Fuzzy Hash: ddea56145f3121c55b6a2e9c2b1c9b750fb6b934663c4d81dbb4972ad1fce6ed
Instruction Fuzzy Hash: 9211A1326106049FDB10EF29C845A2EF7E8FF94320F00856EF9A9D72A1DB30AC05CB81

Function 00B9E800 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00BD41BB

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 8ed91763c7d6e5206a075e5d499dc0fae53f26dc9c8544ecbe14453f64c35bf9
Instruction ID: bc200e5a026f968d2270f7ad9cca5f9db13a90e1efec436da1155a543c7290d9
Opcode Fuzzy Hash: 8ed91763c7d6e5206a075e5d499dc0fae53f26dc9c8544ecbe14453f64c35bf9
Instruction Fuzzy Hash: 75A24874A00215CBCF24CF58C4C0AAEB7F1FB59310F6481AAE926AB351D775ED86CB91

Function 00BA0B30 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BA0BBB
timeGetTime.WINMM ref: 00BA0E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BA0FB3
Sleep.KERNEL32(0000000A), ref: 00BA0FC1
LockWindowUpdate.USER32(00000000,?,?), ref: 00BA105A
DestroyWindow.USER32 ref: 00BA1066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00BA1080
Sleep.KERNEL32(0000000A,?,?), ref: 00BD51DC
TranslateMessage.USER32(?), ref: 00BD5FB9
DispatchMessageW.USER32(?), ref: 00BD5FC7
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00BD5FDB

Strings

@GUI_WINHANDLE, xrefs: 00BD52E8
@TRAY_ID, xrefs: 00BD5AE8
@GUI_CTRLHANDLE, xrefs: 00BD533D
@GUI_CTRLID, xrefs: 00BD5293
@COM_EVENTOBJ, xrefs: 00BD5849

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4212290369-3242690629
Opcode ID: 27216bfed97e5254d4d16128904c1587e4edb9f4a57ca2d24466629a73497d26
Instruction ID: 8dcffdab43ee31d4742808dad485c707aa1690cc43e28fe6be5cd37360176b08
Opcode Fuzzy Hash: 27216bfed97e5254d4d16128904c1587e4edb9f4a57ca2d24466629a73497d26
Instruction Fuzzy Hash: F5B28E70608741DFDB34DB24C884BAEF7E5FB85304F1449AEE49A972A1DB71E845CB82

Function 00B93017 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 68
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00B93074
RegisterClassExW.USER32(00000030), ref: 00B9309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B930AF
InitCommonControlsEx.COMCTL32(?), ref: 00B930CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B930DC
LoadIconW.USER32(000000A9), ref: 00B930F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B93101

Strings

0, xrefs: 00B93056
TaskbarCreated, xrefs: 00B930A4
+, xrefs: 00B9305D
AutoIt v3 GUI, xrefs: 00B93090

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: c990c121a937923bdfc2b3d60f7eb74a7a98cefa41c7f384a97f3d9063ff2411
Instruction ID: fff3e6b3e20872f9d67ecee6f36b85fb2b21bcbeefb98789c6b50b70816358b1
Opcode Fuzzy Hash: c990c121a937923bdfc2b3d60f7eb74a7a98cefa41c7f384a97f3d9063ff2411
Instruction Fuzzy Hash: 563149B5841309AFDB00CFA4E8987DDBBF0FB09311F10816EE980A62A1D3B50582CF91

Function 00B93041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00B93074
RegisterClassExW.USER32(00000030), ref: 00B9309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B930AF
InitCommonControlsEx.COMCTL32(?), ref: 00B930CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B930DC
LoadIconW.USER32(000000A9), ref: 00B930F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B93101

Strings

0, xrefs: 00B93056
TaskbarCreated, xrefs: 00B930A4
+, xrefs: 00B9305D
AutoIt v3 GUI, xrefs: 00B93090

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 9ac6dd20517126fc0da56faf672d8a7903679444299e9ddaa74245b781550fe6
Instruction ID: 0ed6b875539776b28f4166c056d603e299809d8e1a9965ba9ea40ac1000bf57a
Opcode Fuzzy Hash: 9ac6dd20517126fc0da56faf672d8a7903679444299e9ddaa74245b781550fe6
Instruction Fuzzy Hash: 7021C2B5D51718AFDB00DFA4EC89BDDBBF4FB09711F00812AF914A62A0D7B145858F91

Function 00B971EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B94864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00C552F8,?,00B937C0,?), ref: 00B94882

Part of subcall function 00BB068B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00B972C5), ref: 00BB06AD

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00B97308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00BCEC21
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00BCEC62
RegCloseKey.ADVAPI32(?), ref: 00BCECA0
_wcscat.LIBCMT ref: 00BCECF9

Strings

Software\AutoIt v3\AutoIt, xrefs: 00B972FE
Include, xrefs: 00BCEC18, 00BCEC59
\, xrefs: 00BCED1C
\Include\, xrefs: 00B972C5

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: b7ad3e71f3ec43d7e66fc66a5f004b974d74714aec6a4cb0f55a887d65d0de1f
Instruction ID: 752401c962ba9d23ab569e78747ee4ee4a70897b202abe7501a3cb2048030463
Opcode Fuzzy Hash: b7ad3e71f3ec43d7e66fc66a5f004b974d74714aec6a4cb0f55a887d65d0de1f
Instruction Fuzzy Hash: B17169755193019ECB14EF25EC81AAFBBE8FF99300F80497EF455931A0DB709989CB52

Function 00BFA931 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CharLowerBuffW.USER32(?,?,00C1F910), ref: 00BFA995
GetDriveTypeW.KERNELBASE(00000061,00C489A0,00000061), ref: 00BFAA5F
_wcscpy.LIBCMT ref: 00BFAA89

Strings

fixed, xrefs: 00BFA9DD
network, xrefs: 00BFA9F3
ramdisk, xrefs: 00BFAA09
removable, xrefs: 00BFA9C7
unknown, xrefs: 00BFAA20
all, xrefs: 00BFA99B
cdrom, xrefs: 00BFA9B1

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 0130287b8ae36e996f179aca853fc25c8af83e53af60583893b9a43b0108b7a0
Instruction ID: 919b40fdbe2bf7553646892fef24571c47ba67eb05ac913743cba13562a43548
Opcode Fuzzy Hash: 0130287b8ae36e996f179aca853fc25c8af83e53af60583893b9a43b0108b7a0
Instruction Fuzzy Hash: 71519B701183059BCB18EF14C8D1ABEBBE5FF94300F5049ADF69A572A2DB71990DCA53

Function 00B93A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00B93A62
LoadCursorW.USER32(00000000,00007F00), ref: 00B93A71
LoadIconW.USER32(00000063), ref: 00B93A88
LoadIconW.USER32(000000A4), ref: 00B93A9A
LoadIconW.USER32(000000A2), ref: 00B93AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00B93AD2
RegisterClassExW.USER32(?), ref: 00B93B28

Part of subcall function 00B93041: GetSysColorBrush.USER32(0000000F), ref: 00B93074
Part of subcall function 00B93041: RegisterClassExW.USER32(00000030), ref: 00B9309E
Part of subcall function 00B93041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B930AF
Part of subcall function 00B93041: InitCommonControlsEx.COMCTL32(?), ref: 00B930CC
Part of subcall function 00B93041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B930DC
Part of subcall function 00B93041: LoadIconW.USER32(000000A9), ref: 00B930F2
Part of subcall function 00B93041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B93101

Strings

#, xrefs: 00B93B0D
AutoIt v3, xrefs: 00B93B17
0, xrefs: 00B93B06

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: bd42c6b1bb9a52910172985a061d48ee16c9b1bf1204814db7e62ceddf8c1c83
Instruction ID: 5df6cfb9361e2a67c4062fc8eee240c3f99a63272a65e1baefd14012ad6de062
Opcode Fuzzy Hash: bd42c6b1bb9a52910172985a061d48ee16c9b1bf1204814db7e62ceddf8c1c83
Instruction Fuzzy Hash: C8215578910308AFEB10DFA4EC19B9D7BF0FB08712F00416AE504BA2A1D7B55A808F84

Function 00BB6F80 Relevance: 16.8, APIs: 11, Instructions: 258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00BB6FBB

Part of subcall function 00BB8CA8: __getptd_noexit.LIBCMT ref: 00BB8CA8

__gmtime64_s.LIBCMT ref: 00BB7054
__gmtime64_s.LIBCMT ref: 00BB708A
__gmtime64_s.LIBCMT ref: 00BB70A7
__allrem.LIBCMT ref: 00BB70FD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BB7119
__allrem.LIBCMT ref: 00BB7130
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BB714E
__allrem.LIBCMT ref: 00BB7165
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BB7183
__invoke_watson.LIBCMT ref: 00BB71F4

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
Instruction ID: 621711a56ea9c20d09cf25c5e5a0911c86e3d4b1cd8a00931acbaaa09f2a58c6
Opcode Fuzzy Hash: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
Instruction Fuzzy Hash: 6871D871A44716ABE714AE6DCC41BFAB3F8EF54724F1441AAF414E7281EBB4DE4087A0

Function 00B93633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00B936D2
KillTimer.USER32(?,00000001), ref: 00B936FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00B9371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B9372A
CreatePopupMenu.USER32 ref: 00B9373E
PostQuitMessage.USER32(00000000), ref: 00B9375F

Strings

TaskbarCreated, xrefs: 00B93725

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: e0ffb15f2d91f8cff186079cc7a3c0cb8995e703ac30ed5f889dac20da09c4a5
Instruction ID: ce163a1cbe322e33b9e3697e87b4bf06015dfd87b62689cfe1be3c943ab6640c
Opcode Fuzzy Hash: e0ffb15f2d91f8cff186079cc7a3c0cb8995e703ac30ed5f889dac20da09c4a5
Instruction Fuzzy Hash: CC4159F9208605BBDF105FA8DC49FBE37D4EB01701F1441B8FA02A62E1CB64DE859762

Function 00B93778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CMDLINE, xrefs: 00B93834
/ErrorStdOut, xrefs: 00B9388F
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00B937C0
/AutoIt3ExecuteLine, xrefs: 00B938B9
/AutoIt3ExecuteScript, xrefs: 00B938CE
CMDLINERAW, xrefs: 00B9380D
/AutoIt3OutputDebug, xrefs: 00B938A4

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: e5554ae1caaa554cce6824c04e9a4ba056c8af71c64f0a0fd747b1ffbcd01690
Instruction ID: cb1770f4c261352d87a58dda94b5d79244463eb677c5b5237ddfd3a7ee320eff
Opcode Fuzzy Hash: e5554ae1caaa554cce6824c04e9a4ba056c8af71c64f0a0fd747b1ffbcd01690
Instruction Fuzzy Hash: 25A16B76910229AACF14EBA4CC92EEEB7F8BF14700F4400B9E416B7191EF745A49CB60

Function 00B939E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00B93A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00B93A36
ShowWindow.USER32(00000000,?,?), ref: 00B93A4A
ShowWindow.USER32(00000000,?,?), ref: 00B93A53

Strings

edit, xrefs: 00B93A30
AutoIt v3, xrefs: 00B93A0D, 00B93A12, 00B93A13

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 62668d14809ff36c9fd327f3fba5c3931fcf7f1bb11e0791eea7db691fe2772a
Instruction ID: c46751389e56dad65430f18a596836f601f59585248f3e1b19131d51f10ad20a
Opcode Fuzzy Hash: 62668d14809ff36c9fd327f3fba5c3931fcf7f1bb11e0791eea7db691fe2772a
Instruction Fuzzy Hash: 9BF017785407907EEA215723AC18F6F2E7DE7C7F51F01402EB908B21A0C6A11882DBB0

Function 00B969CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B94F3D: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00C552F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00B94F6F

_free.LIBCMT ref: 00BCE5BC
_free.LIBCMT ref: 00BCE603

Part of subcall function 00B96BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00B96D0D

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00BCE392
Bad directive syntax error, xrefs: 00BCE5EB

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 278deb3c239f8e2b5d734c9a62aa4f5eeafa7b8fe2dd962616bc7540e96ca8d1
Instruction ID: 82369f177920ea54bd9971f9792a26f567c0adb9928af7bbeaf61da4cb99eafb
Opcode Fuzzy Hash: 278deb3c239f8e2b5d734c9a62aa4f5eeafa7b8fe2dd962616bc7540e96ca8d1
Instruction Fuzzy Hash: 64912A71914219EFCF14EFA4C891AEDB7F4FF19314B1444A9F825AB2A1EB30E945CB60

Function 00B935B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00B935A1,SwapMouseButtons,00000004,?), ref: 00B935D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00B935A1,SwapMouseButtons,00000004,?,?,?,?,00B92754), ref: 00B935F5
RegCloseKey.KERNELBASE(00000000,?,?,00B935A1,SwapMouseButtons,00000004,?,?,?,?,00B92754), ref: 00B93617

Strings

Control Panel\Mouse, xrefs: 00B935D2

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 2b0ba4ac8b17c2a817d3515c9fb5729c5caa2de8283b061227bfb61fcacb9d5d
Instruction ID: addf287e25430a9fd3bd19dd6119fc9f3de27acdf9e931fe56935315f5a9f676
Opcode Fuzzy Hash: 2b0ba4ac8b17c2a817d3515c9fb5729c5caa2de8283b061227bfb61fcacb9d5d
Instruction Fuzzy Hash: 93111875519218BFDF20CFA8DC84AEEBBF8EF05B40F1185A9E805D7210D6719F519760

Function 00BF9604 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00B95045: _fseek.LIBCMT ref: 00B9505D

Part of subcall function 00BF97DD: _wcscmp.LIBCMT ref: 00BF98CD
Part of subcall function 00BF97DD: _wcscmp.LIBCMT ref: 00BF98E0

_free.LIBCMT ref: 00BF974B
_free.LIBCMT ref: 00BF9752
_free.LIBCMT ref: 00BF97BD

Part of subcall function 00BB2ED5: RtlFreeHeap.NTDLL(00000000,00000000,?,00BB9BA4), ref: 00BB2EE9
Part of subcall function 00BB2ED5: GetLastError.KERNEL32(00000000,?,00BB9BA4), ref: 00BB2EFB

_free.LIBCMT ref: 00BF97C5

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: a87b705b3ae5ae33e206766d6325fe0730d82beb17e6b297fdaebfaef393be7f
Instruction ID: de543ac01d003565d4247f94ca09d60ca6d10d0de1a1c89a5d914ee1e45d6ddc
Opcode Fuzzy Hash: a87b705b3ae5ae33e206766d6325fe0730d82beb17e6b297fdaebfaef393be7f
Instruction Fuzzy Hash: 0F515CB1D04618AFDF249F65DC81AAEBBB9EF48300F1045EEB609A7241DB715E84CF58

Function 00B94531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B94560

Part of subcall function 00B9410D: _memset.LIBCMT ref: 00B9418D
Part of subcall function 00B9410D: _wcscpy.LIBCMT ref: 00B941E1
Part of subcall function 00B9410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00B941F1

KillTimer.USER32(?,00000001,?,?), ref: 00B945B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00B945C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00BCD5FE

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 26e2e24ba1f03710990de0d7903a91814671aada0635683ad7f70a7ab1c13470
Instruction ID: 9b5e195ff0ad58fc7d8021a5a2e4978d77b967017b7e98d74e06ddd2e816dce9
Opcode Fuzzy Hash: 26e2e24ba1f03710990de0d7903a91814671aada0635683ad7f70a7ab1c13470
Instruction Fuzzy Hash: E321AA745047849FEB328B74D895FEBBBECEF12308F0400EEE69A56141D7745985CB51

Function 00B973E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BCED92
GetOpenFileNameW.COMDLG32(?), ref: 00BCEDDC

Part of subcall function 00B948AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B948A1,?,?,00B937C0,?), ref: 00B948CE

Part of subcall function 00BB0911: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00BB0930

Strings

X, xrefs: 00BCEDAA

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 8a00d901c1d6dd9dfba34c51c755e9b5fa7b5329ca1f451bd20e7e2bb63375b2
Instruction ID: a11d5d80ccd38cf2b52698615c06ba1149624a3615a649ec9e52c42e6f84712e
Opcode Fuzzy Hash: 8a00d901c1d6dd9dfba34c51c755e9b5fa7b5329ca1f451bd20e7e2bb63375b2
Instruction Fuzzy Hash: 3421A170A10258ABCF11DF94C845BEE7BF8AF49700F0040AAE409A7242DFF499898FA1

Function 00C0CBF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18bc07d59e04e35816f398279c78d15f8effebc60de17f4965d1a3b4378e283d
Instruction ID: e3d57521f9cba426dc33fdfaf0a8eab33162c8ae43fdd6d73d1295bef1afa225
Opcode Fuzzy Hash: 18bc07d59e04e35816f398279c78d15f8effebc60de17f4965d1a3b4378e283d
Instruction Fuzzy Hash: BDF13A715083019FCB14DF28C484A6ABBE5FF88314F14896EF8AA9B391D771E945CF82

Function 00B9F8CF Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB02E2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00BB0313
Part of subcall function 00BB02E2: MapVirtualKeyW.USER32(00000010,00000000), ref: 00BB031B
Part of subcall function 00BB02E2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00BB0326
Part of subcall function 00BB02E2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00BB0331
Part of subcall function 00BB02E2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00BB0339
Part of subcall function 00BB02E2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00BB0341

Part of subcall function 00BA6259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00B9FA90), ref: 00BA62B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00B9FB2D
OleInitialize.OLE32(00000000), ref: 00B9FBAA
CloseHandle.KERNEL32(00000000), ref: 00BD4921

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: d03a899882e09c2aa38fbef0a05982ca4a22df4580e1e65f8fb6cd1831a8e713
Instruction ID: 08738ad7a2ccba1dbe776d8c8052cd5fc1282f03d05122fcae6c4db1b383ee4c
Opcode Fuzzy Hash: d03a899882e09c2aa38fbef0a05982ca4a22df4580e1e65f8fb6cd1831a8e713
Instruction Fuzzy Hash: 6981DAF8925B40CFCB80DF29A86432C7BE5FB98307794816A9409EB272EB7054C5CF14

Function 00BB588C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00BB58A3

Part of subcall function 00BBA2EB: __NMSG_WRITE.LIBCMT ref: 00BBA312
Part of subcall function 00BBA2EB: __NMSG_WRITE.LIBCMT ref: 00BBA31C

__NMSG_WRITE.LIBCMT ref: 00BB58AA

Part of subcall function 00BBA348: GetModuleFileNameW.KERNEL32(00000000,00C533BA,00000104,?,00000001,00000000), ref: 00BBA3DA
Part of subcall function 00BBA348: ___crtMessageBoxW.LIBCMT ref: 00BBA488

Part of subcall function 00BB321F: ___crtCorExitProcess.LIBCMT ref: 00BB3225
Part of subcall function 00BB321F: ExitProcess.KERNEL32 ref: 00BB322E

Part of subcall function 00BB8CA8: __getptd_noexit.LIBCMT ref: 00BB8CA8

RtlAllocateHeap.NTDLL(01250000,00000000,00000001,00000000,?,?,?,00BB0F53,?), ref: 00BB58CF

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: a07713afebd872844e314fc2576d72575eb8412060c7513f86694b626422ca15
Instruction ID: 2523ceea88f71f035e8af8fe5f00e9d2f8b0c384f9785916d2b962dfb245ee42
Opcode Fuzzy Hash: a07713afebd872844e314fc2576d72575eb8412060c7513f86694b626422ca15
Instruction Fuzzy Hash: D201F135240F01ABD6312774EC82BFE77C8DF82B61F1005A9F501AB1D2DEF08E408666

Function 00B9AB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 00BCFF5A

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: b7beae620856b3f1a74f0684ddffb052f0f44486f4544c6e8072ff5ea04816d4
Instruction ID: 56cf4890b3bcabdc0c1566662c4d93beedff847196ed4704844bfd7a5c4a0cd6
Opcode Fuzzy Hash: b7beae620856b3f1a74f0684ddffb052f0f44486f4544c6e8072ff5ea04816d4
Instruction Fuzzy Hash: 442237705183119FCB24DF14C494B6ABBE1FF85304F1589ADE89A9B362D731EC85DB82

Function 00B94DD0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B94E1A

Strings

EA06, xrefs: 00BCDC25

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: 160c646a10ab3f70252aac57a5894c161a4637242598c8a40763f907227aad5f
Instruction ID: 3e8ae2d7a5489106709291561d95fa9c0adba1f8665a23fa06e4a74e3b3d292c
Opcode Fuzzy Hash: 160c646a10ab3f70252aac57a5894c161a4637242598c8a40763f907227aad5f
Instruction Fuzzy Hash: 1D417C31A049585BCF2A9B648891FBF7FE6EF05300F2844F4E8829B282D7219D4783E1

Function 00BF6306 Relevance: 3.2, APIs: 2, Instructions: 216COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00BF63DA
_memmove.LIBCMT ref: 00BF63F8

Part of subcall function 00BF6561: _memmove.LIBCMT ref: 00BF65EF

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 125b0bbfa5f59846946235bf2c340a587090b67538f74ffc14dc26f96c2d54fb
Instruction ID: eb67eab448e586c720b60a6a380b3540a7e7683812d9bfb0cbd8bc3ae32ccb0c
Opcode Fuzzy Hash: 125b0bbfa5f59846946235bf2c340a587090b67538f74ffc14dc26f96c2d54fb
Instruction Fuzzy Hash: 0F71A27160021C9FCB24AF18C595BBE77E5EF54324F24859CEE962B392CB31AC09CB50

Function 00BF5C21 Relevance: 3.1, APIs: 2, Instructions: 142COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00BF5C3A

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: BuffCharLower
String ID:
API String ID: 2358735015-0
Opcode ID: de43c76a53715a5d1b5b217838fd8aeadae4a5feb001a31b9b83ca33949098fc
Instruction ID: 58bda46cd34cba944797d612f21d64d8e5c2abf95354ce710516dc0898798eff
Opcode Fuzzy Hash: de43c76a53715a5d1b5b217838fd8aeadae4a5feb001a31b9b83ca33949098fc
Instruction Fuzzy Hash: A6415176600A0DAFDB259FA4C8819BAB7F8FB44350B1085BEE71697241EB709E49CB50

Function 00B9492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00B94992

Part of subcall function 00BB34EC: __lock.LIBCMT ref: 00BB34F2
Part of subcall function 00BB34EC: DecodePointer.KERNEL32(00000001,?,00B949A7,00BE7F9C), ref: 00BB34FE
Part of subcall function 00BB34EC: EncodePointer.KERNEL32(?,?,00B949A7,00BE7F9C), ref: 00BB3509

Part of subcall function 00B94A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00B94A73
Part of subcall function 00B94A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00B94A88

Part of subcall function 00B93B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B93B7A
Part of subcall function 00B93B4C: IsDebuggerPresent.KERNEL32 ref: 00B93B8C
Part of subcall function 00B93B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,00C552F8,00C552E0,?,?), ref: 00B93BFD
Part of subcall function 00B93B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00B93C81

SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 00B949D2

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 086c4aee0c54c8731ad6d34a9c5ef3a078a9ba42e4a26b34c1232afdb1cb31fd
Instruction ID: e79258806590cb6a96eb1ab0fc33cbf310d8740fa8f70c7e40048ecaa7789e26
Opcode Fuzzy Hash: 086c4aee0c54c8731ad6d34a9c5ef3a078a9ba42e4a26b34c1232afdb1cb31fd
Instruction Fuzzy Hash: 22119D718143119FC700DF69DC45B5EFBE8EB84711F10856EF045A32B1DBB09A85CB96

Function 00B95DF9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00B95981,?,?,?,?), ref: 00B95E27
CreateFileW.KERNELBASE(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00B95981,?,?,?,?), ref: 00BCE0CC

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: fb9ce625f8e4e664f950664cef7a292e8fb5391944737572e86b9fcbffb78f07
Instruction ID: e603812d1b92b255c0c9aa2d9f9a6de7aba1ce976e76187b2dd2497b6787b36d
Opcode Fuzzy Hash: fb9ce625f8e4e664f950664cef7a292e8fb5391944737572e86b9fcbffb78f07
Instruction Fuzzy Hash: A8019270284708BFFB350E24CC8AFA63ADCEB05768F10C368BAE55A1E0C6B15E458B54

Function 00BB0F36 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00BB588C: __FF_MSGBANNER.LIBCMT ref: 00BB58A3
Part of subcall function 00BB588C: __NMSG_WRITE.LIBCMT ref: 00BB58AA
Part of subcall function 00BB588C: RtlAllocateHeap.NTDLL(01250000,00000000,00000001,00000000,?,?,?,00BB0F53,?), ref: 00BB58CF

std::exception::exception.LIBCMT ref: 00BB0F6C
__CxxThrowException@8.LIBCMT ref: 00BB0F81

Part of subcall function 00BB871B: RaiseException.KERNEL32(?,?,?,00C49E78,00000000,?,?,?,?,00BB0F86,?,00C49E78,?,00000001), ref: 00BB8770

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: ebbd8ab320db6575d6b6d873c62fc5a7025a5f6543e6566bf083a9688bf84b44
Instruction ID: 82813f53a7b7bb8b5477a1d2c5beaf9f50c24aaa8f276af4ad2734add39d26bb
Opcode Fuzzy Hash: ebbd8ab320db6575d6b6d873c62fc5a7025a5f6543e6566bf083a9688bf84b44
Instruction Fuzzy Hash: EAF08C716142296BCB20FA98EC51AFF7BECEF00750F5004A6F90996692EFF08A50D6D1

Function 00BB5516 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00BB8CA8: __getptd_noexit.LIBCMT ref: 00BB8CA8

__lock_file.LIBCMT ref: 00BB555B

Part of subcall function 00BB6D8E: __lock.LIBCMT ref: 00BB6DB1

__fclose_nolock.LIBCMT ref: 00BB5566

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 90398c016d304feda47fb711515a01bf3ea7cac9f35a5558890bd8ad631818cf
Instruction ID: 78922a03568b8d0e0d251f59f327251498fc25271ba80b7e1e993a1e076faf27
Opcode Fuzzy Hash: 90398c016d304feda47fb711515a01bf3ea7cac9f35a5558890bd8ad631818cf
Instruction Fuzzy Hash: 00F09071901A009BD7306B7988027FE67E6AF50332F148289B415AB1C5CBFC9A42DB53

Function 00BC3E3C Relevance: 3.0, APIs: 2, Instructions: 17COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00BC3E53

Part of subcall function 00BB9D8B: __mtinitlocknum.LIBCMT ref: 00BB9D9D
Part of subcall function 00BB9D8B: EnterCriticalSection.KERNEL32(00000000,?,00BB9BFC,0000000D), ref: 00BB9DB6

__tzset_nolock.LIBCMT ref: 00BC3E66

Part of subcall function 00BC40BA: __lock.LIBCMT ref: 00BC40DF
Part of subcall function 00BC40BA: ____lc_codepage_func.LIBCMT ref: 00BC4126
Part of subcall function 00BC40BA: __getenv_helper_nolock.LIBCMT ref: 00BC4147
Part of subcall function 00BC40BA: _free.LIBCMT ref: 00BC417A
Part of subcall function 00BC40BA: _strlen.LIBCMT ref: 00BC4181
Part of subcall function 00BC40BA: __malloc_crt.LIBCMT ref: 00BC4188

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: __lock$CriticalEnterSection____lc_codepage_func__getenv_helper_nolock__malloc_crt__mtinitlocknum__tzset_nolock_free_strlen
String ID:
API String ID: 360932542-0
Opcode ID: 5cd0ce54799e18b09c4992bccf5cc2091911c9cf8e08c6a9f1ba84043b7abdc2
Instruction ID: 85cb62d481c41b12caff95350ad5b06d6a842bf9d0df05bf31794e4c9ebca43d
Opcode Fuzzy Hash: 5cd0ce54799e18b09c4992bccf5cc2091911c9cf8e08c6a9f1ba84043b7abdc2
Instruction Fuzzy Hash: DBE0EC39580345DAFA10BBF09807B6E71E4AB11B27F5091DEE541241D28BF94785EF22

Function 00B9F3F0 Relevance: 1.7, APIs: 1, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2822809514d9f10c72aae7f24890e2df6369707223215b2ff69d783a5f043139
Instruction ID: e9650779c9e630c12fb2893a47dfc05d7eed6e0c7c92a0525332ec967f0328f3
Opcode Fuzzy Hash: 2822809514d9f10c72aae7f24890e2df6369707223215b2ff69d783a5f043139
Instruction Fuzzy Hash: BA617970A0020A9FCF20EF54C881ABAB7E5EB45320F1584BAE916DB391E770ED55CB50

Function 00BA2123 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94e08a5610cb783ec2bb5b29ac27ed4904d798cd0d42128b8088d9f89c13bd0e
Instruction ID: 62c6a8357ffc8063a930d8b390e9424140cacd838352b3576a046d517be7f805
Opcode Fuzzy Hash: 94e08a5610cb783ec2bb5b29ac27ed4904d798cd0d42128b8088d9f89c13bd0e
Instruction Fuzzy Hash: A4518034604604AFCF15EB68C991EBEB7E5AF85310F1480E9F946AB392DB34ED01DB50

Function 00BFBEEC Relevance: 1.6, APIs: 1, Instructions: 140fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE(?,?,?,?,00000001), ref: 00BFBFF4

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 873db7505cfcce9019a76903e65392b8d0781e6ab50aef8b7fad72cb89326f69
Instruction ID: 40f8228c27981d9bf06318fac321fc0cac9e5ca01ea664a9d64d9a4ca81f4e7e
Opcode Fuzzy Hash: 873db7505cfcce9019a76903e65392b8d0781e6ab50aef8b7fad72cb89326f69
Instruction Fuzzy Hash: 9D515331214208AFC714EF68C995FAAB7E8FF49304F1445ADF5958B2A2DB31F909CB45

Function 00BA02F9 Relevance: 1.6, APIs: 1, Instructions: 131COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00BA047A

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 7cce6d332935b9b450def5646795f5090848f2868c507e3c2d2772ae442055ba
Instruction ID: a3c38f9c815c39b8c27315a2614b3f83fcf5bc70ecd0a7757c5844e43a8f74ff
Opcode Fuzzy Hash: 7cce6d332935b9b450def5646795f5090848f2868c507e3c2d2772ae442055ba
Instruction Fuzzy Hash: 025158706183018FD720DF14C880B6AB7E1FF86304F5489ADE89A8B361E779EC45CB96

Function 00BA0338 Relevance: 1.6, APIs: 1, Instructions: 119COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00BA047A

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 0679df011fcd64ed149f95da870f18be1b779785d966b452234e47a5648516ae
Instruction ID: 99265d248e41fdcbed7b23847b2342a431b3cc496c6dd37ac896c33f5888560d
Opcode Fuzzy Hash: 0679df011fcd64ed149f95da870f18be1b779785d966b452234e47a5648516ae
Instruction Fuzzy Hash: 9C4178705087019FD720EF14C881B6AB7E1FF86300F5489ADE89A8B361E779EC45CB96

Function 00BD4053 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00BD405F

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 196c5e318b850634c516779f1db73c9ec3a85795475ea90fd207495644b51e7e
Instruction ID: 0266c89ef753071603dd11950e59a3ced1d707e9d33dc098c0c1f3fe912c5b05
Opcode Fuzzy Hash: 196c5e318b850634c516779f1db73c9ec3a85795475ea90fd207495644b51e7e
Instruction Fuzzy Hash: F7410974A006159FCB14CF98C584AADB7F1FF48314F2980AAE519AB351D7B5ED81CB80

Function 00B99E9C Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afde83f69a9c326a80204c16d85c8acce2182cfada14d4f3c4369dcbbdb5ec42
Instruction ID: 11a032d5f936a882c24f462023f1cc1b40e7794f5073f219adaad4e3bb65a5ce
Opcode Fuzzy Hash: afde83f69a9c326a80204c16d85c8acce2182cfada14d4f3c4369dcbbdb5ec42
Instruction Fuzzy Hash: 0A318D31100A019FDEB9EF1DC484A3AB7E6EF41B91B2448FEE49A86521CB32AC44DB51

Function 00B95C4E Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00B95CF6

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 01d8501760b87498c1dcf6dda614d79948adb7af17e5de1664b35ea82e4bda3d
Instruction ID: 904fd711f9793af8b20a20c241962b4df4d3cd8e6dbeb0eb8bd097b0f656387e
Opcode Fuzzy Hash: 01d8501760b87498c1dcf6dda614d79948adb7af17e5de1664b35ea82e4bda3d
Instruction Fuzzy Hash: 93315971A00B09ABCF29CF69C484AADB7F5FF48310F258669E81993710D771B9A0DB90

Function 00BD0005 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00BD0010

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 3bc5656da5a97f076fd1f4389b32fd867742de086372cad5766c1d1ab2484d70
Instruction ID: 817324f3b359323e8588b75329374204d5819aaf237f033e74980c557d10a285
Opcode Fuzzy Hash: 3bc5656da5a97f076fd1f4389b32fd867742de086372cad5766c1d1ab2484d70
Instruction Fuzzy Hash: A54137745183518FDB24DF14C484B2ABBE1FF85318F1988ACE8898B762D772EC45CB92

Function 00B980D7 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B98109

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: ba9ee535e5d8e80dc3efefa8b1a02331d0d713b85fbaa5afeee217959d05c8f1
Instruction ID: bd2bcca64e6be5999fb04c70492ae22279a9d7a3a2ee8841727afbf909d3bb93
Opcode Fuzzy Hash: ba9ee535e5d8e80dc3efefa8b1a02331d0d713b85fbaa5afeee217959d05c8f1
Instruction Fuzzy Hash: 51111C75204605DFCB24DF28D481966B7E9FF49354B20C87EE58ADB661DB32E842CB50

Function 00B94F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B94D13: FreeLibrary.KERNEL32(00000000,?), ref: 00B94D4D

Part of subcall function 00BB53CB: __wfsopen.LIBCMT ref: 00BB53D6

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00C552F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00B94F6F

Part of subcall function 00B94CC8: FreeLibrary.KERNEL32(00000000), ref: 00B94D02

Part of subcall function 00B94DD0: _memmove.LIBCMT ref: 00B94E1A

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: bcd80cfa08b19d0a91564f229d49abb458ab6d97507faaed0db5f6e55d63ae02
Instruction ID: cbfaa39ff2e5d23e27b61b0b8a3db4734038b8114058c3656bc155a9d27230f5
Opcode Fuzzy Hash: bcd80cfa08b19d0a91564f229d49abb458ab6d97507faaed0db5f6e55d63ae02
Instruction Fuzzy Hash: A911E73164060AABCF25AF70CC52FAE77E5DF44701F1089BDF541A7181EBB59A069760

Function 00BD00DE Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00BD00EA

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: aa68553d082063ade73eb3fd75edca8f1ae75b962f67744aee1ab546c8220608
Instruction ID: e864cc32ee64e3b004079b96040f4f6103e3f2c9b1ef240e32f4c3c28ad0090e
Opcode Fuzzy Hash: aa68553d082063ade73eb3fd75edca8f1ae75b962f67744aee1ab546c8220608
Instruction Fuzzy Hash: 682110B0918741CFCB24EF14C884B6BBBE1BF89314F1589ACE89A57721D731E805DB92

Function 00C11731 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C117A3

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 950b0fb5b635b12f03cbc5fbbb746f2f12e14b4ccb6a30ab360fdf271b594b50
Instruction ID: b9a922067a551b4205b82fb3859d427b4089b4f9772e5abd26f0bcd4428ac3e0
Opcode Fuzzy Hash: 950b0fb5b635b12f03cbc5fbbb746f2f12e14b4ccb6a30ab360fdf271b594b50
Instruction Fuzzy Hash: 4301DB367001145B8710FF68C9858AAF3E5EF8536070942B8ED189B391DE71BD44C7D0

Function 00B95D20 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00B95807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00B95D76

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: a300920395fc9c1cd80ee8e7738e1ff97d0d0e4d5ed05cfe5ba839acd69b5ebf
Instruction ID: 11bcc560a183b0870acc995417f7f4897b46736755db87af660f93c72eec3f3e
Opcode Fuzzy Hash: a300920395fc9c1cd80ee8e7738e1ff97d0d0e4d5ed05cfe5ba839acd69b5ebf
Instruction Fuzzy Hash: 6A113631240B05AFDB328F15D888F66B7E9FF45760F10C97EE4AA86A50D7B0E945CB60

Function 00BD43D3 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00BD43DF

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: f91b1fe2b14c9199d7720c77a38fe620176df1da44c0688356809d93255acd2a
Instruction ID: 463da4c95ca8492272aa9f1b6c911d1ec0575ccfc7b3c0f0867103cc77fefdc5
Opcode Fuzzy Hash: f91b1fe2b14c9199d7720c77a38fe620176df1da44c0688356809d93255acd2a
Instruction Fuzzy Hash: 23012D35A006198BCF20DF98C484BBEB3F5EB55360B5580BAE95AEB710D731ED41CB80

Function 00BFB697 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ceaee0682654b58c7e0fe58519da836810ad7b04356780de1c8aaa97ce9df0c
Instruction ID: 5ae12b76c2bee66a58d1f9c0eb350428acc9650bb4db2d29bfe05841cd83b275
Opcode Fuzzy Hash: 9ceaee0682654b58c7e0fe58519da836810ad7b04356780de1c8aaa97ce9df0c
Instruction Fuzzy Hash: EC115B35204209AFDB20DF58C894FAAB7E9EF05320F0584A9FA198B261CB70EC04CB90

Function 00BEFA6E Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00BEFAA9

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 8b04bfe8a3894fd064e63d7bea99229640f34587b8fc76b9b4c2b88b74945d58
Instruction ID: 2563e3b12adb7834857e252f9eeabf968f1397fc1e448706139b553708694bf3
Opcode Fuzzy Hash: 8b04bfe8a3894fd064e63d7bea99229640f34587b8fc76b9b4c2b88b74945d58
Instruction Fuzzy Hash: DC01D132201226ABCB24DF2DD8819BBB7E9EFC5364714847EF80ACF205E631E901C790

Function 00B97F41 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B97F82

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 4f214ae791914b6fb40738de1e3a7a09bea0b650c63edbb46032457c95d1bc73
Instruction ID: 6d11edb43e20c77f9997694ebd51dfaa0dd49f7d75487e6386a2698462274115
Opcode Fuzzy Hash: 4f214ae791914b6fb40738de1e3a7a09bea0b650c63edbb46032457c95d1bc73
Instruction Fuzzy Hash: A901D6722647056ED7249B28CC02FB7BBE4DB44760F10857AF51ACA191EA71E4008B50

Function 00BF776D Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00BB0F36: std::exception::exception.LIBCMT ref: 00BB0F6C
Part of subcall function 00BB0F36: __CxxThrowException@8.LIBCMT ref: 00BB0F81

_memset.LIBCMT ref: 00BF77A2

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Exception@8Throw_memsetstd::exception::exception
String ID:
API String ID: 525207782-0
Opcode ID: ed07f6ba71ebfa362c12fda3897df1de754938e0f34d9147bd035948e11a2e22
Instruction ID: 4412889e7b2cac6016e6bafd8da7a706386b424bdd8f7f96a589b00bed2d98fc
Opcode Fuzzy Hash: ed07f6ba71ebfa362c12fda3897df1de754938e0f34d9147bd035948e11a2e22
Instruction Fuzzy Hash: 2101FB742142019FD321EF5CD541BA6BBE1EF59310F24C4A9F5888B352DBB2E801CB94

Function 00BCFA5E Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

Part of subcall function 00BB0F36: std::exception::exception.LIBCMT ref: 00BB0F6C
Part of subcall function 00BB0F36: __CxxThrowException@8.LIBCMT ref: 00BB0F81

_memmove.LIBCMT ref: 00BCFA8F

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Exception@8Throw_memmovestd::exception::exception
String ID:
API String ID: 1602317333-0
Opcode ID: 88a421868a09ddcd2f04f0a2e177da3dc0f869235afdc1f861af5ae78a72f008
Instruction ID: 85d5db0f83936f4bc3206abbe18b43e87dc96c0378a367f91751c57a798ad73a
Opcode Fuzzy Hash: 88a421868a09ddcd2f04f0a2e177da3dc0f869235afdc1f861af5ae78a72f008
Instruction Fuzzy Hash: 95F0FF74611102DFD720EF58C581A71BBE1FF59304F2484ECE1898B352E772E811CB91

Function 00C0C13B Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

_wcsftime.LIBCMT ref: 00C0C16D

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _wcsftime
String ID:
API String ID: 2185096739-0
Opcode ID: b80eb2f3534af4c0a7e0b4f83355b34026260e40d4629142369d78081cd9543f
Instruction ID: 5551c9265d9f071af795e48505c5e8f3c76e2f36f2c68072013263e999fc0c5c
Opcode Fuzzy Hash: b80eb2f3534af4c0a7e0b4f83355b34026260e40d4629142369d78081cd9543f
Instruction Fuzzy Hash: 16F0127190420CBBDF11EBA4CD81BED73ECAF18310F1041E6F958A6191E631EB68CBA1

Function 00BD44D8 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00BD44E3

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 5cc420468c9e324b4ef5613fda60c74bc36e026d64d977bd50da4645fe599275
Instruction ID: 4e2a25e19abf48b78dc101ac89d4d187f6c7d8323dca68c6cec8bc2c8a733579
Opcode Fuzzy Hash: 5cc420468c9e324b4ef5613fda60c74bc36e026d64d977bd50da4645fe599275
Instruction Fuzzy Hash: 24F06575A001548BDF20DF98E885BAEB3F4EF51320F1044B9E85AEB200D7719850DB91

Function 00B94FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00C552F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00B94FDE

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 82a0328971ba15466cf7900116e0a904b7d6a7a0121f6e60a32529bc7fb9010e
Instruction ID: a5881ddc37880529cc04b505c62d84366290f626ba277bc0a4502aead41a9f95
Opcode Fuzzy Hash: 82a0328971ba15466cf7900116e0a904b7d6a7a0121f6e60a32529bc7fb9010e
Instruction Fuzzy Hash: B9F03971105712CFCB349F74E494E66BBE1FF1432A3208ABEE5DA82610C771A841DF50

Function 00BD24B6 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00BD24C1

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: b8af45d687ff40c04f47dc78052617bad97f11c2779a4526fd151e919777e43b
Instruction ID: b2e57db5ffcd0794e3ad8c8cc77e3c3cccf80c7786335c5da1163524aaa04d53
Opcode Fuzzy Hash: b8af45d687ff40c04f47dc78052617bad97f11c2779a4526fd151e919777e43b
Instruction Fuzzy Hash: 05E0E570A041869BEF309B789404B72FBD4EB20320F1044FBD49681240F7A19894A751

Function 00BB0911 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00BB0930

Part of subcall function 00B97D2C: _memmove.LIBCMT ref: 00B97D66

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 067868c0b7e63194b64e13eadbeb8f1c5e9c82386fdbcaceff4c678da153c371
Instruction ID: 8319149d2cec3f0b98783b4c2c19e32cd6ef42e749630e54cb7c5a5d9d7b7a8d
Opcode Fuzzy Hash: 067868c0b7e63194b64e13eadbeb8f1c5e9c82386fdbcaceff4c678da153c371
Instruction Fuzzy Hash: BBE0867694522867C720D6589C05FEA77EDDF89690F0441F5FC4CD7215D9619C818690

Function 00BF4804 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00BF481D

Part of subcall function 00B97D2C: _memmove.LIBCMT ref: 00B97D66

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: FolderPath_memmove
String ID:
API String ID: 3334745507-0
Opcode ID: fbbf900889c293f32823da54793147557923aefd0d0a1cb6e1f139cacb80c4e8
Instruction ID: 16adffe5ab4553bed549e203338cc7411d0b3cd6d8c71435d26e9f8edf262471
Opcode Fuzzy Hash: fbbf900889c293f32823da54793147557923aefd0d0a1cb6e1f139cacb80c4e8
Instruction Fuzzy Hash: 30D017A291022C2BDB60E6689C0DEBB7AACDB44220F0006B5785CC3112E9249D4586E0

Function 00BF349E Relevance: 1.5, APIs: 1, Instructions: 20fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00BF339D: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000001,?,?,00BF34AA,?,?,?,00BCDF90,00C455C0,00000002,?,?), ref: 00BF341B

WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00BCDF90,00C455C0,00000002,?,?,?,?), ref: 00BF34B8

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: File$PointerWrite
String ID:
API String ID: 539440098-0
Opcode ID: 66fe6fb2a5efe6ced2cd8c78e82953ffde395f1f7e73b4eaafffe095d8e8aad9
Instruction ID: 5d7d463818ffb9e82d8c74519bfab126f2e0fc3ea35519af5902522356a70596
Opcode Fuzzy Hash: 66fe6fb2a5efe6ced2cd8c78e82953ffde395f1f7e73b4eaafffe095d8e8aad9
Instruction Fuzzy Hash: 9BE04636400208FBDB20EF94D805FDAB7FDEB04320F10465AFA4082111DBB2AE249BA0

Function 00B95DAE Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,00BCE09B,?,?,00000000), ref: 00B95DBF

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 640576533455317d4b55c57bf6c96d8c42721511841757da6620ecb9379cd2fb
Instruction ID: ef43f09804d1fa5a94b32c15b044555781fe5ad296d3f675da3f80ff8dd94a9b
Opcode Fuzzy Hash: 640576533455317d4b55c57bf6c96d8c42721511841757da6620ecb9379cd2fb
Instruction Fuzzy Hash: C7D0C77464020CBFEB10DB80DC46FAD777CE705710F200194FD0456290D6B27D508795

Function 00BF4AD8 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00BF374F), ref: 00BF4AD9

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: cdf9e9c6e4ad6517b35dace1b4d16997040a35a50d74069ce705cbb9fb6da41b
Instruction ID: 62a0df5e3e9c60425ed564f4a467ccd4c7f632ee6d950eda97b798c56ef55bf0
Opcode Fuzzy Hash: cdf9e9c6e4ad6517b35dace1b4d16997040a35a50d74069ce705cbb9fb6da41b
Instruction Fuzzy Hash: 73B0923C040E0405AD288A391A4C2AB2380A8433A5BD89BC4E57A870E1C339880FE614

Function 00BB53CB Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00BB53D6

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: dfaaef579c1c5dbf10dfd522a9e701578e42bd234b865310b35e41ce79d17527
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 6CB0927644020C77CE122A82EC02B993B999B407A4F408060FB0C182A2A6B3A6A0969A

Function 00BFD107 Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 00BFD28B

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 54c54c5542f776cb4a2d5e0efdd7c352ae0b3650fb56648c8b4aa58c1c8801b0
Instruction ID: 61f008c4daf9c188c51c61361d42db1f8e41c8c616a687c99a31066ab22c916e
Opcode Fuzzy Hash: 54c54c5542f776cb4a2d5e0efdd7c352ae0b3650fb56648c8b4aa58c1c8801b0
Instruction Fuzzy Hash: ED7132302083058FCB14EF68C591A6EB7E1EF89714F0449ADF5969B2A2DB30ED09CB56

Function 00BFBCB9 Relevance: 1.3, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00BF3B56: FindFirstFileW.KERNELBASE(?,?), ref: 00BF3BCD
Part of subcall function 00BF3B56: DeleteFileW.KERNELBASE(?,?,?,?), ref: 00BF3C1D
Part of subcall function 00BF3B56: FindNextFileW.KERNELBASE(00000000,00000010), ref: 00BF3C2E
Part of subcall function 00BF3B56: FindClose.KERNEL32(00000000), ref: 00BF3C45

GetLastError.KERNEL32 ref: 00BFBCDB

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: FileFind$CloseDeleteErrorFirstLastNext
String ID:
API String ID: 2191629493-0
Opcode ID: 8c65e32373dcff91a7295df98d54e99e30474d812c4d3f420d44b7a037640139
Instruction ID: 0283f04023f86e28e744c223ad4c17f5fc6119cf822a9016c17d7392aa54d421
Opcode Fuzzy Hash: 8c65e32373dcff91a7295df98d54e99e30474d812c4d3f420d44b7a037640139
Instruction Fuzzy Hash: F3F05E322001148FCB10AB58D450F6DB7E5AF84720F0480ADF94987352CB74B8018B94

Function 00B95DCF Relevance: 1.3, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,00B95921,?,00B96C37), ref: 00B95DEF

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 35e9823f13b57a251221a79bc1c932c0beab8866d87b45c628b7be0eca4fe0b3
Instruction ID: 8a129b5f22f0226c02d14baa5477c9b732108795e71203cd41523a9263e1e678
Opcode Fuzzy Hash: 35e9823f13b57a251221a79bc1c932c0beab8866d87b45c628b7be0eca4fe0b3
Instruction Fuzzy Hash: 09E09A75440A01CEC7324F1AE804455FBE4FED13613204A7ED4E682560D3B1548A8B50

Non-executed Functions

Function 00C1CB26 Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00B92612: GetWindowLongW.USER32(?,000000EB), ref: 00B92623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00C1CBA1
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00C1CBFF
GetWindowLongW.USER32(?,000000F0), ref: 00C1CC40
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C1CC6A
SendMessageW.USER32 ref: 00C1CC93
_wcsncpy.LIBCMT ref: 00C1CCFF
GetKeyState.USER32(00000011), ref: 00C1CD20
GetKeyState.USER32(00000009), ref: 00C1CD2D
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00C1CD43
GetKeyState.USER32(00000010), ref: 00C1CD4D
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C1CD76
SendMessageW.USER32 ref: 00C1CD9D
SendMessageW.USER32(?,00001030,?,00C1B37C), ref: 00C1CEA1
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00C1CEB7
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00C1CECA
SetCapture.USER32(?), ref: 00C1CED3
ClientToScreen.USER32(?,?), ref: 00C1CF38
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00C1CF45
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00C1CF5F
ReleaseCapture.USER32 ref: 00C1CF6A
GetCursorPos.USER32(?), ref: 00C1CFA4
ScreenToClient.USER32(?,?), ref: 00C1CFB1
SendMessageW.USER32(?,00001012,00000000,?), ref: 00C1D00D
SendMessageW.USER32 ref: 00C1D03B
SendMessageW.USER32(?,00001111,00000000,?), ref: 00C1D078
SendMessageW.USER32 ref: 00C1D0A7
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00C1D0C8
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00C1D0D7
GetCursorPos.USER32(?), ref: 00C1D0F7
ScreenToClient.USER32(?,?), ref: 00C1D104
GetParent.USER32(?), ref: 00C1D124
SendMessageW.USER32(?,00001012,00000000,?), ref: 00C1D18D
SendMessageW.USER32 ref: 00C1D1BE
ClientToScreen.USER32(?,?), ref: 00C1D21C
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00C1D24C
SendMessageW.USER32(?,00001111,00000000,?), ref: 00C1D276
SendMessageW.USER32 ref: 00C1D299
ClientToScreen.USER32(?,?), ref: 00C1D2EB
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00C1D31F

Part of subcall function 00B925DB: GetWindowLongW.USER32(?,000000EB), ref: 00B925EC

GetWindowLongW.USER32(?,000000F0), ref: 00C1D3BB

Strings

@GUI_DRAGID, xrefs: 00C1CF06
F, xrefs: 00C1D29F
@U=u, xrefs: 00C1CBFF, 00C1CC6A, 00C1CC93, 00C1CD43, 00C1CD76, 00C1CD9D, 00C1CEA1, 00C1D00D, 00C1D03B, 00C1D078, 00C1D0A7, 00C1D18D, 00C1D1BE, 00C1D276, 00C1D299

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$@U=u$F
API String ID: 3977979337-1007936534
Opcode ID: 70c816efb55b4f5cbb338d98a87c9f8b1a72208a5e4b6ecc550b483fbbf0beaf
Instruction ID: 288754c1447d9156c01507d1a896cec962b4e5fb715d7f273fbd1b37aec11f79
Opcode Fuzzy Hash: 70c816efb55b4f5cbb338d98a87c9f8b1a72208a5e4b6ecc550b483fbbf0beaf
Instruction Fuzzy Hash: 95429C74248301EFDB20CF24C884BAABBE5BF4A310F144A6DF565D72A1C731D995EB92

Function 00BA70FE Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00BA7323
_memset.LIBCMT ref: 00BA7699
_memmove.LIBCMT ref: 00BA780C

Strings

DEFINE, xrefs: 00BE2459
Q\E, xrefs: 00BA812B
[:<:]], xrefs: 00BA75D9
[:>:]], xrefs: 00BA75F2
\b(?<=\w), xrefs: 00BE3AC9
\b(?=\w), xrefs: 00BE3ABF

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: c7270604578e91e071369da84bf5b3fdd542b0fe012f217436510c234e668302
Instruction ID: 139f982fbcb9a156f4a5f67627fe76fc2c81890370dd8a555007091e9c91bbdf
Opcode Fuzzy Hash: c7270604578e91e071369da84bf5b3fdd542b0fe012f217436510c234e668302
Instruction Fuzzy Hash: 7693B175A44259DFDB24CF99C881BADB7F1FF48710F2481AAE945AB381E7709E81CB40

Function 00B94A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00B94A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00BCD9BE
IsIconic.USER32(?), ref: 00BCD9C7
ShowWindow.USER32(?,00000009), ref: 00BCD9D4
SetForegroundWindow.USER32(?), ref: 00BCD9DE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00BCD9F4
GetCurrentThreadId.KERNEL32 ref: 00BCD9FB
GetWindowThreadProcessId.USER32(?,00000000), ref: 00BCDA07
AttachThreadInput.USER32(?,00000000,00000001), ref: 00BCDA18
AttachThreadInput.USER32(?,00000000,00000001), ref: 00BCDA20
AttachThreadInput.USER32(00000000,?,00000001), ref: 00BCDA28
SetForegroundWindow.USER32(?), ref: 00BCDA2B
MapVirtualKeyW.USER32(00000012,00000000), ref: 00BCDA40
keybd_event.USER32(00000012,00000000), ref: 00BCDA4B
MapVirtualKeyW.USER32(00000012,00000000), ref: 00BCDA55
keybd_event.USER32(00000012,00000000), ref: 00BCDA5A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00BCDA63
keybd_event.USER32(00000012,00000000), ref: 00BCDA68
MapVirtualKeyW.USER32(00000012,00000000), ref: 00BCDA72
keybd_event.USER32(00000012,00000000), ref: 00BCDA77
SetForegroundWindow.USER32(?), ref: 00BCDA7A
AttachThreadInput.USER32(?,?,00000000), ref: 00BCDAA1

Strings

Shell_TrayWnd, xrefs: 00BCD9B9

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: d07b71018d550a75e64a00cee43e3cbc55da1527d3e10758880d2909daad4b37
Instruction ID: 9f1c6cc0da0a48fff14d1e729df4c5c6876a215aeda5f5411c3f544f6dbc6a57
Opcode Fuzzy Hash: d07b71018d550a75e64a00cee43e3cbc55da1527d3e10758880d2909daad4b37
Instruction Fuzzy Hash: 01315375A40318BAEB205F619C49FBE7E6DFB45B50F108079FA04EA1D1C6B05D12AAA0

Function 00BE8638 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00BE8AA3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00BE8AED
Part of subcall function 00BE8AA3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00BE8B1A
Part of subcall function 00BE8AA3: GetLastError.KERNEL32 ref: 00BE8B27

_memset.LIBCMT ref: 00BE867B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00BE86CD
CloseHandle.KERNEL32(?), ref: 00BE86DE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00BE86F5
GetProcessWindowStation.USER32 ref: 00BE870E
SetProcessWindowStation.USER32(00000000), ref: 00BE8718
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00BE8732

Part of subcall function 00BE84F3: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00BE8631), ref: 00BE8508
Part of subcall function 00BE84F3: CloseHandle.KERNEL32(?,?,00BE8631), ref: 00BE851A

Strings

, xrefs: 00BE868A
winsta0, xrefs: 00BE86F0
default, xrefs: 00BE872D

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 773099022b0ba3eb6ecbf47a491264a51c85dae2ec25913c25589bae038eef98
Instruction ID: 0b62a4f2afbf5159ebb309efb89a6b3ebf470720b702b98fa6ffff68fdee3708
Opcode Fuzzy Hash: 773099022b0ba3eb6ecbf47a491264a51c85dae2ec25913c25589bae038eef98
Instruction Fuzzy Hash: 78814971900689AFDF119FA6CC45AEE7BB8FF05304F1481A9FD18B62A1DB318E15DB60

Function 00C0407C Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00C1F910), ref: 00C040A6
IsClipboardFormatAvailable.USER32(0000000D), ref: 00C040B4
GetClipboardData.USER32(0000000D), ref: 00C040BC
CloseClipboard.USER32 ref: 00C040C8
GlobalLock.KERNEL32(00000000), ref: 00C040E4
CloseClipboard.USER32 ref: 00C040EE
GlobalUnlock.KERNEL32(00000000), ref: 00C04103
IsClipboardFormatAvailable.USER32(00000001), ref: 00C04110
GetClipboardData.USER32(00000001), ref: 00C04118
GlobalLock.KERNEL32(00000000), ref: 00C04125
GlobalUnlock.KERNEL32(00000000), ref: 00C04159
CloseClipboard.USER32 ref: 00C04269

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: a924ba7802a3a72e6b22c9f03eba26240930b6127d32dd25faadbba319b685be
Instruction ID: 286a481ecf8b7c0d2839d1116495e7fb668b5bf10e4d8d8ecf5e0fd4d0501fdd
Opcode Fuzzy Hash: a924ba7802a3a72e6b22c9f03eba26240930b6127d32dd25faadbba319b685be
Instruction Fuzzy Hash: 07519D75204201ABD715EF64DC85FAF77A8BB95B00F00852DF656D21E2DF70D906CB62

Function 00BFC7E8 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00BFC819
FindClose.KERNEL32(00000000), ref: 00BFC86D
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00BFC892
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00BFC8A9
FileTimeToSystemTime.KERNEL32(?,?), ref: 00BFC8D0
__swprintf.LIBCMT ref: 00BFC91C
__swprintf.LIBCMT ref: 00BFC95F

Part of subcall function 00B97F41: _memmove.LIBCMT ref: 00B97F82

__swprintf.LIBCMT ref: 00BFC9B3

Part of subcall function 00BB3818: __woutput_l.LIBCMT ref: 00BB3871

__swprintf.LIBCMT ref: 00BFCA01

Part of subcall function 00BB3818: __flsbuf.LIBCMT ref: 00BB3893
Part of subcall function 00BB3818: __flsbuf.LIBCMT ref: 00BB38AB

__swprintf.LIBCMT ref: 00BFCA50
__swprintf.LIBCMT ref: 00BFCA9F
__swprintf.LIBCMT ref: 00BFCAEE

Strings

%4d, xrefs: 00BFC959
%02d, xrefs: 00BFC9A7, 00BFC9B1, 00BFC9FF, 00BFCA4E, 00BFCA9D, 00BFCAEC
%4d%02d%02d%02d%02d%02d, xrefs: 00BFC916

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 73cc2de81d8478203d2ee7fdc0979b0d27b9bfa346ec8db11f51a0d2fe989abd
Instruction ID: a6dfed188e67666004f754abd4911c026595a60a566d587cc03ba27c7a2d33ed
Opcode Fuzzy Hash: 73cc2de81d8478203d2ee7fdc0979b0d27b9bfa346ec8db11f51a0d2fe989abd
Instruction Fuzzy Hash: 18A13FB1418304ABCB50EB54CD86EBFB7ECFF94700F40496DB59683191EA74DA48CB62

Function 00BFF021 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 00BFF042
_wcscmp.LIBCMT ref: 00BFF057
_wcscmp.LIBCMT ref: 00BFF06E
GetFileAttributesW.KERNEL32(?), ref: 00BFF080
SetFileAttributesW.KERNEL32(?,?), ref: 00BFF09A
FindNextFileW.KERNEL32(00000000,?), ref: 00BFF0B2
FindClose.KERNEL32(00000000), ref: 00BFF0BD
FindFirstFileW.KERNEL32(*.*,?), ref: 00BFF0D9
_wcscmp.LIBCMT ref: 00BFF100
_wcscmp.LIBCMT ref: 00BFF117
SetCurrentDirectoryW.KERNEL32(?), ref: 00BFF129
SetCurrentDirectoryW.KERNEL32(00C48920), ref: 00BFF147
FindNextFileW.KERNEL32(00000000,00000010), ref: 00BFF151
FindClose.KERNEL32(00000000), ref: 00BFF15E
FindClose.KERNEL32(00000000), ref: 00BFF170

Strings

*.*, xrefs: 00BFF0D4

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 542b3fed127bf3c6ee2c278daf1879b149064080d4f583aca73ee62b3b8e04bd
Instruction ID: 707c4a54b0fbc68ea69219a967fcc17dfee987172de351fff3a6bd62c5b7d3d8
Opcode Fuzzy Hash: 542b3fed127bf3c6ee2c278daf1879b149064080d4f583aca73ee62b3b8e04bd
Instruction Fuzzy Hash: F931A23250461EAADB10DFB4DC49BFE77ECEF06360F1441B5EA05E31A1EB70DA4A8A54

Function 00C108E2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C109DE
RegCreateKeyExW.ADVAPI32(?,?,00000000,00C1F910,00000000,?,00000000,?,?), ref: 00C10A4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00C10A94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00C10B1D
RegCloseKey.ADVAPI32(?), ref: 00C10E3D
RegCloseKey.ADVAPI32(00000000), ref: 00C10E4A

Strings

REG_SZ, xrefs: 00C10B5B
REG_EXPAND_SZ, xrefs: 00C10ABA
REG_QWORD, xrefs: 00C10D8B
REG_BINARY, xrefs: 00C10DD8
REG_DWORD, xrefs: 00C10D0E
REG_MULTI_SZ, xrefs: 00C10C05

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: a78e100aa0caa6a1a806f9773b68d5e97bab72502f97c5a14a03850142ebc3e5
Instruction ID: c26eb6a4a10bddab0d139e3fdbe094b84a6210b0e12cbf5afad39411b17ffe90
Opcode Fuzzy Hash: a78e100aa0caa6a1a806f9773b68d5e97bab72502f97c5a14a03850142ebc3e5
Instruction Fuzzy Hash: D50281752046019FCB14EF29C851E6AB7E5FF89710F1488ACF89A9B362CB70ED41CB81

Function 00BFF17E Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 00BFF19F
_wcscmp.LIBCMT ref: 00BFF1B4
_wcscmp.LIBCMT ref: 00BFF1CB

Part of subcall function 00BF43C6: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00BF43E1

FindNextFileW.KERNEL32(00000000,?), ref: 00BFF1FA
FindClose.KERNEL32(00000000), ref: 00BFF205
FindFirstFileW.KERNEL32(*.*,?), ref: 00BFF221
_wcscmp.LIBCMT ref: 00BFF248
_wcscmp.LIBCMT ref: 00BFF25F
SetCurrentDirectoryW.KERNEL32(?), ref: 00BFF271
SetCurrentDirectoryW.KERNEL32(00C48920), ref: 00BFF28F
FindNextFileW.KERNEL32(00000000,00000010), ref: 00BFF299
FindClose.KERNEL32(00000000), ref: 00BFF2A6
FindClose.KERNEL32(00000000), ref: 00BFF2B8

Strings

*.*, xrefs: 00BFF21C

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 0cd6069298a5c32a5cdad4d5d9e2333daa193aac3eb66dce88c18c87105438b9
Instruction ID: 459fbf3c3d8469c5f1680e628e603cf5a3a620e9de28aa90b30cdc47f4a709ab
Opcode Fuzzy Hash: 0cd6069298a5c32a5cdad4d5d9e2333daa193aac3eb66dce88c18c87105438b9
Instruction Fuzzy Hash: D231D33650461E6ACB10ABA4DC48BFE73ECEF06320F1441B5FA04A31A1DBB0DE4ACA54

Function 00BFA279 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00BFA299
__swprintf.LIBCMT ref: 00BFA2BB
CreateDirectoryW.KERNEL32(?,00000000), ref: 00BFA2F8
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00BFA31D
_memset.LIBCMT ref: 00BFA33C
_wcsncpy.LIBCMT ref: 00BFA378
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00BFA3AD
CloseHandle.KERNEL32(00000000), ref: 00BFA3B8
RemoveDirectoryW.KERNEL32(?), ref: 00BFA3C1
CloseHandle.KERNEL32(00000000), ref: 00BFA3CB

Strings

\, xrefs: 00BFA2D1
\??\%s, xrefs: 00BFA2B5
:, xrefs: 00BFA2DC

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: cbe5f989833fab6014a19b73e14cf8e2f7336ac5d3152c9173a44b02785f2471
Instruction ID: 7cb22ebdf519da6f46e222b40c4ddc23909b781cd50f137b9436558d7a502d46
Opcode Fuzzy Hash: cbe5f989833fab6014a19b73e14cf8e2f7336ac5d3152c9173a44b02785f2471
Instruction Fuzzy Hash: 8A319CB1900109ABDB219FA0DC49FFF73BCEF89740F5041BAFA08D2060EB7096498B25

Function 00BE81D4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE852A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00BE8546
Part of subcall function 00BE852A: GetLastError.KERNEL32(?,00BE800A,?,?,?), ref: 00BE8550
Part of subcall function 00BE852A: GetProcessHeap.KERNEL32(00000008,?,?,00BE800A,?,?,?), ref: 00BE855F
Part of subcall function 00BE852A: HeapAlloc.KERNEL32(00000000,?,00BE800A,?,?,?), ref: 00BE8566
Part of subcall function 00BE852A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00BE857D

Part of subcall function 00BE85C7: GetProcessHeap.KERNEL32(00000008,00BE8020,00000000,00000000,?,00BE8020,?), ref: 00BE85D3
Part of subcall function 00BE85C7: HeapAlloc.KERNEL32(00000000,?,00BE8020,?), ref: 00BE85DA
Part of subcall function 00BE85C7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00BE8020,?), ref: 00BE85EB

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00BE8238
_memset.LIBCMT ref: 00BE824D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00BE826C
GetLengthSid.ADVAPI32(?), ref: 00BE827D
GetAce.ADVAPI32(?,00000000,?), ref: 00BE82BA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00BE82D6
GetLengthSid.ADVAPI32(?), ref: 00BE82F3
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00BE8302
HeapAlloc.KERNEL32(00000000), ref: 00BE8309
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00BE832A
CopySid.ADVAPI32(00000000), ref: 00BE8331
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00BE8362
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00BE8388
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00BE839C

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 0643dc046e0d57e08c33e228ab1d671d4abd838e6fa323ab8f4799be1af2ed5e
Instruction ID: 638182cbeb9d564b6d5a35bff2bbee93d915f3e0eb6b6030db71af856fb61efe
Opcode Fuzzy Hash: 0643dc046e0d57e08c33e228ab1d671d4abd838e6fa323ab8f4799be1af2ed5e
Instruction Fuzzy Hash: 1C615C7190064AEFDF10CFA5DC45AEEBBB9FF05700F0481A9F929A6291DB319A05CB60

Function 00BA6841 Relevance: 18.4, Strings: 14, Instructions: 889COMMON

Download Yara Rule

Strings

CRLF), xrefs: 00BE1617
BSR_ANYCRLF), xrefs: 00BE1674
LF), xrefs: 00BE15FA
ANY), xrefs: 00BE1634
LIMIT_RECURSION=, xrefs: 00BE1552
UCP), xrefs: 00BE1463
NO_START_OPT), xrefs: 00BE14A5
BSR_UNICODE), xrefs: 00BE168E
CR), xrefs: 00BE15DD
LIMIT_MATCH=, xrefs: 00BE14C6
UTF16), xrefs: 00BE1425
NO_AUTO_POSSESS), xrefs: 00BE1484
ANYCRLF), xrefs: 00BE1651
UTF), xrefs: 00BE1450

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: 1491aef06869a0963e4e1faad6547101bc1dcda48fb602db84c3681401540142
Instruction ID: 72989ff5efe0722ddf77f9ac4c3da0042dcde41f1d1aef83db8629256b0b4eb1
Opcode Fuzzy Hash: 1491aef06869a0963e4e1faad6547101bc1dcda48fb602db84c3681401540142
Instruction Fuzzy Hash: B7727FB5E042599BDF14CF59C8807AEB7F5FF59710F2485AAE845EB280EB309D81CB90

Function 00C10465 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C10EA5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C0FE38,?,?), ref: 00C10EBC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C10537

Part of subcall function 00B99997: __itow.LIBCMT ref: 00B999C2
Part of subcall function 00B99997: __swprintf.LIBCMT ref: 00B99A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00C105D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00C1066E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00C108AD
RegCloseKey.ADVAPI32(00000000), ref: 00C108BA

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: c543902b3f978de40849c6a574977642f893c9bd8fa8166ebe2a3421e42d7a39
Instruction ID: 40f4f4774ce45bb5b0315d55cd2585a7b38960e00d36db44e677e95b165e4885
Opcode Fuzzy Hash: c543902b3f978de40849c6a574977642f893c9bd8fa8166ebe2a3421e42d7a39
Instruction Fuzzy Hash: 86E16F31204200AFCB14DF69C881E6ABBE5FF8A714F14856DF45ADB2A2DB70ED41DB91

Function 00BF003A Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00BF0062
GetAsyncKeyState.USER32(000000A0), ref: 00BF00E3
GetKeyState.USER32(000000A0), ref: 00BF00FE
GetAsyncKeyState.USER32(000000A1), ref: 00BF0118
GetKeyState.USER32(000000A1), ref: 00BF012D
GetAsyncKeyState.USER32(00000011), ref: 00BF0145
GetKeyState.USER32(00000011), ref: 00BF0157
GetAsyncKeyState.USER32(00000012), ref: 00BF016F
GetKeyState.USER32(00000012), ref: 00BF0181
GetAsyncKeyState.USER32(0000005B), ref: 00BF0199
GetKeyState.USER32(0000005B), ref: 00BF01AB

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 08c24bf07b709ca2d35959414a6d2cc30cc6addccb7cc826618a0ddc679d3d9f
Instruction ID: bcc19e3247ba8e8a7d5d4c61b6fd95983c8d1bc1a6af58e6670ebdb0f1fec170
Opcode Fuzzy Hash: 08c24bf07b709ca2d35959414a6d2cc30cc6addccb7cc826618a0ddc679d3d9f
Instruction Fuzzy Hash: 8A4186245147CE69FB31AB6488047F5BEE1EB12340F0880DDE7C5576D3DB949ACC87A2

Function 00C084D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00B99997: __itow.LIBCMT ref: 00B999C2
Part of subcall function 00B99997: __swprintf.LIBCMT ref: 00B99A0C

CoInitialize.OLE32 ref: 00C08518
CoUninitialize.OLE32 ref: 00C08523
CoCreateInstance.OLE32(?,00000000,00000017,00C22BEC,?), ref: 00C08583
IIDFromString.OLE32(?,?), ref: 00C085F6
VariantInit.OLEAUT32(?), ref: 00C08690
VariantClear.OLEAUT32(?), ref: 00C086F1

Strings

NULL Pointer assignment, xrefs: 00C085C8
Invalid parameter, xrefs: 00C0860F
Failed to create object, xrefs: 00C0858E, 00C08644

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: d294241e138c1ddf02db9aaf5fd0acf8ee0e2f2aa1fad6eae5506fccf06dfc94
Instruction ID: edfce2d1db813c27ad2204bbea990529e23f963d17cd15e294d519038b8a82bc
Opcode Fuzzy Hash: d294241e138c1ddf02db9aaf5fd0acf8ee0e2f2aa1fad6eae5506fccf06dfc94
Instruction Fuzzy Hash: 9061AC70208311AFDB10DF65C849B6EBBE8AF49714F01895DF9959B2D1CB70EE48CB92

Function 00C0427A Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00C042A1
EmptyClipboard.USER32 ref: 00C042A7
GlobalAlloc.KERNEL32(00000002,?), ref: 00C042BC
CloseClipboard.USER32 ref: 00C0435B

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: a7f7fb2fcad6ddb7f4bc9cb5e97aa3e73fa481799a686ac6b267af8ca25f9229
Instruction ID: 89721151f3c8381588aa5b16790d537ce468298c5f8f9040f8912aeff1743821
Opcode Fuzzy Hash: a7f7fb2fcad6ddb7f4bc9cb5e97aa3e73fa481799a686ac6b267af8ca25f9229
Instruction Fuzzy Hash: DB21DE352006109FDB14AF65EC19BAE77A8FF05311F14C06AFA4ADB2B1CB70AD01CB54

Function 00BF3833 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B948AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B948A1,?,?,00B937C0,?), ref: 00B948CE

Part of subcall function 00BF4AD8: GetFileAttributesW.KERNELBASE(?,00BF374F), ref: 00BF4AD9

FindFirstFileW.KERNEL32(?,?), ref: 00BF38E7
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00BF398F
MoveFileW.KERNEL32(?,?), ref: 00BF39A2
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00BF39BF
FindNextFileW.KERNEL32(00000000,00000010), ref: 00BF39E1
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00BF39FD

Strings

\*.*, xrefs: 00BF3892, 00BF389B, 00BF38B0

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 493fbdee0bb2e2f495b4abf8ec6d730af63f938a52a363a1685b09034ebd3716
Instruction ID: b8998fc041fbd3cfcf5ae156ca689de4bd763ec57d92ad594543b011b33d1487
Opcode Fuzzy Hash: 493fbdee0bb2e2f495b4abf8ec6d730af63f938a52a363a1685b09034ebd3716
Instruction Fuzzy Hash: C651673184510CAACF11EBA0CA929FDB7F8AF15700B6481E9E542771A2EF706F0DCB60

Function 00BFF47F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00B97F41: _memmove.LIBCMT ref: 00B97F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00BFF4CC
Sleep.KERNEL32(0000000A), ref: 00BFF4FC
_wcscmp.LIBCMT ref: 00BFF510
_wcscmp.LIBCMT ref: 00BFF52B
FindNextFileW.KERNEL32(?,?), ref: 00BFF5C9
FindClose.KERNEL32(00000000), ref: 00BFF5DF

Strings

*.*, xrefs: 00BFF4B1

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 1f85cbe1b9e66c8cbb0c3a6a4e936b367f498077d7198d6c9064f7f505769f4d
Instruction ID: 3591159c6b71fca5fe6695495a1cedeefb93afbe0b11afe2a315dbe09c6cbb16
Opcode Fuzzy Hash: 1f85cbe1b9e66c8cbb0c3a6a4e936b367f498077d7198d6c9064f7f505769f4d
Instruction Fuzzy Hash: 62416D7190421EABCF11DFA4CC85AFE7BF4FF15310F1445AAE915A32A1EB309A49CB50

Function 00BA4140 Relevance: 11.6, APIs: 1, Strings: 5, Instructions: 1132COMMON

Download Yara Rule

Strings

ERCP, xrefs: 00BA421F
VUUU, xrefs: 00BA44DB
VUUU, xrefs: 00BD7A3B
VUUU, xrefs: 00BA44ED
VUUU, xrefs: 00BA4520

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 304bdafff176f152e761ab8453c61407cab1623151ce16f490b023d70140f378
Instruction ID: 862eb070e885c9f38ccfa6e517fe00197d1c71c757a1623d763d684320a1ac28
Opcode Fuzzy Hash: 304bdafff176f152e761ab8453c61407cab1623151ce16f490b023d70140f378
Instruction Fuzzy Hash: FDA25D70E0825A8BDF24CF58C9907EDB7F1EB95314F2481EAD855A7380EBB49D85CB50

Function 00BA58C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00BA5A05
_memmove.LIBCMT ref: 00BA5A55
_memmove.LIBCMT ref: 00BA5ABB

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: f11fcba2855586526fde0eac91db18b1e628b94c113c83571392b8596c017812
Instruction ID: 5ca0b47263900efdbdfd06347039e78984671560a42365d1c90ce54e2948cab9
Opcode Fuzzy Hash: f11fcba2855586526fde0eac91db18b1e628b94c113c83571392b8596c017812
Instruction Fuzzy Hash: 0A129A70A00609EFDF24DFA5D981AEEB7F5FF48300F1085A9E406A7251EB75AE51CB60

Function 00BF5264 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE8AA3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00BE8AED
Part of subcall function 00BE8AA3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00BE8B1A
Part of subcall function 00BE8AA3: GetLastError.KERNEL32 ref: 00BE8B27

ExitWindowsEx.USER32(?,00000000), ref: 00BF52A0

Strings

@, xrefs: 00BF5293
SeShutdownPrivilege, xrefs: 00BF5270
, xrefs: 00BF528E

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: d980efbe9502b01693f4f58576bf713b2a33e43ee6edee73a8dc7ead3fb8cbc9
Instruction ID: 8aa0fffa31d610c82761e619d2ac2deb2300b4864377fce8e3f49c72319965d0
Opcode Fuzzy Hash: d980efbe9502b01693f4f58576bf713b2a33e43ee6edee73a8dc7ead3fb8cbc9
Instruction Fuzzy Hash: BE01F771690A196AEB3866789C8BBBA72D8EB06751F2403A9FF47D30D2DA605C0C8190

Function 00C06399 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 00C063F2
WSAGetLastError.WSOCK32(00000000), ref: 00C06401
bind.WSOCK32(00000000,?,00000010), ref: 00C0641D
listen.WSOCK32(00000000,00000005), ref: 00C0642C
WSAGetLastError.WSOCK32(00000000), ref: 00C06446
closesocket.WSOCK32(00000000), ref: 00C0645A

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 4259f8c7d2395a25e31246d9dc5dfe0aa4e357be1e083cac786b62cbd8673d27
Instruction ID: fb9c3b82b44d3abff201b680eeb998be684e796509b07d1c95f3b523d1150984
Opcode Fuzzy Hash: 4259f8c7d2395a25e31246d9dc5dfe0aa4e357be1e083cac786b62cbd8673d27
Instruction Fuzzy Hash: 6B21AD34600204AFDB10EFA8C945B6EB7F9EF45720F1481ADF866A72D2CB70AD01CB51

Function 00BA5680 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00BB0F36: std::exception::exception.LIBCMT ref: 00BB0F6C
Part of subcall function 00BB0F36: __CxxThrowException@8.LIBCMT ref: 00BB0F81

_memmove.LIBCMT ref: 00BE05AE
_memmove.LIBCMT ref: 00BE06C3
_memmove.LIBCMT ref: 00BE076A

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 2a6f15809394913c0f424cff9776734befed2b90dc447428b3ed74673575d009
Instruction ID: 5085c109f5f581aed79d31abe49effed936e23b3a5ba40c35b0620618806f603
Opcode Fuzzy Hash: 2a6f15809394913c0f424cff9776734befed2b90dc447428b3ed74673575d009
Instruction Fuzzy Hash: 2402ACB0A10209DFDF14EF65D981ABEBBF5EF45300F1480A9E806EB255EB70DA51CB91

Function 00B91287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00B92612: GetWindowLongW.USER32(?,000000EB), ref: 00B92623

DefDlgProcW.USER32(?,?,?,?,?), ref: 00B919FA
GetSysColor.USER32(0000000F), ref: 00B91A4E
SetBkColor.GDI32(?,00000000), ref: 00B91A61

Part of subcall function 00B91290: DefDlgProcW.USER32(?,00000020,?), ref: 00B912D8

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 557627e500f5b9767e7d52de5b187b145454d32967ce01b3c3188fe577a2f815
Instruction ID: 3fe2b58008dcaf9ab471cd88f21b61fd26166d44486651f9030d9117fa775377
Opcode Fuzzy Hash: 557627e500f5b9767e7d52de5b187b145454d32967ce01b3c3188fe577a2f815
Instruction Fuzzy Hash: AFA15871102546BAEF28AB2C8CD5FBF35DDDB43382F1409BDF412D6192CA209D42B276

Function 00C0685D Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C07EA0: inet_addr.WSOCK32(00000000), ref: 00C07ECB

socket.WSOCK32(00000002,00000002,00000011), ref: 00C068B4
WSAGetLastError.WSOCK32(00000000), ref: 00C068DD
bind.WSOCK32(00000000,?,00000010), ref: 00C06916
WSAGetLastError.WSOCK32(00000000), ref: 00C06923
closesocket.WSOCK32(00000000), ref: 00C06937

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 52b89035ebadb671f7503190c8b6089a5e780025a8bf943276ac3f7228f2221f
Instruction ID: fdb49e951fce21da4cae1cb835d2bc18b2737440d4522e03d814e04b4b664b37
Opcode Fuzzy Hash: 52b89035ebadb671f7503190c8b6089a5e780025a8bf943276ac3f7228f2221f
Instruction Fuzzy Hash: 7D41B275A00610AFEF10AF68DC86F6E77E9EB05710F4481ACF91AAB3D3DA709D018791

Function 00C153DF Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00C1542E
IsWindowEnabled.USER32 ref: 00C1543C
GetForegroundWindow.USER32(?,?,00000001), ref: 00C15449
IsIconic.USER32 ref: 00C15457
IsZoomed.USER32 ref: 00C15465

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: c051d280283d1421bb503a4b3ca3146d5250809dd4ba91e8b97088e31e33c5e5
Instruction ID: d76ff9154591c21d64490fbd334e4b4e13efb04d1f34cdedbd25ac4de71fc0f2
Opcode Fuzzy Hash: c051d280283d1421bb503a4b3ca3146d5250809dd4ba91e8b97088e31e33c5e5
Instruction Fuzzy Hash: EC11C431700910AFEB215F26DC44BAE7B99FF96762B04843CF846D7251CB70D9829AA5

Function 00C0C104 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00BD1CB7,?), ref: 00C0C112
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00C0C124

Strings

kernel32.dll, xrefs: 00C0C10D
GetSystemWow64DirectoryW, xrefs: 00C0C11E

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: a462c7d44dcbead4f0feb414b20f27d3f197fba96eb61b0ebe092258baf82bc4
Instruction ID: aa7709d756bdf1361bf635e8c7f1d7b4bc93d09ea3022c0efda3403a5ffe9347
Opcode Fuzzy Hash: a462c7d44dcbead4f0feb414b20f27d3f197fba96eb61b0ebe092258baf82bc4
Instruction Fuzzy Hash: 36E0EC79600723DFDB205F25E858B8E76E4FF0A755B50853DE8A9D22A0E778D881C750

Function 00BA3190 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 910382a624d3e05b14af149f04a3296f2107ed98c204cffa0ebf4134234d0f59
Instruction ID: ce3c388af298c18da6d0346560605637046698242f97a906a803d09f69aa59c1
Opcode Fuzzy Hash: 910382a624d3e05b14af149f04a3296f2107ed98c204cffa0ebf4134234d0f59
Instruction Fuzzy Hash: 41228B716083019FC724DF28C891BAEB7E4EF95710F1449ADF49697391EB71EA04CB92

Function 00C0EF21 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00C0EF51
Process32FirstW.KERNEL32(00000000,?), ref: 00C0EF5F

Part of subcall function 00B97F41: _memmove.LIBCMT ref: 00B97F82

Process32NextW.KERNEL32(00000000,?), ref: 00C0F01F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00C0F02E

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: e3795cbe4c9cbacd1080ad25eed6acd04d38db8ae4c1abceb367323a29ad7112
Instruction ID: 32e2942f9fa7c9daebc45de7642ea8fdc5a92b007b43cab0b25493949012a9d1
Opcode Fuzzy Hash: e3795cbe4c9cbacd1080ad25eed6acd04d38db8ae4c1abceb367323a29ad7112
Instruction Fuzzy Hash: 2A517D71508311ABD720EF24DC85E6FB7E8FF84710F10496DF495972A1EB70A909CB92

Function 00BEE928 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00BEE93A

Strings

|, xrefs: 00BEE96A
(, xrefs: 00BEE980

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 585822686e972a08082a6c5c8f1503afc57dad38a562e63e3eabdf1abd9d0474
Instruction ID: b7f8edfab9f3bce7a54fccc146f86fa2a6a1fcee358468cba22178522c499139
Opcode Fuzzy Hash: 585822686e972a08082a6c5c8f1503afc57dad38a562e63e3eabdf1abd9d0474
Instruction Fuzzy Hash: 68322675A006459FCB28DF5AC48196AB7F1FF48320F15C5AEE4AADB3A1E770E941CB40

Function 00C02404 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00C01920,00000000), ref: 00C024F7
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00C0252E

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 68515e6450b7c7868af1c52b08c06eb7b114d8762061ba632f35942c96dcdd3c
Instruction ID: 9c19f19ac229790953e4b0ee418fff49253a13fed9eee1b4dceb597f063a742b
Opcode Fuzzy Hash: 68515e6450b7c7868af1c52b08c06eb7b114d8762061ba632f35942c96dcdd3c
Instruction Fuzzy Hash: F641C671504209BFEB20DE95DC99FBBB7BCEB40724F10406EF605A61C1D6B09E41D654

Function 00BFB3BF Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00BFB3CF
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00BFB429
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00BFB476

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 8a7d993b5c3e69ed009d30795eaf45453ae99a1900088673dfc541007acd683c
Instruction ID: ee8d914f99ce250cccdb385a7f3731c1da0573e781db61388436e0d9f912322f
Opcode Fuzzy Hash: 8a7d993b5c3e69ed009d30795eaf45453ae99a1900088673dfc541007acd683c
Instruction Fuzzy Hash: 3F213D35A10518EFCB00EFA5D884EEEBBF8FF49310F1480A9E905AB361DB319956CB55

Function 00BE8AA3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00BB0F36: std::exception::exception.LIBCMT ref: 00BB0F6C
Part of subcall function 00BB0F36: __CxxThrowException@8.LIBCMT ref: 00BB0F81

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00BE8AED
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00BE8B1A
GetLastError.KERNEL32 ref: 00BE8B27

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: aee3ef85168323b1f17adfc2b669f4adce0b3a96702eb9ee52d4cf1b7a76fc25
Instruction ID: f3d92116e47e26b64aeb90f202988db33f625134ae15d732de77c37160b5a98b
Opcode Fuzzy Hash: aee3ef85168323b1f17adfc2b669f4adce0b3a96702eb9ee52d4cf1b7a76fc25
Instruction Fuzzy Hash: AA119DB1514205AFD728AF64DCC5E7BB7F8FB44310B20C1AEF45A92251EB70AC01CA60

Function 00BF4A08 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00BF4A31
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00BF4A48
FreeSid.ADVAPI32(?), ref: 00BF4A58

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 9a6f2269acae7f76430df225a71a497cd008344f4e93d028d772acd51d765ca7
Instruction ID: 3edc90a553055b46f3f3b9c4be1380e4ed2d60531bb98ee49ad993c9a288a8b0
Opcode Fuzzy Hash: 9a6f2269acae7f76430df225a71a497cd008344f4e93d028d772acd51d765ca7
Instruction Fuzzy Hash: 43F03775A5120CBFDB00DFE09C89AAEBBB8FB08211F0084A9AA01E2191E7706A048B50

Function 00BFA0F4 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00C0957D,?,00C1FB84,?), ref: 00BFA121
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00C0957D,?,00C1FB84,?), ref: 00BFA133

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: da16ff74c77b023c25c4ea7af4b9593cbda252fd548ae542bfd3a60c56037eab
Instruction ID: 94d71073137f537b59f0e3bac9c8ca96603461c69ab9f78534f7b46f43055f57
Opcode Fuzzy Hash: da16ff74c77b023c25c4ea7af4b9593cbda252fd548ae542bfd3a60c56037eab
Instruction Fuzzy Hash: 07F0E93510422DB7DB109F94CC48FEA73ECFF09351F0081A9F919E3151D6309504CBA1

Function 00BE84F3 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00BE8631), ref: 00BE8508
CloseHandle.KERNEL32(?,?,00BE8631), ref: 00BE851A

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: b64b86ecba1e8323ebde1d24c8a7c7e542397a8a11ae8298d0914feded100c2e
Instruction ID: f1061629f8cdca75745edfbcf674d1695e1461aae7d34342420e5c6432f711dd
Opcode Fuzzy Hash: b64b86ecba1e8323ebde1d24c8a7c7e542397a8a11ae8298d0914feded100c2e
Instruction Fuzzy Hash: C5E0BF71014910AFE7262B65EC05EB777E9FF44350714C56DB49580470DB615C91DB50

Function 00BBA2D5 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00BB8ED7,?,?,?,00000001), ref: 00BBA2DA
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00BBA2E3

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 46697e8273b97d6d25d0146688a9cc65a10a82f1aa89de4094fb6ff1138f18a3
Instruction ID: a567ba00a620ef079df1aad542a8e6f17a0308dc1fe082da9d63f713f6adffdf
Opcode Fuzzy Hash: 46697e8273b97d6d25d0146688a9cc65a10a82f1aa89de4094fb6ff1138f18a3
Instruction Fuzzy Hash: 10B09231054208EBCA002B91EC09BCC3F68FB46BA2F808024F61D84070CB6254528A91

Function 00BBF359 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdd7d3040d6bdbe25a8bba283c40194377626570640877d9f2a1b2a2ec463284
Instruction ID: 3da046ed6921d6ec5f286328e2ef0e5b29ddda23e3d7d2691cd94472c81f821b
Opcode Fuzzy Hash: bdd7d3040d6bdbe25a8bba283c40194377626570640877d9f2a1b2a2ec463284
Instruction Fuzzy Hash: DF32E322D29F424ED7239639DC72339A299AFB73C4F15D737E819B5DA6EB68C4834100

Function 00BC25AE Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1871a4a98bb58251c275e6d6c5e317ec5da6d3c57560a9520fe44e45f7a45a77
Instruction ID: 7dc57e88b1b641d698c2d26344fd7cae57dd173a47538e545ee8ab2a01dac68e
Opcode Fuzzy Hash: 1871a4a98bb58251c275e6d6c5e317ec5da6d3c57560a9520fe44e45f7a45a77
Instruction Fuzzy Hash: 38B1F221D3AF414ED723A639883133AB69CAFBB6D5F51D71BFC2674D22EB2185834141

Function 00BF8932 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00BF8944

Part of subcall function 00BB537A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00BF9017,00000000,?,?,?,?,00BF91C8,00000000,?), ref: 00BB5383
Part of subcall function 00BB537A: __aulldiv.LIBCMT ref: 00BB53A3

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: ab3d7ba5e50c2e668d538042a4cb8bf3b1b6c1fb56dbd9ad684468edbd3509bc
Instruction ID: 344c8bd67975ebc5c25746fd47492db18365261ebca08d5a6bd5ca7d47e78d98
Opcode Fuzzy Hash: ab3d7ba5e50c2e668d538042a4cb8bf3b1b6c1fb56dbd9ad684468edbd3509bc
Instruction Fuzzy Hash: 3B21D236625614CBC729CF25D841B62B3E1EBA5311B688E6CE1E5CB2C0CA74A949CB54

Function 00C0401F Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00C0403A

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: b2a9b4071aefbf807b06ddce86d4359f4c6bd935b07d2735175f2995635a3e71
Instruction ID: 86929e1af00c1c0dfc4d1c1ed72ba34794e42a0004d272f4ab8568185f22cbaf
Opcode Fuzzy Hash: b2a9b4071aefbf807b06ddce86d4359f4c6bd935b07d2735175f2995635a3e71
Instruction Fuzzy Hash: B0E048712041145FC714AF59D845A9BFBEDEF64765F00C069FD49D7351DA70E841CB90

Function 00BF4CFA Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00BF4D1D

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 6d0f006cf29f55ffce66ba3074d8336568ec1c2f61f1a2c513c0d578f71eafaa
Instruction ID: 281a6c35f17bf451295c8ca6b049776bda07a9e0919a232b4e5b589697b598d4
Opcode Fuzzy Hash: 6d0f006cf29f55ffce66ba3074d8336568ec1c2f61f1a2c513c0d578f71eafaa
Instruction Fuzzy Hash: 19D05EA812420D78FC280B289C1FB772189F382782FA441E97702870D9FAE85C49A035

Function 00BE8A73 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00BE86B1), ref: 00BE8A93

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 843daba2c59cecf04d457a3574700da04ad01cb1d395500e64c3a2537b17628c
Instruction ID: 4692065fee957720f8c4f3ad730cbfe265810e3e9b63e805a1e827df9cddfabf
Opcode Fuzzy Hash: 843daba2c59cecf04d457a3574700da04ad01cb1d395500e64c3a2537b17628c
Instruction Fuzzy Hash: 35D09E3226450EABEF019EA4DD05EEE3B69EB04B01F408511FE15D51A1C775D935AB60

Function 00BD215F Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00BD2171

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: ff2eb91a89df02db6652a2abb6784e732d3ebf84d478ef4cb413c2f0b2039329
Instruction ID: 0345101f3744a5120c9abb515bfafc8995974875edf93ad1ba9ccef3a9595611
Opcode Fuzzy Hash: ff2eb91a89df02db6652a2abb6784e732d3ebf84d478ef4cb413c2f0b2039329
Instruction Fuzzy Hash: B2C04CF1801509DBCB05DB90D988EEEB7BCBB08304F104596A155F2101E7749B448B71

Function 00BBA2A4 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00BBA2AA

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 319efb88ebac46ef017f2a6cad79a7c9f9d236b4a17f7bc4e4ec528ed4011c33
Instruction ID: 4ed9d475c631e63a92c1307989e75e1847282422f80368c6fd5c0dfdc521e359
Opcode Fuzzy Hash: 319efb88ebac46ef017f2a6cad79a7c9f9d236b4a17f7bc4e4ec528ed4011c33
Instruction Fuzzy Hash: EBA0113000020CABCA002B82EC08A88BFACFA022A0B808020F80C80032CB32A8228A80

Function 00BA8968 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb4fe039b311d951423e8ca35995776fb909482f289351d28625debcddeb2349
Instruction ID: 0a0f60f9295482b83a458dbdc1d719c6ebda4e1f06cf5caa79def70273f2a10b
Opcode Fuzzy Hash: cb4fe039b311d951423e8ca35995776fb909482f289351d28625debcddeb2349
Instruction Fuzzy Hash: A42237709085958BCF389A19C4D477DB7F1FF02308FA880EAD8529B9A2DB35DD85C761

Function 00BB2345 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 8ea6ade3176c625aec3e487bd21c410b5c762dab5c7d21d37a5e46bb8a1805b0
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: DDC162322150530BDB2D4B3D84741BEBAE59BA27B235A07DDE8B3CB1D5EE90C564D620

Function 00BB277A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: d66b9dfb9f1bacfc1fbaad8cd75ae2471f31e924677129a00b7c3a894356b256
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 89C151322151930BDB2D4B3E84741BEBAE59BA27B235A07EDE4B2DB1C4EF50C524D620

Function 00BB1AF8 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: df015640d575fc42edf6312a6d5f12da62d8e7a288051d69be7a066623772842
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 1DC162322051530BDB2D463D84740BEBEE5DB927B239A0BEDE4B2DB1C4EF50C564D620

Function 00C0791B Relevance: 79.2, APIs: 40, Strings: 5, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00C07970
DeleteObject.GDI32(00000000), ref: 00C07982
DestroyWindow.USER32 ref: 00C07990
GetDesktopWindow.USER32 ref: 00C079AA
GetWindowRect.USER32(00000000), ref: 00C079B1
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00C07AF2
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00C07B02
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C07B4A
GetClientRect.USER32(00000000,?), ref: 00C07B56
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00C07B90
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C07BB2
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C07BC5
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C07BD0
GlobalLock.KERNEL32(00000000), ref: 00C07BD9
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C07BE8
GlobalUnlock.KERNEL32(00000000), ref: 00C07BF1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C07BF8
GlobalFree.KERNEL32(00000000), ref: 00C07C03
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C07C15
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00C22CAC,00000000), ref: 00C07C2B
GlobalFree.KERNEL32(00000000), ref: 00C07C3B
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00C07C61
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00C07C80
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C07CA2
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C07E8F

Strings

DISPLAY, xrefs: 00C07CF2
AutoIt v3, xrefs: 00C07B42
, xrefs: 00C07E15
@U=u, xrefs: 00C07C80, 00C07E0F
static, xrefs: 00C07B8A, 00C07CE1

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $@U=u$AutoIt v3$DISPLAY$static
API String ID: 2211948467-3613752883
Opcode ID: 21e4204763681a198e80f0a99b17f30555b37579823738ab7c465a66184b68db
Instruction ID: 30d09320ea64ba3c43686b067ab1042376f4b004f8b1040b9b8b264eaa0f2510
Opcode Fuzzy Hash: 21e4204763681a198e80f0a99b17f30555b37579823738ab7c465a66184b68db
Instruction Fuzzy Hash: D7024C75A00215AFDB14DFA8DC89FAE7BB9FB49310F148168F915AB2A1C770AD41CB60

Function 00C1A60C Relevance: 59.8, APIs: 33, Strings: 1, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00C1A662
GetSysColorBrush.USER32(0000000F), ref: 00C1A693
GetSysColor.USER32(0000000F), ref: 00C1A69F
SetBkColor.GDI32(?,000000FF), ref: 00C1A6B9
SelectObject.GDI32(?,00000000), ref: 00C1A6C8
InflateRect.USER32(?,000000FF,000000FF), ref: 00C1A6F3
GetSysColor.USER32(00000010), ref: 00C1A6FB
CreateSolidBrush.GDI32(00000000), ref: 00C1A702
FrameRect.USER32(?,?,00000000), ref: 00C1A711
DeleteObject.GDI32(00000000), ref: 00C1A718
InflateRect.USER32(?,000000FE,000000FE), ref: 00C1A763
FillRect.USER32(?,?,00000000), ref: 00C1A795
GetWindowLongW.USER32(?,000000F0), ref: 00C1A7C0

Part of subcall function 00C1A8FC: GetSysColor.USER32(00000012), ref: 00C1A935
Part of subcall function 00C1A8FC: SetTextColor.GDI32(?,?), ref: 00C1A939
Part of subcall function 00C1A8FC: GetSysColorBrush.USER32(0000000F), ref: 00C1A94F
Part of subcall function 00C1A8FC: GetSysColor.USER32(0000000F), ref: 00C1A95A
Part of subcall function 00C1A8FC: GetSysColor.USER32(00000011), ref: 00C1A977
Part of subcall function 00C1A8FC: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00C1A985
Part of subcall function 00C1A8FC: SelectObject.GDI32(?,00000000), ref: 00C1A996
Part of subcall function 00C1A8FC: SetBkColor.GDI32(?,00000000), ref: 00C1A99F
Part of subcall function 00C1A8FC: SelectObject.GDI32(?,?), ref: 00C1A9AC
Part of subcall function 00C1A8FC: InflateRect.USER32(?,000000FF,000000FF), ref: 00C1A9CB
Part of subcall function 00C1A8FC: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00C1A9E2
Part of subcall function 00C1A8FC: GetWindowLongW.USER32(00000000,000000F0), ref: 00C1A9F7
Part of subcall function 00C1A8FC: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00C1AA1F

Strings

@U=u, xrefs: 00C1A7EA

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID: @U=u
API String ID: 3521893082-2594219639
Opcode ID: c17c24ec22503d07531ef1bd676e934812dd237e64a2da3486ae8fd8e456675d
Instruction ID: d6b3af5b25be24d9bcfec6e114093ad0d9ef87dae7e3e3b7895ef08399db785f
Opcode Fuzzy Hash: c17c24ec22503d07531ef1bd676e934812dd237e64a2da3486ae8fd8e456675d
Instruction Fuzzy Hash: 4E917D71009301EFD7119F64DC08BAF7BA9FB8A321F108A2DF966961E0C771D946DB92

Function 00C135D4 Relevance: 52.9, APIs: 6, Strings: 24, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00C1F910), ref: 00C13690
IsWindowVisible.USER32(?), ref: 00C136B4

Strings

SHOWDROPDOWN, xrefs: 00C13749
GETLINE, xrefs: 00C13A04
ADDSTRING, xrefs: 00C1377F
ISENABLED, xrefs: 00C136D4
GETSELECTED, xrefs: 00C1390C
ISCHECKED, xrefs: 00C138A2
@U=u, xrefs: 00C1394C, 00C13973, 00C139FC
FINDSTRING, xrefs: 00C137DF
EDITPASTE, xrefs: 00C139C8
GETCURRENTCOL, xrefs: 00C13991
GETCURRENTLINE, xrefs: 00C13956
GETLINECOUNT, xrefs: 00C1392F
DELSTRING, xrefs: 00C137B2
HIDEDROPDOWN, xrefs: 00C13769
SENDCOMMANDID, xrefs: 00C13A43
ISVISIBLE, xrefs: 00C136A0
TABLEFT, xrefs: 00C136F0
UNCHECK, xrefs: 00C138EC
SETCURRENTSELECTION, xrefs: 00C1381F
CURRENTTAB, xrefs: 00C13726
SELECTSTRING, xrefs: 00C1386F
CHECK, xrefs: 00C138D6
TABRIGHT, xrefs: 00C13706
GETCURRENTSELECTION, xrefs: 00C1384C

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: @U=u$ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-3469695742
Opcode ID: c6795fccdfe48101e59c57bbb4119261d2087c38f8ea53cad0a3279764a8d2d4
Instruction ID: 5be9a4680349e8bfdf819dec2d11c70b0e73f22902240c5d41c9a86677af5b40
Opcode Fuzzy Hash: c6795fccdfe48101e59c57bbb4119261d2087c38f8ea53cad0a3279764a8d2d4
Instruction Fuzzy Hash: 78D17F702146409BCF14EF14C491AAE7BE5FF96358F1444A8F8965B3E2CB31DE4ADB81

Function 00C075C0 Relevance: 47.5, APIs: 22, Strings: 5, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00C075F3
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00C076B2
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00C076F0
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00C07702
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00C07748
GetClientRect.USER32(00000000,?), ref: 00C07754
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00C07798
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00C077A7
GetStockObject.GDI32(00000011), ref: 00C077B7
SelectObject.GDI32(00000000,00000000), ref: 00C077BB
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00C077CB
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C077D4
DeleteDC.GDI32(00000000), ref: 00C077DD
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00C07809
SendMessageW.USER32(00000030,00000000,00000001), ref: 00C07820
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00C0785B
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00C0786F
SendMessageW.USER32(00000404,00000001,00000000), ref: 00C07880
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00C078B0
GetStockObject.GDI32(00000011), ref: 00C078BB
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00C078C6
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00C078D0

Strings

DISPLAY, xrefs: 00C0779D
AutoIt v3, xrefs: 00C07740
msctls_progress32, xrefs: 00C07851
@U=u, xrefs: 00C0780F
static, xrefs: 00C07792, 00C078AA

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: @U=u$AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-2771358697
Opcode ID: 4cb69d08a2f3fcf97f7b2427d51dec03b3fd1e35e1443a494348be1c11154541
Instruction ID: 048d1feb6289e29484b916ab4f38e839893535faccb262f4bdb67f27088d8d1e
Opcode Fuzzy Hash: 4cb69d08a2f3fcf97f7b2427d51dec03b3fd1e35e1443a494348be1c11154541
Instruction Fuzzy Hash: 7FA182B1A40615BFEB14DBA8DC4AFAE7BB9FB05711F108118FA15A72E0C770AD41CB60

Function 00C1A8FC Relevance: 47.4, APIs: 26, Strings: 1, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00C1A935
SetTextColor.GDI32(?,?), ref: 00C1A939
GetSysColorBrush.USER32(0000000F), ref: 00C1A94F
GetSysColor.USER32(0000000F), ref: 00C1A95A
CreateSolidBrush.GDI32(?), ref: 00C1A95F
GetSysColor.USER32(00000011), ref: 00C1A977
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00C1A985
SelectObject.GDI32(?,00000000), ref: 00C1A996
SetBkColor.GDI32(?,00000000), ref: 00C1A99F
SelectObject.GDI32(?,?), ref: 00C1A9AC
InflateRect.USER32(?,000000FF,000000FF), ref: 00C1A9CB
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00C1A9E2
GetWindowLongW.USER32(00000000,000000F0), ref: 00C1A9F7
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00C1AA1F
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00C1AA46
InflateRect.USER32(?,000000FD,000000FD), ref: 00C1AA64
DrawFocusRect.USER32(?,?), ref: 00C1AA6F
GetSysColor.USER32(00000011), ref: 00C1AA7D
SetTextColor.GDI32(?,00000000), ref: 00C1AA85
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00C1AA99
SelectObject.GDI32(?,00C1A62C), ref: 00C1AAB0
DeleteObject.GDI32(?), ref: 00C1AABB
SelectObject.GDI32(?,?), ref: 00C1AAC1
DeleteObject.GDI32(?), ref: 00C1AAC6
SetTextColor.GDI32(?,?), ref: 00C1AACC
SetBkColor.GDI32(?,?), ref: 00C1AAD6

Strings

@U=u, xrefs: 00C1AA1F

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID: @U=u
API String ID: 1996641542-2594219639
Opcode ID: 3c657e1464bb3a806f09fac2e381eb664a5188459b751dd24767ee0b95fa3cd1
Instruction ID: 4b8bbd9931b1df02b6c83c2f21dc373c950f6850ed4236cda24c74a6e7fac0f5
Opcode Fuzzy Hash: 3c657e1464bb3a806f09fac2e381eb664a5188459b751dd24767ee0b95fa3cd1
Instruction Fuzzy Hash: E4512B71901208FFDB119FA4DC48BEE7BB9FF09320F218629F915AA2A1D7719A41DF50

Function 00BFAD9C Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00BFADAA
GetDriveTypeW.KERNEL32(?,00C1FAC0,?,\\.\,00C1F910), ref: 00BFAE87
SetErrorMode.KERNEL32(00000000,00C1FAC0,?,\\.\,00C1F910), ref: 00BFAFE5

Strings

SSA, xrefs: 00BFAF6E
USB, xrefs: 00BFAF7C
Virtual, xrefs: 00BFAFAD
RAID, xrefs: 00BFAF83
ATAPI, xrefs: 00BFAF59
Network, xrefs: 00BFAEC5
SCSI, xrefs: 00BFAF52
ATA, xrefs: 00BFAF60
FileBackedVirtual, xrefs: 00BFAFB4
SSD, xrefs: 00BFAF12
RAMDisk, xrefs: 00BFAEB1
Fibre, xrefs: 00BFAF75
PhysicalDrive, xrefs: 00BFAE33
Removable, xrefs: 00BFAED9
1394, xrefs: 00BFAF67
MMC, xrefs: 00BFAFA6
CDROM, xrefs: 00BFAEBB
SAS, xrefs: 00BFAF91
SATA, xrefs: 00BFAF98
Unknown, xrefs: 00BFAEA7, 00BFAF4B
Fixed, xrefs: 00BFAECF
\\.\, xrefs: 00BFADFC
iSCSI, xrefs: 00BFAF8A

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: ef24b34e438e01d370c4b5f8cc974fe3ae131a241c78f10280629175ddb2bb2e
Instruction ID: f6a6bb6444c106e9f9391407cc5bafc2875f8de90c569ad9b56890a00a5128eb
Opcode Fuzzy Hash: ef24b34e438e01d370c4b5f8cc974fe3ae131a241c78f10280629175ddb2bb2e
Instruction Fuzzy Hash: E95122F864420D9BCB08EB14C9D29BDB3F1FB5574072044E6AA0AEB291CB719D49DB53

Function 00B96A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00B96A91
__wcsnicmp.LIBCMT ref: 00B96AA9
__wcsnicmp.LIBCMT ref: 00B96AC1
__wcsnicmp.LIBCMT ref: 00B96AD9
__wcsnicmp.LIBCMT ref: 00B96AF1
__wcsnicmp.LIBCMT ref: 00B96B09
__wcsnicmp.LIBCMT ref: 00B96B21
__wcsnicmp.LIBCMT ref: 00B96B35
__wcsnicmp.LIBCMT ref: 00B96B76
__wcsnicmp.LIBCMT ref: 00B96B8A
__wcsnicmp.LIBCMT ref: 00B96B9E
__wcsnicmp.LIBCMT ref: 00B96BB2

Strings

#comments-start, xrefs: 00B96B1B, 00B96B70
Unterminated group of comments, xrefs: 00BCE75C
#OnAutoItStartRegister, xrefs: 00B96AD3
#include-once, xrefs: 00B96AEB
#comments-end, xrefs: 00B96B98
Bad directive syntax error, xrefs: 00BCE673
#requireadmin, xrefs: 00B96ABB
Cannot parse #include, xrefs: 00BCE749
#ce, xrefs: 00B96BAC
#pragma compile, xrefs: 00B96A8B
#cs, xrefs: 00B96B2F, 00B96B84
#include, xrefs: 00B96B03
#notrayicon, xrefs: 00B96AA3

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: ac73204a715d2f8bfa9138b980d9114e51b72fcd1ccf8773a7183b952b056359
Instruction ID: 2e69fb57900dd789c6d952ca86835603038bcece373570e2563e21693a056aa1
Opcode Fuzzy Hash: ac73204a715d2f8bfa9138b980d9114e51b72fcd1ccf8773a7183b952b056359
Instruction Fuzzy Hash: 6181E271644215BBCF21AB60CC93FBE77E8EF15710F0440B9F946AA192EBA0DE51D2A1

Function 00C18A07 Relevance: 40.7, APIs: 21, Strings: 2, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00C18AF3
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C18B04
CharNextW.USER32(0000014E), ref: 00C18B33
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00C18B74
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00C18B8A
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C18B9B
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00C18BB8
SetWindowTextW.USER32(?,0000014E), ref: 00C18C0A
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00C18C20
SendMessageW.USER32(?,00001002,00000000,?), ref: 00C18C51
_memset.LIBCMT ref: 00C18C76
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00C18CBF
_memset.LIBCMT ref: 00C18D1E
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00C18D48
SendMessageW.USER32(?,00001074,?,00000001), ref: 00C18DA0
SendMessageW.USER32(?,0000133D,?,?), ref: 00C18E4D
InvalidateRect.USER32(?,00000000,00000001), ref: 00C18E6F
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00C18EB9
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00C18EE6
DrawMenuBar.USER32(?), ref: 00C18EF5
SetWindowTextW.USER32(?,0000014E), ref: 00C18F1D

Strings

0, xrefs: 00C18E87
@U=u, xrefs: 00C18AF3, 00C18B04, 00C18B39, 00C18BB8, 00C18C20, 00C18C51, 00C18CBF, 00C18D48, 00C18DA0, 00C18E4D

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0$@U=u
API String ID: 1073566785-975001249
Opcode ID: 962262582bf9febf5b94e503604c57128d55bdd8c368dbed547956e848266c6d
Instruction ID: bc8a0be002c4317ef53f9e280bbfcf95c4234cd52932775e2f5b0a116dd33704
Opcode Fuzzy Hash: 962262582bf9febf5b94e503604c57128d55bdd8c368dbed547956e848266c6d
Instruction Fuzzy Hash: 9CE15274905208ABDF109F55DC84EEE7BB9FF06750F10815AFA25AA290DB708A85EF60

Function 00C148F8 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00C14A33
GetDesktopWindow.USER32 ref: 00C14A48
GetWindowRect.USER32(00000000), ref: 00C14A4F
GetWindowLongW.USER32(?,000000F0), ref: 00C14AB1
DestroyWindow.USER32(?), ref: 00C14ADD
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00C14B06
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C14B24
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00C14B4A
SendMessageW.USER32(?,00000421,?,?), ref: 00C14B5F
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00C14B72
IsWindowVisible.USER32(?), ref: 00C14B92
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00C14BAD
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00C14BC1
GetWindowRect.USER32(?,?), ref: 00C14BD9
MonitorFromPoint.USER32(?,?,00000002), ref: 00C14BFF
GetMonitorInfoW.USER32(00000000,?), ref: 00C14C19
CopyRect.USER32(?,?), ref: 00C14C30
SendMessageW.USER32(?,00000412,00000000), ref: 00C14C9B

Strings

(, xrefs: 00C14C0C
tooltips_class32, xrefs: 00C14AFF
0, xrefs: 00C149DE

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: efa73c465af0c18a5fc7e107817d33bf57afed66fc57308e8165b5a31c0a5bf8
Instruction ID: 2bfd16c25c40e4314229a94459472339daa59f81085fcc5b59b415d9937fa74d
Opcode Fuzzy Hash: efa73c465af0c18a5fc7e107817d33bf57afed66fc57308e8165b5a31c0a5bf8
Instruction Fuzzy Hash: BBB19B70604341AFDB48DF28C884BAEBBE5FF85300F00892CF5999B2A1D771E945DB95

Function 00BF44DB Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00BF44ED
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00BF4513
_wcscpy.LIBCMT ref: 00BF4541
_wcscmp.LIBCMT ref: 00BF454C
_wcscat.LIBCMT ref: 00BF4562
_wcsstr.LIBCMT ref: 00BF456D
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00BF4589
_wcscat.LIBCMT ref: 00BF45D2
_wcscat.LIBCMT ref: 00BF45D9
_wcsncpy.LIBCMT ref: 00BF4604

Strings

StringFileInfo\, xrefs: 00BF455C
\VarFileInfo\Translation, xrefs: 00BF4581
DefaultLangCodepage, xrefs: 00BF45EC
%u.%u.%u.%u, xrefs: 00BF4667
04090000, xrefs: 00BF45BF

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 7538b1fbd727882b7cbbb88c42881b9db48d8c92d16df8d7b278ea6aec6c6b05
Instruction ID: e12708c2a192c5296211652f37cb9a8dc81497f3595c80f8fb4016a4cdb8949a
Opcode Fuzzy Hash: 7538b1fbd727882b7cbbb88c42881b9db48d8c92d16df8d7b278ea6aec6c6b05
Instruction Fuzzy Hash: AC41F5726042047BDB10BB649C47EFF77ECEF46710F0440E9F905E6192EBB49A05A6A5

Function 00B927D9 Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00B928BC
GetSystemMetrics.USER32(00000007), ref: 00B928C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00B928EF
GetSystemMetrics.USER32(00000008), ref: 00B928F7
GetSystemMetrics.USER32(00000004), ref: 00B9291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00B92939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00B92949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00B9297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00B92990
GetClientRect.USER32(00000000,000000FF), ref: 00B929AE
GetStockObject.GDI32(00000011), ref: 00B929CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00B929D5

Part of subcall function 00B92344: GetCursorPos.USER32(?), ref: 00B92357
Part of subcall function 00B92344: ScreenToClient.USER32(00C557B0,?), ref: 00B92374
Part of subcall function 00B92344: GetAsyncKeyState.USER32(00000001), ref: 00B92399
Part of subcall function 00B92344: GetAsyncKeyState.USER32(00000002), ref: 00B923A7

SetTimer.USER32(00000000,00000000,00000028,00B91256), ref: 00B929FC

Strings

@U=u, xrefs: 00B929D5
AutoIt v3 GUI, xrefs: 00B92974

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: @U=u$AutoIt v3 GUI
API String ID: 1458621304-2077007950
Opcode ID: 02d76cee0f082ad5ad72aec3910d0f3c1f7225b0d372ef628024ce9970cdbbb3
Instruction ID: fbe125db2a5be0f66376ac4893ec6a207e847a5a3b9a0b419b3cdd023eb4ea04
Opcode Fuzzy Hash: 02d76cee0f082ad5ad72aec3910d0f3c1f7225b0d372ef628024ce9970cdbbb3
Instruction Fuzzy Hash: 45B14D75A4020AEFDF14DFA8DC95BED7BF5FB08311F108269FA15A62A0DB74A841CB50

Function 00BEC2C0 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00BEC2D3
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00BEC2E5
SetWindowTextW.USER32(?,?), ref: 00BEC2FC
GetDlgItem.USER32(?,000003EA), ref: 00BEC311
SetWindowTextW.USER32(00000000,?), ref: 00BEC317
GetDlgItem.USER32(?,000003E9), ref: 00BEC327
SetWindowTextW.USER32(00000000,?), ref: 00BEC32D
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00BEC34E
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00BEC368
GetWindowRect.USER32(?,?), ref: 00BEC371
SetWindowTextW.USER32(?,?), ref: 00BEC3DC
GetDesktopWindow.USER32 ref: 00BEC3E2
GetWindowRect.USER32(00000000), ref: 00BEC3E9
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00BEC435
GetClientRect.USER32(?,?), ref: 00BEC442
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00BEC467
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00BEC492

Strings

@U=u, xrefs: 00BEC2E5

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID: @U=u
API String ID: 3869813825-2594219639
Opcode ID: 1d26be5151f5730c40c6fc4b5ace86007da71b67892e4e821c59c8af6c175038
Instruction ID: f1e79844f8389753289665574589cfee9ec5ad3daba973cabbc83772c515d8d0
Opcode Fuzzy Hash: 1d26be5151f5730c40c6fc4b5ace86007da71b67892e4e821c59c8af6c175038
Instruction Fuzzy Hash: 52516A31900749AFDB20DFA9DD89BAEBBF5FF04704F00856CE686A25A0C774A906CB50

Function 00BEA844 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00BEA885
__swprintf.LIBCMT ref: 00BEA926
_wcscmp.LIBCMT ref: 00BEA939
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00BEA98E
_wcscmp.LIBCMT ref: 00BEA9CA
GetClassNameW.USER32(?,?,00000400), ref: 00BEAA01
GetDlgCtrlID.USER32(?), ref: 00BEAA53
GetWindowRect.USER32(?,?), ref: 00BEAA89
GetParent.USER32(?), ref: 00BEAAA7
ScreenToClient.USER32(00000000), ref: 00BEAAAE
GetClassNameW.USER32(?,?,00000100), ref: 00BEAB28
_wcscmp.LIBCMT ref: 00BEAB3C
GetWindowTextW.USER32(?,?,00000400), ref: 00BEAB62
_wcscmp.LIBCMT ref: 00BEAB76

Part of subcall function 00BB37AC: _iswctype.LIBCMT ref: 00BB37B4

Strings

%s%u, xrefs: 00BEA920

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 6bb6edf1c04172967245d139c6334175a4adfe792b67d072fd25dc41bfff5679
Instruction ID: 063c30c8a8bd04a24139d2a5cd0a4f275212e0a52e2f95adbac2335a78ad7f72
Opcode Fuzzy Hash: 6bb6edf1c04172967245d139c6334175a4adfe792b67d072fd25dc41bfff5679
Instruction Fuzzy Hash: B8A1CE71204786AFD714DF25C884BEAB7EDFF04314F1086A9F99982191EB30F946CB92

Function 00BEB196 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00BEB1DA
_wcscmp.LIBCMT ref: 00BEB1EB
GetWindowTextW.USER32(00000001,?,00000400), ref: 00BEB213
CharUpperBuffW.USER32(?,00000000), ref: 00BEB230
_wcscmp.LIBCMT ref: 00BEB24E
_wcsstr.LIBCMT ref: 00BEB25F
GetClassNameW.USER32(00000018,?,00000400), ref: 00BEB297
_wcscmp.LIBCMT ref: 00BEB2A7
GetWindowTextW.USER32(00000002,?,00000400), ref: 00BEB2CE
GetClassNameW.USER32(00000018,?,00000400), ref: 00BEB317
_wcscmp.LIBCMT ref: 00BEB327
GetClassNameW.USER32(00000010,?,00000400), ref: 00BEB34F
GetWindowRect.USER32(00000004,?), ref: 00BEB3B8

Strings

@, xrefs: 00BEB1BB
ThumbnailClass, xrefs: 00BEB2A2, 00BEB322

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: af0608ee4bbcf7add6db9d82d1cfd99d301346bf78482e771956c8ce3889c3bc
Instruction ID: 611b27c0cbfce5f5d65830db1ebd2e319843b9cdfbed60ca02ae4ceabf8ac710
Opcode Fuzzy Hash: af0608ee4bbcf7add6db9d82d1cfd99d301346bf78482e771956c8ce3889c3bc
Instruction Fuzzy Hash: B9819D710083869BDB01DF12C885FAB7BE8FF44714F0885A9FD859A0A6DB70DD46CBA1

Function 00C1A1EB Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C1A28B
DestroyWindow.USER32(00000000,?), ref: 00C1A305

Part of subcall function 00B97D2C: _memmove.LIBCMT ref: 00B97D66

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00C1A37F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00C1A3A1
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C1A3B4
DestroyWindow.USER32(00000000), ref: 00C1A3D6
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00B90000,00000000), ref: 00C1A40D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C1A426
GetDesktopWindow.USER32 ref: 00C1A43F
GetWindowRect.USER32(00000000), ref: 00C1A446
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00C1A45E
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00C1A476

Part of subcall function 00B925DB: GetWindowLongW.USER32(?,000000EB), ref: 00B925EC

Strings

0, xrefs: 00C1A2A1
tooltips_class32, xrefs: 00C1A378, 00C1A406
@U=u, xrefs: 00C1A3A1, 00C1A3B4, 00C1A426, 00C1A450

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$@U=u$tooltips_class32
API String ID: 1297703922-1130792468
Opcode ID: 41f5e3523be6b08c5dc1bc24fbd20d59cf44676ae36e0c7caef7b27e45b78ef7
Instruction ID: ee819505d6a2e0ff68fe1fd8e336654f574ce06f9c51cc55bcc72bf21b152a77
Opcode Fuzzy Hash: 41f5e3523be6b08c5dc1bc24fbd20d59cf44676ae36e0c7caef7b27e45b78ef7
Instruction Fuzzy Hash: 0071AB71150244AFDB20CF28DC48FAA7BE5FB8A700F44452DF995972A0D770EA86DF22

Function 00C1C668 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B92612: GetWindowLongW.USER32(?,000000EB), ref: 00B92623

DragQueryPoint.SHELL32(?,?), ref: 00C1C691

Part of subcall function 00C1AB69: ClientToScreen.USER32(?,?), ref: 00C1AB92
Part of subcall function 00C1AB69: GetWindowRect.USER32(?,?), ref: 00C1AC08
Part of subcall function 00C1AB69: PtInRect.USER32(?,?,00C1C07E), ref: 00C1AC18

SendMessageW.USER32(?,000000B0,?,?), ref: 00C1C6FA
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00C1C705
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00C1C728
_wcscat.LIBCMT ref: 00C1C758
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00C1C76F
SendMessageW.USER32(?,000000B0,?,?), ref: 00C1C788
SendMessageW.USER32(?,000000B1,?,?), ref: 00C1C79F
SendMessageW.USER32(?,000000B1,?,?), ref: 00C1C7C1
DragFinish.SHELL32(?), ref: 00C1C7C8
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00C1C8BB

Strings

@GUI_DRAGID, xrefs: 00C1C833
@GUI_DRAGFILE, xrefs: 00C1C86A
@GUI_DROPID, xrefs: 00C1C7E8
@U=u, xrefs: 00C1C6FA, 00C1C76F, 00C1C788, 00C1C79F, 00C1C7C1

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$@U=u
API String ID: 169749273-762882726
Opcode ID: d77a3dd1349b9797eed15fee338ac3f1985052a1b0287091644a754f6c646a24
Instruction ID: 7a4addf1e40fff163855c32ab9bef995f7ebf104f255114f16eee5c2ba2fbe97
Opcode Fuzzy Hash: d77a3dd1349b9797eed15fee338ac3f1985052a1b0287091644a754f6c646a24
Instruction Fuzzy Hash: 1E613871508300AFCB01EF64DC85E9FBBE8FB89710F10496EF595961A1DB709A49CB92

Function 00BEAFDF Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00BEB03E

Strings

[LAST, xrefs: 00BEB0EB
ACTIVE, xrefs: 00BEB019
[CLASS:, xrefs: 00BEB08E
[ALL, xrefs: 00BEB0E4
CLASSNAME=, xrefs: 00BEB07B
LAST, xrefs: 00BEB003
HANDLE=, xrefs: 00BEB037
ALL, xrefs: 00BEB0D2
REGEXP=, xrefs: 00BEB053
[ACTIVE, xrefs: 00BEB02B
[REGEXPTITLE:, xrefs: 00BEB066
[HANDLE:, xrefs: 00BEB04A

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: c2643f6a49ad5f38639886762046fadd7d0bee8bbccdaf609281410724df6c09
Instruction ID: eafc37a38dca19067ced8b9c69352b677adb0d4f25873d0a8b27be4944a6ef02
Opcode Fuzzy Hash: c2643f6a49ad5f38639886762046fadd7d0bee8bbccdaf609281410724df6c09
Instruction Fuzzy Hash: 5A316031A88205A6DF24FA61CD53EEF77E4AF10B10F6006B9B452710E2EF61AF04D691

Function 00C05113 Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00C05129
LoadCursorW.USER32(00000000,00007F00), ref: 00C05134
LoadCursorW.USER32(00000000,00007F03), ref: 00C0513F
LoadCursorW.USER32(00000000,00007F8B), ref: 00C0514A
LoadCursorW.USER32(00000000,00007F01), ref: 00C05155
LoadCursorW.USER32(00000000,00007F81), ref: 00C05160
LoadCursorW.USER32(00000000,00007F88), ref: 00C0516B
LoadCursorW.USER32(00000000,00007F80), ref: 00C05176
LoadCursorW.USER32(00000000,00007F86), ref: 00C05181
LoadCursorW.USER32(00000000,00007F83), ref: 00C0518C
LoadCursorW.USER32(00000000,00007F85), ref: 00C05197
LoadCursorW.USER32(00000000,00007F82), ref: 00C051A2
LoadCursorW.USER32(00000000,00007F84), ref: 00C051AD
LoadCursorW.USER32(00000000,00007F04), ref: 00C051B8
LoadCursorW.USER32(00000000,00007F02), ref: 00C051C3
LoadCursorW.USER32(00000000,00007F89), ref: 00C051CE
GetCursorInfo.USER32(?), ref: 00C051DE

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: af83380a81e3dc631233d8698dca381182025ae7765b9c17188cb80cbb51a3c5
Instruction ID: 75181c7415be39ed78f8f75ba3cf6253061bede916b5aa37a579933262fa8174
Opcode Fuzzy Hash: af83380a81e3dc631233d8698dca381182025ae7765b9c17188cb80cbb51a3c5
Instruction Fuzzy Hash: 9231F2B0D483196BDB109FB69C899AFBEE8FF04750F50453AE51DE7280DA78A501CFA1

Function 00C143FB Relevance: 24.8, APIs: 2, Strings: 12, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00C1448D
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00C144D8

Strings

GETTEXT, xrefs: 00C1462B
COLLAPSE, xrefs: 00C1451E
SELECT, xrefs: 00C14689
GETSELECTED, xrefs: 00C145E8
GETITEMCOUNT, xrefs: 00C145BA
UNCHECK, xrefs: 00C146B4
ISCHECKED, xrefs: 00C1465B
CHECK, xrefs: 00C144F8
EXISTS, xrefs: 00C14541
@U=u, xrefs: 00C144D8
EXPAND, xrefs: 00C1458A
GETTOTALCOUNT, xrefs: 00C144BF

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: @U=u$CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-383632319
Opcode ID: 3e91d0fb40aea579808dac0ce9b050763bb170a989c4fc32d1a2cf4bb97cb9a6
Instruction ID: 8238d52bbfc5ec3a37c2d025452a4e6fce0d8cdca829bf1c10f1f1f60177286e
Opcode Fuzzy Hash: 3e91d0fb40aea579808dac0ce9b050763bb170a989c4fc32d1a2cf4bb97cb9a6
Instruction Fuzzy Hash: 55917D702047119BCF18EF15C491AAABBE5FF96314F1444ACF8965B3A2CB30ED4ADB81

Function 00C1B832 Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00C1B8E8
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00C16B43,?), ref: 00C1B944
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00C1B97D
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00C1B9C0
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00C1B9F7
FreeLibrary.KERNEL32(?), ref: 00C1BA03
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00C1BA13
DestroyIcon.USER32(?), ref: 00C1BA22
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00C1BA3F
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00C1BA4B

Part of subcall function 00BB307D: __wcsicmp_l.LIBCMT ref: 00BB3106

Strings

.dll, xrefs: 00C1B8A1
.exe, xrefs: 00C1B87E
@U=u, xrefs: 00C1BA2B
.icl, xrefs: 00C1B85E

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl$@U=u
API String ID: 1212759294-1639919054
Opcode ID: 0e6d4ef54fb9f1666c4e119cf1d2d82c175fdba631b870170886a37e8b0c3aa9
Instruction ID: 0d62a5b88dd1842c0f2b88fc456902bc2a6300019bc7f1ec44a23a7b9f6e1063
Opcode Fuzzy Hash: 0e6d4ef54fb9f1666c4e119cf1d2d82c175fdba631b870170886a37e8b0c3aa9
Instruction Fuzzy Hash: DF61CF71900618BAEB14DF65CC41BFE77A8FF0A710F108169F925D61D0DB74AE81EBA0

Function 00BFA3DC Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00B99997: __itow.LIBCMT ref: 00B999C2
Part of subcall function 00B99997: __swprintf.LIBCMT ref: 00B99A0C

CharLowerBuffW.USER32(?,?), ref: 00BFA455
GetDriveTypeW.KERNEL32 ref: 00BFA4A2
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00BFA4EA
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00BFA521
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00BFA54F

Part of subcall function 00B97D2C: _memmove.LIBCMT ref: 00B97D66

Strings

closed, xrefs: 00BFA469, 00BFA472
close cd wait, xrefs: 00BFA53A
wait, xrefs: 00BFA50C
open, xrefs: 00BFA47C
set cd door , xrefs: 00BFA4F0
close, xrefs: 00BFA45B
type cdaudio alias cd wait, xrefs: 00BFA4CD
open , xrefs: 00BFA4B1

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: ea2074a219ecffb85e1ced354aa4fb9927e69f70d4882e790870b212472d4f41
Instruction ID: 283eb91911528c8fc2f97b754efa40a98020b37608393aa42257d4cf2d50fad3
Opcode Fuzzy Hash: ea2074a219ecffb85e1ced354aa4fb9927e69f70d4882e790870b212472d4f41
Instruction Fuzzy Hash: FE514BB11147049FCB04EF24C89196EB7E8FF94718F1089ADF89957261DB31EE0ACB52

Function 00BFD925 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00BFDA9C
_wcscat.LIBCMT ref: 00BFDAB4
_wcscat.LIBCMT ref: 00BFDAC6
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00BFDADB
SetCurrentDirectoryW.KERNEL32(?), ref: 00BFDAEF
GetFileAttributesW.KERNEL32(?), ref: 00BFDB07
SetFileAttributesW.KERNEL32(?,00000000), ref: 00BFDB21
SetCurrentDirectoryW.KERNEL32(?), ref: 00BFDB33

Strings

*.*, xrefs: 00BFDB72

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: b00bccad023da1f6195ddc7282224cebca41cec5265f2b1f42841a6be9293fc6
Instruction ID: e53615bd374f553eb4036bd70f144d6e1ba1a7a98281ff730b9e29640340f975
Opcode Fuzzy Hash: b00bccad023da1f6195ddc7282224cebca41cec5265f2b1f42841a6be9293fc6
Instruction Fuzzy Hash: 0B81A4725082489FCB24EF64C8849BAB7E6FF89310F1888AEF685D7251D770D948CB52

Function 00C1C216 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B92612: GetWindowLongW.USER32(?,000000EB), ref: 00B92623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00C1C266
GetFocus.USER32 ref: 00C1C276
GetDlgCtrlID.USER32(00000000), ref: 00C1C281
_memset.LIBCMT ref: 00C1C3AC
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00C1C3D7
GetMenuItemCount.USER32(?), ref: 00C1C3F7
GetMenuItemID.USER32(?,00000000), ref: 00C1C40A
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00C1C43E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00C1C486
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00C1C4BE
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00C1C4F3

Strings

0, xrefs: 00C1C3A4

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: f794e50e96140ba191949e8d9d30b0ef65e37df57daaa987c78135c5256b7829
Instruction ID: 5bfed785bc14687b27cb4bac315c1f6a8b5d173c1143db4eb2180b2998404b10
Opcode Fuzzy Hash: f794e50e96140ba191949e8d9d30b0ef65e37df57daaa987c78135c5256b7829
Instruction Fuzzy Hash: 71818D75648301AFDB10DF14C894AFE7BE9FB8A314F00452DF9A5932A1C730D985EBA2

Function 00C0742F Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00C074A4
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00C074B0
CreateCompatibleDC.GDI32(?), ref: 00C074BC
SelectObject.GDI32(00000000,?), ref: 00C074C9
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00C0751D
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00C07559
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00C0757D
SelectObject.GDI32(00000006,?), ref: 00C07585
DeleteObject.GDI32(?), ref: 00C0758E
DeleteDC.GDI32(00000006), ref: 00C07595
ReleaseDC.USER32(00000000,?), ref: 00C075A0

Strings

(, xrefs: 00C07525

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 3cfdf7260b9a2744356b1ef805a71815fc2ff0ac4f280483e392ea706cbbc77e
Instruction ID: 1cfa21abcb0e3a7650cfdd4e934718c2b6e05fbe0e28b886833ef434da03a560
Opcode Fuzzy Hash: 3cfdf7260b9a2744356b1ef805a71815fc2ff0ac4f280483e392ea706cbbc77e
Instruction Fuzzy Hash: EF513671A04209AFCB15CFA8CC85FEEBBB9FF49310F14852DF99A97251D631A941CB60

Function 00BF501C Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00BF5021

Part of subcall function 00BB034A: timeGetTime.WINMM(?,753DB400,00BA0FDB), ref: 00BB034E

Sleep.KERNEL32(0000000A), ref: 00BF504D
EnumThreadWindows.USER32(?,Function_00064FCF,00000000), ref: 00BF5071
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00BF5093
SetActiveWindow.USER32 ref: 00BF50B2
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00BF50C0
SendMessageW.USER32(00000010,00000000,00000000), ref: 00BF50DF
Sleep.KERNEL32(000000FA), ref: 00BF50EA
IsWindow.USER32 ref: 00BF50F6
EndDialog.USER32(00000000), ref: 00BF5107

Strings

BUTTON, xrefs: 00BF5085
@U=u, xrefs: 00BF50C0, 00BF50DF

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: @U=u$BUTTON
API String ID: 1194449130-2582809321
Opcode ID: 0116b49cdf893871b5d618a136aa9756b191691dcbab510dffe4f88a459b8ec5
Instruction ID: 9deb3c3af505dc27ccd1a069af37c84abad9c069c61f4d103662ad941d75305f
Opcode Fuzzy Hash: 0116b49cdf893871b5d618a136aa9756b191691dcbab510dffe4f88a459b8ec5
Instruction Fuzzy Hash: E321AF74240B08AFE7119B30EC89B7E3AA9FB45346F444168F305A32B0EA315D958761

Function 00BF91FE Relevance: 19.8, APIs: 13, Instructions: 322fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00BF9008: __time64.LIBCMT ref: 00BF9012

Part of subcall function 00B95045: _fseek.LIBCMT ref: 00B9505D

__wsplitpath.LIBCMT ref: 00BF92DD

Part of subcall function 00BB426E: __wsplitpath_helper.LIBCMT ref: 00BB42AE

_wcscpy.LIBCMT ref: 00BF92F0
_wcscat.LIBCMT ref: 00BF9303
__wsplitpath.LIBCMT ref: 00BF9328
_wcscat.LIBCMT ref: 00BF933E
_wcscat.LIBCMT ref: 00BF9351

Part of subcall function 00BF904E: _memmove.LIBCMT ref: 00BF9087
Part of subcall function 00BF904E: _memmove.LIBCMT ref: 00BF9096

_wcscmp.LIBCMT ref: 00BF9298

Part of subcall function 00BF97DD: _wcscmp.LIBCMT ref: 00BF98CD
Part of subcall function 00BF97DD: _wcscmp.LIBCMT ref: 00BF98E0

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00BF94FB
_wcsncpy.LIBCMT ref: 00BF956E
DeleteFileW.KERNEL32(?,?), ref: 00BF95A4
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00BF95BA
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00BF95CB
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00BF95DD

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: db4c946697010309e304b8d88ca7b0124b6e391a99c276f2a5458887f3e78eab
Instruction ID: 4731b3e7bfcfd421c064794d8eb55bc708b38f2d928db9adaf8b613e96fb6048
Opcode Fuzzy Hash: db4c946697010309e304b8d88ca7b0124b6e391a99c276f2a5458887f3e78eab
Instruction Fuzzy Hash: 14C128B1D0021DAACF21DFA5CC85AEEBBF9EF55310F0040EAB609E7151DB709A498F65

Function 00B96BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00BB0AD7: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00B96C6C,?,00008000), ref: 00BB0AF3

Part of subcall function 00B948AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B948A1,?,?,00B937C0,?), ref: 00B948CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00B96D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 00B96E5A

Part of subcall function 00B959CD: _wcscpy.LIBCMT ref: 00B95A05

Part of subcall function 00BB37BD: _iswctype.LIBCMT ref: 00BB37C5

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00BCE7EF
Error opening the file, xrefs: 00BCE796, 00BCE811
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00BCE77A
Bad directive syntax error, xrefs: 00BCEAF6
AU3!, xrefs: 00B96CC1
EA06, xrefs: 00BCE7AB
Unterminated string, xrefs: 00BCEB3D

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: b1743588ae48e04e9f25496d4229e326e7dc8d3ba00d48abebd7f0bf24ef2d84
Instruction ID: b731a1246125461ccf4f6964c05f10ecf5054e016f730d459a485c22ec76eb66
Opcode Fuzzy Hash: b1743588ae48e04e9f25496d4229e326e7dc8d3ba00d48abebd7f0bf24ef2d84
Instruction Fuzzy Hash: B90279311083419FCB24EF24C881AAFBBE5FF99354F0449ADF49A972A1DB70D949CB52

Function 00B945DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B945F9
GetMenuItemCount.USER32(00C55890), ref: 00BCD6FD
GetMenuItemCount.USER32(00C55890), ref: 00BCD7AD
GetCursorPos.USER32(?), ref: 00BCD7F1
SetForegroundWindow.USER32(00000000), ref: 00BCD7FA
TrackPopupMenuEx.USER32(00C55890,00000000,?,00000000,00000000,00000000), ref: 00BCD80D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00BCD819

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: 4d5e3d708cac2e246d391f566b7508a6cb3fa5912c44a07ac4d214dade691629
Instruction ID: 0c88a91a812b90bd17d647e9d33a094aeceb15293c9abbb1e5b3e83b45b7126c
Opcode Fuzzy Hash: 4d5e3d708cac2e246d391f566b7508a6cb3fa5912c44a07ac4d214dade691629
Instruction Fuzzy Hash: 6A71C174600209BEEB249F54DC85FAABFE5FB05364F2042BAF519A61E0C7B16C50DB90

Function 00C10EA5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C0FE38,?,?), ref: 00C10EBC

Strings

HKEY_CURRENT_USER, xrefs: 00C10F9B
HKCC, xrefs: 00C10F8A
HKEY_USERS, xrefs: 00C10FBD
HKU, xrefs: 00C10FCE
HKEY_CURRENT_CONFIG, xrefs: 00C10F79
HKCR, xrefs: 00C10F64
HKEY_LOCAL_MACHINE, xrefs: 00C10F25
HKLM, xrefs: 00C10F3A
HKCU, xrefs: 00C10FAC
HKEY_CLASSES_ROOT, xrefs: 00C10F4F

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 061c332ef6790ab0d1377df65122d52c2b23d8b1b4b4a0a3fc0a75d3126e61d4
Instruction ID: c424cd41d0db9402f05099b4d04275a28042ba076333721fe910a1b63762403c
Opcode Fuzzy Hash: 061c332ef6790ab0d1377df65122d52c2b23d8b1b4b4a0a3fc0a75d3126e61d4
Instruction Fuzzy Hash: 96416A7051025A8BCF20EF50D891AFF3BA0FF16350F1444A4FC621B292DB75DA9AEB60

Function 00C174ED Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00C17590
CreateCompatibleDC.GDI32(00000000), ref: 00C17597
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00C175AA
SelectObject.GDI32(00000000,00000000), ref: 00C175B2
GetPixel.GDI32(00000000,00000000,00000000), ref: 00C175BD
DeleteDC.GDI32(00000000), ref: 00C175C6
GetWindowLongW.USER32(?,000000EC), ref: 00C175D0
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00C175E4
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00C175F0

Strings

@U=u, xrefs: 00C175AA
static, xrefs: 00C17528

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: @U=u$static
API String ID: 2559357485-3553413495
Opcode ID: 0b5a1d6db5b19b94262c8f2f20d10eeba9b50b130951f72f40d74eeb1071e8d8
Instruction ID: 6484aa819d2850532b7baa563b03ad7730ff0dd99c91bc262db29500f9e20b24
Opcode Fuzzy Hash: 0b5a1d6db5b19b94262c8f2f20d10eeba9b50b130951f72f40d74eeb1071e8d8
Instruction Fuzzy Hash: 29314931104215ABDB129F64DC08FDE3B6AFF0A360F114328FA25A61A0C731D962EB64

Function 00BEFAD2 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00BCE5F9,00000010,?,Bad directive syntax error,00C1F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00BEFAF3
LoadStringW.USER32(00000000,?,00BCE5F9,00000010), ref: 00BEFAFA

Part of subcall function 00B97F41: _memmove.LIBCMT ref: 00B97F82

_wprintf.LIBCMT ref: 00BEFB2D
__swprintf.LIBCMT ref: 00BEFB4F
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00BEFBBE

Strings

., xrefs: 00BEFBA4
Line %d (File "%s"):, xrefs: 00BEFB64
%s (%d) : ==> %s.: %s %s, xrefs: 00BEFB28
Line %d:, xrefs: 00BEFB49
Error: , xrefs: 00BEFB8C

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: 9c5788b51fc0596e4f31d38e29c443b274ca5beafab69c2cd6dbe15ea68d29e8
Instruction ID: 0f36cc48337f775bde2483b87359f7bfec310b4cfb22159daccb8a8fd43aa8d4
Opcode Fuzzy Hash: 9c5788b51fc0596e4f31d38e29c443b274ca5beafab69c2cd6dbe15ea68d29e8
Instruction Fuzzy Hash: EB21733195421AABCF22EFA0CC56FEE77B9FF15300F0444B6F515620A1DB719A18DB51

Function 00BF536E Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00B97D2C: _memmove.LIBCMT ref: 00B97D66

Part of subcall function 00B97A84: _memmove.LIBCMT ref: 00B97B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00BF53D7
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00BF53ED
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00BF53FE
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00BF5410
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00BF5421

Strings

alias PlayMe, xrefs: 00BF53B0
close PlayMe, xrefs: 00BF53E8, 00BF5415
play PlayMe, xrefs: 00BF541C
status PlayMe mode, xrefs: 00BF53D2
play PlayMe wait, xrefs: 00BF540B
open , xrefs: 00BF5386

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 88a1528414d39fe917fbeada63d014c98a1a58da6a0a6685ea6fba1d7fbc280e
Instruction ID: a37cffbcdad466ec1d56a202793084dd2c3816891b086d9a86de1806a457a99b
Opcode Fuzzy Hash: 88a1528414d39fe917fbeada63d014c98a1a58da6a0a6685ea6fba1d7fbc280e
Instruction Fuzzy Hash: CC1182319A012D79DB20B761CC9ADFF7AFCFB91B40F0004B9B501A20D5EE601D49C5A0

Function 00BF46F8 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00BF4713
gethostname.WSOCK32(?,00000100), ref: 00BF472D
gethostbyname.WSOCK32(?), ref: 00BF473A
_wcscpy.LIBCMT ref: 00BF4762
_memmove.LIBCMT ref: 00BF4775
inet_ntoa.WSOCK32(?), ref: 00BF4780
_strcat.LIBCMT ref: 00BF478E
_wcscpy.LIBCMT ref: 00BF47A5
WSACleanup.WSOCK32 ref: 00BF47B3
_wcscpy.LIBCMT ref: 00BF47C1

Strings

0.0.0.0, xrefs: 00BF475C

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: b9e8b615414cd6187943a30456a68bc1e38ad2dacb85b25fca5da3ba899a1767
Instruction ID: d9887bd4c3672752b4ddf6778bd2d0df000039622b60270d885939195ea08f8d
Opcode Fuzzy Hash: b9e8b615414cd6187943a30456a68bc1e38ad2dacb85b25fca5da3ba899a1767
Instruction Fuzzy Hash: AA11A131504118ABDB20B7209C4AFFF77E8EB03711F0541F9F50597091EFB09A868790

Function 00BFD619 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00B99997: __itow.LIBCMT ref: 00B999C2
Part of subcall function 00B99997: __swprintf.LIBCMT ref: 00B99A0C

CoInitialize.OLE32(00000000), ref: 00BFD676
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00BFD709
SHGetDesktopFolder.SHELL32(?), ref: 00BFD71D
CoCreateInstance.OLE32(00C22D7C,00000000,00000001,00C48C1C,?), ref: 00BFD769
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00BFD7D8
CoTaskMemFree.OLE32(?,?), ref: 00BFD830
_memset.LIBCMT ref: 00BFD86D
SHBrowseForFolderW.SHELL32(?), ref: 00BFD8A9
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00BFD8CC
CoTaskMemFree.OLE32(00000000), ref: 00BFD8D3
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00BFD90A
CoUninitialize.OLE32(00000001,00000000), ref: 00BFD90C

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 226e376e7982fe90415d6a71ed935776f5db9054bed644a71fb1c420602305d3
Instruction ID: af0796c179935c5f4c306c473ac7477bf8da3a95aa58918166b44bdbfea86ecc
Opcode Fuzzy Hash: 226e376e7982fe90415d6a71ed935776f5db9054bed644a71fb1c420602305d3
Instruction Fuzzy Hash: 93B1EF75A00109AFDB14DFA4C888EAEBBF9FF49314B1484A9F509EB251DB31ED45CB50

Function 00BF034D Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00BF03C8
SetKeyboardState.USER32(?), ref: 00BF0433
GetAsyncKeyState.USER32(000000A0), ref: 00BF0453
GetKeyState.USER32(000000A0), ref: 00BF046A
GetAsyncKeyState.USER32(000000A1), ref: 00BF0499
GetKeyState.USER32(000000A1), ref: 00BF04AA
GetAsyncKeyState.USER32(00000011), ref: 00BF04D6
GetKeyState.USER32(00000011), ref: 00BF04E4
GetAsyncKeyState.USER32(00000012), ref: 00BF050D
GetKeyState.USER32(00000012), ref: 00BF051B
GetAsyncKeyState.USER32(0000005B), ref: 00BF0544
GetKeyState.USER32(0000005B), ref: 00BF0552

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 2936242ae32e21b6b9b776e6df371e601a728028f81329cee46a3cff79b652f3
Instruction ID: 6e0ed920d1e4977f064edf584fe55ecb0658abf8c32b4865e60d31fb27ae40e8
Opcode Fuzzy Hash: 2936242ae32e21b6b9b776e6df371e601a728028f81329cee46a3cff79b652f3
Instruction Fuzzy Hash: A351C52491878C2AFB34FBA484507BEBFF4DF11380F4885D996C2571D3DA649A4CCB61

Function 00BEC529 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00BEC545
GetWindowRect.USER32(00000000,?), ref: 00BEC557
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00BEC5B5
GetDlgItem.USER32(?,00000002), ref: 00BEC5C0
GetWindowRect.USER32(00000000,?), ref: 00BEC5D2
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00BEC626
GetDlgItem.USER32(?,000003E9), ref: 00BEC634
GetWindowRect.USER32(00000000,?), ref: 00BEC645
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00BEC688
GetDlgItem.USER32(?,000003EA), ref: 00BEC696
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00BEC6B3
InvalidateRect.USER32(?,00000000,00000001), ref: 00BEC6C0

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: fa8eff4ddb26451eb932286ccb0c260477e5fe2a080106002d3a8402a38973aa
Instruction ID: 4ce45c57a0c908550965b00eac432cafd23cd41e808e879a634b2836483d907d
Opcode Fuzzy Hash: fa8eff4ddb26451eb932286ccb0c260477e5fe2a080106002d3a8402a38973aa
Instruction Fuzzy Hash: 89510C71B00205AFDB18CFA9DD89BAEBBBAFB89311F14816DF515D72A0D770AD018B50

Function 00B9201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00B91B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00B92036,?,00000000,?,?,?,?,00B916CB,00000000,?), ref: 00B91B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00B920D3
KillTimer.USER32(-00000001,?,?,?,?,00B916CB,00000000,?,?,00B91AE2,?,?), ref: 00B9216E
DestroyAcceleratorTable.USER32(00000000), ref: 00BCBE26
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00B916CB,00000000,?,?,00B91AE2,?,?), ref: 00BCBE57
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00B916CB,00000000,?,?,00B91AE2,?,?), ref: 00BCBE6E
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00B916CB,00000000,?,?,00B91AE2,?,?), ref: 00BCBE8A
DeleteObject.GDI32(00000000), ref: 00BCBE9C

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 6876b2248b9154b5869dbd9b5768e5ad290f86d955ebb72346f4ed3ea92a828d
Instruction ID: 11b39581dcd73ae282a193a46dee6f5d5b3c3063d87dbe96a3b1c35ca461ace7
Opcode Fuzzy Hash: 6876b2248b9154b5869dbd9b5768e5ad290f86d955ebb72346f4ed3ea92a828d
Instruction Fuzzy Hash: 9D619B35900B11EFDF259F14D959F6EB7F2FB44312F5088BCE542AAAA0C770A891DB80

Function 00B921A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00B925DB: GetWindowLongW.USER32(?,000000EB), ref: 00B925EC

GetSysColor.USER32(0000000F), ref: 00B921D3

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 00c5600bdd3a0a418e4786bfc5eb1961700e3c2621d1bf19ef20e4381ebc328b
Instruction ID: 11359cbef4e9827f98c4b525830429377b519fba6938b3beba317dceac5b2844
Opcode Fuzzy Hash: 00c5600bdd3a0a418e4786bfc5eb1961700e3c2621d1bf19ef20e4381ebc328b
Instruction Fuzzy Hash: B4415F31504540FADF255F28EC88BBD3BA6EB16731F2482B9FD658A1E5C7318C82DB61

Function 00C18677 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00C18731

Strings

@U=u, xrefs: 00C18767

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: InvalidateRect
String ID: @U=u
API String ID: 634782764-2594219639
Opcode ID: e5aced1223332a45862884fea2191e45e59110d84585fc682a0391161232cf7c
Instruction ID: 9f0a3b7d061835d5cae448d8766f18c10b35fa69aa91e694d217181df7bd2a60
Opcode Fuzzy Hash: e5aced1223332a45862884fea2191e45e59110d84585fc682a0391161232cf7c
Instruction Fuzzy Hash: FA518470908205BEEF209B69CC85BDD7B64EB07350F604525FA25E61E1CF71EAD8EB90

Function 00B92B72 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00BCC477
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00BCC499
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00BCC4B1
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00BCC4CF
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00BCC4F0
DestroyIcon.USER32(00000000), ref: 00BCC4FF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00BCC51C
DestroyIcon.USER32(?), ref: 00BCC52B

Part of subcall function 00C1A4E1: DeleteObject.GDI32(00000000), ref: 00C1A51A

Strings

@U=u, xrefs: 00BCC4F0, 00BCC51C

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID: @U=u
API String ID: 2819616528-2594219639
Opcode ID: be1b6e7088c3eb51f7f41d2c9dde4627fc6a98790f3303cd0d217b2703fd838c
Instruction ID: 0dfaaf0a777789da1a67c4172c61fd3c577c80179a1e6fc091098c662a431603
Opcode Fuzzy Hash: be1b6e7088c3eb51f7f41d2c9dde4627fc6a98790f3303cd0d217b2703fd838c
Instruction Fuzzy Hash: 4E514974A00209AFDF24DF24DC95FAA3BF5EB58711F1085ACF90697290D770AD91DB60

Function 00B99997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00B999C2
__swprintf.LIBCMT ref: 00B99A0C
__i64tow.LIBCMT ref: 00BCF93F

Strings

True, xrefs: 00BCF900
False, xrefs: 00BCF907
0x%p, xrefs: 00BCF921
%.15g, xrefs: 00B99A06

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: fd6501d1dcb8de32678d1b9377b4936aff2bf642d9e24a51c066acd85c3aed64
Instruction ID: 289a06e1544e2a8d1c22a95e185a94b4153b76414fbe13d8a680c30849bd1b85
Opcode Fuzzy Hash: fd6501d1dcb8de32678d1b9377b4936aff2bf642d9e24a51c066acd85c3aed64
Instruction Fuzzy Hash: 9241D171614206AFDF24AF78DC82FBA77E9EB44310F2044FEE54AD7291EA719942CB11

Function 00C17184 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C1719C
CreateMenu.USER32 ref: 00C171B7
SetMenu.USER32(?,00000000), ref: 00C171C6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C17253
IsMenu.USER32(?), ref: 00C17269
CreatePopupMenu.USER32 ref: 00C17273
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00C172A0
DrawMenuBar.USER32 ref: 00C172A8

Strings

F, xrefs: 00C17294
0, xrefs: 00C17192

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 38023df2ff7316affab1f962f1848faa1445369001706376cc9ef02129d9b627
Instruction ID: 202a1cb0ff2f33df0280b10ad55b49fddc98f54cb524e5bc7f57ff25e2da56fa
Opcode Fuzzy Hash: 38023df2ff7316affab1f962f1848faa1445369001706376cc9ef02129d9b627
Instruction Fuzzy Hash: BD413678A01209EFDB10DF64D884BDA7BF6FF4A310F144229F919A7360D770AA51DBA0

Function 00BE9251 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B97F41: _memmove.LIBCMT ref: 00B97F82

Part of subcall function 00BEAEA4: GetClassNameW.USER32(?,?,000000FF), ref: 00BEAEC7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00BE92D6
GetDlgCtrlID.USER32 ref: 00BE92E1
GetParent.USER32 ref: 00BE92FD
SendMessageW.USER32(00000000,?,00000111,?), ref: 00BE9300
GetDlgCtrlID.USER32(?), ref: 00BE9309
GetParent.USER32(?), ref: 00BE9325
SendMessageW.USER32(00000000,?,?,00000111), ref: 00BE9328

Strings

ComboBox, xrefs: 00BE925E
ListBox, xrefs: 00BE9293
@U=u, xrefs: 00BE9328

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 1536045017-2258501812
Opcode ID: 585e00fba1840e48a848568995c7ee3ed8d97bfadd4ef34fb63fffa54d188d0e
Instruction ID: aa16417d5ebe0843fe9e2b19b5ea0d8c6b17587dfeacdbf86dccd0afd6642c58
Opcode Fuzzy Hash: 585e00fba1840e48a848568995c7ee3ed8d97bfadd4ef34fb63fffa54d188d0e
Instruction Fuzzy Hash: A121C470A40248BBDF04EB65CC85EFDBBB4FF45310F1041A9B961972E1DB755819DB20

Function 00BE933C Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B97F41: _memmove.LIBCMT ref: 00B97F82

Part of subcall function 00BEAEA4: GetClassNameW.USER32(?,?,000000FF), ref: 00BEAEC7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00BE93BF
GetDlgCtrlID.USER32 ref: 00BE93CA
GetParent.USER32 ref: 00BE93E6
SendMessageW.USER32(00000000,?,00000111,?), ref: 00BE93E9
GetDlgCtrlID.USER32(?), ref: 00BE93F2
GetParent.USER32(?), ref: 00BE940E
SendMessageW.USER32(00000000,?,?,00000111), ref: 00BE9411

Strings

ComboBox, xrefs: 00BE9349
ListBox, xrefs: 00BE937E
@U=u, xrefs: 00BE9411

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 1536045017-2258501812
Opcode ID: d57c80af5ba36335c4b314b4c4cdfb6dc1a3b0f1cd7b4c59db8a343e200a90ff
Instruction ID: 2fcb5b8b2c2f1b6e9a7c23d98c32590282ac9d37250dc4b2084637c8ff60400d
Opcode Fuzzy Hash: d57c80af5ba36335c4b314b4c4cdfb6dc1a3b0f1cd7b4c59db8a343e200a90ff
Instruction Fuzzy Hash: B421A174A40248BBDF10ABA5CCC5FFEBBB8EF45300F1041A9B951972A1DB75592ADB20

Function 00BE9425 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00BE9431
GetClassNameW.USER32(00000000,?,00000100), ref: 00BE9446
_wcscmp.LIBCMT ref: 00BE9458
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00BE94D3

Strings

SHELLDLL_DefView, xrefs: 00BE9452
smallicons, xrefs: 00BE949B
largeicons, xrefs: 00BE9467
list, xrefs: 00BE94B5
@U=u, xrefs: 00BE94D3
details, xrefs: 00BE9481

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: @U=u$SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-1428604138
Opcode ID: d36a6e0340e60d943c2419f5b3d84be0e1fc25ae73b2cb096b72013e81c1b5bf
Instruction ID: 7f097589e4d4518cc23706556e2784e4f191543a5e988281ef315e60a4ccfa92
Opcode Fuzzy Hash: d36a6e0340e60d943c2419f5b3d84be0e1fc25ae73b2cb096b72013e81c1b5bf
Instruction Fuzzy Hash: 8111067624C347BAF6203621AC06EE633ECEF15B20B2041A6F904A41E1FBA1685B8594

Function 00BF281F Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BF283A
GetMenuItemInfoW.USER32(00C55890,000000FF,00000000,00000030), ref: 00BF289B
SetMenuItemInfoW.USER32(00C55890,00000004,00000000,00000030), ref: 00BF28D1
Sleep.KERNEL32(000001F4), ref: 00BF28E3
GetMenuItemCount.USER32(?), ref: 00BF2927
GetMenuItemID.USER32(?,00000000), ref: 00BF2943
GetMenuItemID.USER32(?,-00000001), ref: 00BF296D
GetMenuItemID.USER32(?,?), ref: 00BF29B2
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00BF29F8
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BF2A0C
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BF2A2D

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: b551194b0f9ab7d7325595a972fd98423a74a53c0b634ab4de3f8a0f9523c8b6
Instruction ID: b5bf2926527b279ff6e0880feefdb5442786cd9d948a149c43fb778755474a3e
Opcode Fuzzy Hash: b551194b0f9ab7d7325595a972fd98423a74a53c0b634ab4de3f8a0f9523c8b6
Instruction Fuzzy Hash: EC619D7490024DAFDF21CF64CC98ABE7BF9FB45304F1440A9EA42A3251D771AD5ADB21

Function 00C16F55 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00C16FD7
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00C16FDA
GetWindowLongW.USER32(?,000000F0), ref: 00C16FFE
_memset.LIBCMT ref: 00C1700F
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C17021
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00C17099

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 3c3cd275a660fb1ee412107619327e3d61b71adc1174dc112bd45b34f19cf3f2
Instruction ID: f193d407dea324735a652041d228e324ef779b2d488901b1921a740547eedd28
Opcode Fuzzy Hash: 3c3cd275a660fb1ee412107619327e3d61b71adc1174dc112bd45b34f19cf3f2
Instruction Fuzzy Hash: 27614C75A00208AFDB11DFA4CC81FEE77F8EB0A710F144159FA15AB2A1C771AE95EB50

Function 00BE6EEE Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00BE6F15
SafeArrayAllocData.OLEAUT32(?), ref: 00BE6F6E
VariantInit.OLEAUT32(?), ref: 00BE6F80
SafeArrayAccessData.OLEAUT32(?,?), ref: 00BE6FA0
VariantCopy.OLEAUT32(?,?), ref: 00BE6FF3
SafeArrayUnaccessData.OLEAUT32(?), ref: 00BE7007
VariantClear.OLEAUT32(?), ref: 00BE701C
SafeArrayDestroyData.OLEAUT32(?), ref: 00BE7029
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00BE7032
VariantClear.OLEAUT32(?), ref: 00BE7044
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00BE704F

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: b589da5580a3d57eab52913e6472d47b297f0cd4c4f28f56559a2fb9d262bf3c
Instruction ID: 205165b3b3f548db86cc10ea5a15e9afe6a088bc9bc73d7abf04637f8b4f0ba7
Opcode Fuzzy Hash: b589da5580a3d57eab52913e6472d47b297f0cd4c4f28f56559a2fb9d262bf3c
Instruction Fuzzy Hash: 924150359001199FCF10DF69D844AEEBBF9FF48354F00C0A9E915A7261DB30A946CB90

Function 00C1D4A8 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B92612: GetWindowLongW.USER32(?,000000EB), ref: 00B92623

GetSystemMetrics.USER32(0000000F), ref: 00C1D4E6
GetSystemMetrics.USER32(0000000F), ref: 00C1D506
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00C1D741
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00C1D75F
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00C1D780
ShowWindow.USER32(00000003,00000000), ref: 00C1D79F
InvalidateRect.USER32(?,00000000,00000001), ref: 00C1D7C4
DefDlgProcW.USER32(?,00000005,?,?), ref: 00C1D7E7

Strings

@U=u, xrefs: 00C1D75F, 00C1D780

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID: @U=u
API String ID: 1211466189-2594219639
Opcode ID: c60dbd303e7295ed190b1f39c7e101b10d24494286270a7dc0e55c482549bf7c
Instruction ID: b28afc8568c480f0781fdff98e298fc6c2ff5300ed102bbb374149982e40fa2c
Opcode Fuzzy Hash: c60dbd303e7295ed190b1f39c7e101b10d24494286270a7dc0e55c482549bf7c
Instruction Fuzzy Hash: 6EB19A75600229EFDF14CF28C9C57ED7BB1BF06701F08C069EC5A9A299D734AA90DB90

Function 00B92E26 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00B92EAE

Part of subcall function 00B91DB3: GetClientRect.USER32(?,?), ref: 00B91DDC
Part of subcall function 00B91DB3: GetWindowRect.USER32(?,?), ref: 00B91E1D
Part of subcall function 00B91DB3: ScreenToClient.USER32(?,?), ref: 00B91E45

GetDC.USER32 ref: 00BCCEB2
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00BCCEC5
SelectObject.GDI32(00000000,00000000), ref: 00BCCED3
SelectObject.GDI32(00000000,00000000), ref: 00BCCEE8
ReleaseDC.USER32(?,00000000), ref: 00BCCEF0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00BCCF7B

Strings

@U=u, xrefs: 00BCCEC5
U, xrefs: 00BCCE50

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: @U=u$U
API String ID: 4009187628-4110099822
Opcode ID: c45c9eff936ed4d7fc1449a0c78b75252f223d3204df4e086cb22abf3025f125
Instruction ID: f8bb88f6d5b49d27cfe9e0cbf880cae517ca13a89b6c3f4cf857ec0c7c4032da
Opcode Fuzzy Hash: c45c9eff936ed4d7fc1449a0c78b75252f223d3204df4e086cb22abf3025f125
Instruction Fuzzy Hash: 46718E30900205EFCF218F64C880BAA7BF6FF59361F1482ADFD595A2A6D7319885DB60

Function 00C05848 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00C058A9
inet_addr.WSOCK32(?), ref: 00C058EE
gethostbyname.WSOCK32(?), ref: 00C058FA
IcmpCreateFile.IPHLPAPI ref: 00C05908
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00C05978
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00C0598E
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00C05A03
WSACleanup.WSOCK32 ref: 00C05A09

Strings

Ping, xrefs: 00C0592C

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: ca29d2a0e689023cb0516f5fb4f1e0e47ee38ab25aca1b7cff9373c1be2268b5
Instruction ID: b68413a95cba4e08848e218e752d4440398db61be3639953b5a44f8ad936ee92
Opcode Fuzzy Hash: ca29d2a0e689023cb0516f5fb4f1e0e47ee38ab25aca1b7cff9373c1be2268b5
Instruction Fuzzy Hash: FA517C31604600EFDB21AF25C845B6EB7E4EB49720F148569F9A69B2E1DB30E901DF51

Function 00BFB54F Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00BFB55C
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00BFB5D2
GetLastError.KERNEL32 ref: 00BFB5DC
SetErrorMode.KERNEL32(00000000,READY), ref: 00BFB649

Strings

NOTREADY, xrefs: 00BFB608
READONLY, xrefs: 00BFB614
READY, xrefs: 00BFB622
INVALID, xrefs: 00BFB61B
UNKNOWN, xrefs: 00BFB601

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: a5486a7aa2852e6580d3abf3413f284055b2d82905d49e5a45d52dccad8bf6a0
Instruction ID: 28aee841a9629be40abfe6a207b489a310bdaa2c1de9b71b71988e545716119b
Opcode Fuzzy Hash: a5486a7aa2852e6580d3abf3413f284055b2d82905d49e5a45d52dccad8bf6a0
Instruction Fuzzy Hash: 1D318F35A00209AFDB10EF68CC95EBDB7F4FF15740F1480A9E605D7291DB709A4ACB90

Function 00C16205 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00C1621D
GetDC.USER32(00000000), ref: 00C16225
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C16230
ReleaseDC.USER32(00000000,00000000), ref: 00C1623C
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00C16278
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00C16289
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00C1905C,?,?,000000FF,00000000,?,000000FF,?), ref: 00C162C3
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00C162E3

Strings

@U=u, xrefs: 00C16289, 00C162E3

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID: @U=u
API String ID: 3864802216-2594219639
Opcode ID: 2a40236456ddf611c155b9963af795bc04cecd6ee37a297120761363b9b0f301
Instruction ID: c4907e79b90de2a2ac4d6f81bf20f9bf3f4d5152dc6c6f001d264837b12a2348
Opcode Fuzzy Hash: 2a40236456ddf611c155b9963af795bc04cecd6ee37a297120761363b9b0f301
Instruction Fuzzy Hash: 3C317F72201214BFEB118F50DC4AFEA3BA9FF0A765F044069FE08DA191C6759D42CBB4

Function 00C089C0 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C089EC
CoInitialize.OLE32(00000000), ref: 00C08A19
CoUninitialize.OLE32 ref: 00C08A23
GetRunningObjectTable.OLE32(00000000,?), ref: 00C08B23
SetErrorMode.KERNEL32(00000001,00000029), ref: 00C08C50
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00C22C0C), ref: 00C08C84
CoGetObject.OLE32(?,00000000,00C22C0C,?), ref: 00C08CA7
SetErrorMode.KERNEL32(00000000), ref: 00C08CBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00C08D3A
VariantClear.OLEAUT32(?), ref: 00C08D4A

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 1064040734af9b05dcab6b84ca955bb957a33425f14499b9b757ec6cfba97144
Instruction ID: 530002df974d2555729144b6fc22fe50e398a7528ba87e57302027c2ee689842
Opcode Fuzzy Hash: 1064040734af9b05dcab6b84ca955bb957a33425f14499b9b757ec6cfba97144
Instruction Fuzzy Hash: C4C12B71208305AFD700DF64C884A6BB7E9FF89744F00896DF5899B291DB71ED4ACB52

Function 00BF7A39 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00BF7B15

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: bcafd981b6d164dca740e71f05f1321f128f56158133c728b3a76e9ac612a541
Instruction ID: db88a53618a4d45a5c5819dd90d4a82b24a9cc682d64d0d297d922b693123b96
Opcode Fuzzy Hash: bcafd981b6d164dca740e71f05f1321f128f56158133c728b3a76e9ac612a541
Instruction Fuzzy Hash: 70B18CB594821A9FDB10DF98D884BBEB7F4EF09321F2044E9E601E7251DB74A949CB90

Function 00BF14FF Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00BF1521
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00BF0599,?,00000001), ref: 00BF1535
GetWindowThreadProcessId.USER32(00000000), ref: 00BF153C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00BF0599,?,00000001), ref: 00BF154B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00BF155D
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00BF0599,?,00000001), ref: 00BF1576
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00BF0599,?,00000001), ref: 00BF1588
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00BF0599,?,00000001), ref: 00BF15CD
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00BF0599,?,00000001), ref: 00BF15E2
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00BF0599,?,00000001), ref: 00BF15ED

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 331418a44324dee039eab306bbf90e42b5012b2e9d9e72c7c02c4ed1e484e154
Instruction ID: f8e535fed939b927ef72f37ed10bdb93658b531811b823790da4b0c8b49dff64
Opcode Fuzzy Hash: 331418a44324dee039eab306bbf90e42b5012b2e9d9e72c7c02c4ed1e484e154
Instruction Fuzzy Hash: B0319F75900308EBDB10DF98EC44BBD37EAFBA5322F508959FA06D71A0D77099858B60

Function 00BEA473 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00BEA844), ref: 00BEA782

Strings

INSTANCE, xrefs: 00BEA690
NAME, xrefs: 00BEA5B4
CLASSNN, xrefs: 00BEA524
TEXT, xrefs: 00BEA6B9
CLASS, xrefs: 00BEA501
REGEXPCLASS, xrefs: 00BEA547

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 14c4105b296b81b93080edeae4a3af9ae73a2312b5e5e121fa88713802ec1b92
Instruction ID: 6a25c0c89d771cca66e9fe497bec6106be51f636c0fb90de02064a2a89af1b7b
Opcode Fuzzy Hash: 14c4105b296b81b93080edeae4a3af9ae73a2312b5e5e121fa88713802ec1b92
Instruction Fuzzy Hash: 4691AE70A00545ABCB18EF61C4D1BEAFBF8FF05300F1481A9E85AA7151DF30B999DBA1

Function 00C1B385 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(0126CF60), ref: 00C1B41F
IsWindowEnabled.USER32(0126CF60), ref: 00C1B42B
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00C1B50F
SendMessageW.USER32(0126CF60,000000B0,?,?), ref: 00C1B546
IsDlgButtonChecked.USER32(?,?), ref: 00C1B583
GetWindowLongW.USER32(0126CF60,000000EC), ref: 00C1B5A5
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00C1B5BD

Strings

@U=u, xrefs: 00C1B50F, 00C1B546, 00C1B5BD

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID: @U=u
API String ID: 4072528602-2594219639
Opcode ID: 7283423addf6e6c7601d87862e5695b45ca22f1ec05184a8f826143e45f2b5af
Instruction ID: eb8d562b66556976c819b7f870f931f718e20704554548f471cc4f7b6168c7c7
Opcode Fuzzy Hash: 7283423addf6e6c7601d87862e5695b45ca22f1ec05184a8f826143e45f2b5af
Instruction Fuzzy Hash: F7718F34601204EFDB219F55C894FEA7BB5FF0A310F548069F9A5972A2C731AE91EF50

Function 00C16DB2 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00C16E56
SendMessageW.USER32(?,00001036,00000000,?), ref: 00C16E6A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00C16E84
_wcscat.LIBCMT ref: 00C16EDF
SendMessageW.USER32(?,00001057,00000000,?), ref: 00C16EF6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00C16F24

Strings

SysListView32, xrefs: 00C16E28
@U=u, xrefs: 00C16E56, 00C16E6A

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: @U=u$SysListView32
API String ID: 307300125-1908207174
Opcode ID: 8cfb027245dedceb857afc930bee5b1ae32aaee3cd0e5927e64680d1e9fc065d
Instruction ID: 940f0480e456aa1255e9106c3b7ed709a306af465fc504d9712b963b01defbdd
Opcode Fuzzy Hash: 8cfb027245dedceb857afc930bee5b1ae32aaee3cd0e5927e64680d1e9fc065d
Instruction Fuzzy Hash: 5341A074A00308ABEB21DFA4DC85BEE77F8EF09350F10056AF594E7291D2729EC59B64

Function 00C162FF Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00C1631E
GetWindowLongW.USER32(0126CF60,000000F0), ref: 00C16351
GetWindowLongW.USER32(0126CF60,000000F0), ref: 00C16386
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00C163B8
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00C163E2
GetWindowLongW.USER32(?,000000F0), ref: 00C163F3
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00C1640D

Strings

@U=u, xrefs: 00C1631E, 00C163B8, 00C163E2

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: @U=u
API String ID: 2178440468-2594219639
Opcode ID: 5784ce1b14bed0f86808afbb1f07b0b3005d603ad271f1ae7a03cbacc1e5b67d
Instruction ID: 3da70747f88e28c59e4074bc066aa229115358ad11d2528fac0742981f02189b
Opcode Fuzzy Hash: 5784ce1b14bed0f86808afbb1f07b0b3005d603ad271f1ae7a03cbacc1e5b67d
Instruction Fuzzy Hash: F5311234644250AFDB21CF18DC94F9937E1FB4A720F1941A8F5219F2B2CB72A981EB51

Function 00C08D5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00C1F910), ref: 00C08E3D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00C1F910), ref: 00C08E71
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00C08FEB
SysFreeString.OLEAUT32(?), ref: 00C09015

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: dd9525a7edc2987ffd82a3ecc90d9d6e63d5a8ebe7545df820a6edb141608cf6
Instruction ID: c0e0ac572d8db1ea847e1700b75b833dd95a3a56b59e7f8409e2446693c34a05
Opcode Fuzzy Hash: dd9525a7edc2987ffd82a3ecc90d9d6e63d5a8ebe7545df820a6edb141608cf6
Instruction Fuzzy Hash: F8F14E71A00209EFDF04DFA4C888EAEB7B9FF49315F108499F555AB291DB31AE46CB50

Function 00C0F7A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C0F7C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C0F95C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C0F980
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C0F9C0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C0F9E2
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C0FB5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00C0FB90
CloseHandle.KERNEL32(?), ref: 00C0FBBF
CloseHandle.KERNEL32(?), ref: 00C0FC36

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 954af709d76a544b3e3c7fdec3db639afda477e15c7f94f72eeee95269066217
Instruction ID: 1373492b91fe1c2a48a3cf6c9a382bf5a33d589b12d9cae1377ea3118fea5629
Opcode Fuzzy Hash: 954af709d76a544b3e3c7fdec3db639afda477e15c7f94f72eeee95269066217
Instruction Fuzzy Hash: C4E1A3316042019FCB24EF24C891B6ABBE5BF85350F1485BDF8999B2E2CB71DD46CB52

Function 00BF4D68 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00BF46AF: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00BF36DB,?), ref: 00BF46CC

Part of subcall function 00BF46AF: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00BF36DB,?), ref: 00BF46E5

Part of subcall function 00BF4AD8: GetFileAttributesW.KERNELBASE(?,00BF374F), ref: 00BF4AD9

lstrcmpiW.KERNEL32(?,?), ref: 00BF4DE7
_wcscmp.LIBCMT ref: 00BF4E01
MoveFileW.KERNEL32(?,?), ref: 00BF4E1C

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 81238c207328d82314629eaa80c402a77ca010dbb3e36328724b4c9d0b4853bc
Instruction ID: ea5f0b5e2206c77462a0b97f5e72843a29396f2e51241e4fb7ca78313701e843
Opcode Fuzzy Hash: 81238c207328d82314629eaa80c402a77ca010dbb3e36328724b4c9d0b4853bc
Instruction Fuzzy Hash: 345146B24083859BC724DB94D8819EFB7ECEF85300F50496EF689D3151EF74A68C8756

Function 00BE9930 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BEAC37: GetWindowThreadProcessId.USER32(?,00000000), ref: 00BEAC57
Part of subcall function 00BEAC37: GetCurrentThreadId.KERNEL32 ref: 00BEAC5E
Part of subcall function 00BEAC37: AttachThreadInput.USER32(00000000,?,00BE9945,?,00000001), ref: 00BEAC65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00BE9950
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00BE996D
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00BE9970
MapVirtualKeyW.USER32(00000025,00000000), ref: 00BE9979
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00BE9997
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00BE999A
MapVirtualKeyW.USER32(00000025,00000000), ref: 00BE99A3
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00BE99BA
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00BE99BD

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: fdd9aa1f9dd55136942d1213fdebd9d4e670e673f5bf0c622eea0cdbe890aeae
Instruction ID: 833d652fc8e59b9f302f2b11fd3a62cb23c869bf8d453196ae3fa493ea5d715b
Opcode Fuzzy Hash: fdd9aa1f9dd55136942d1213fdebd9d4e670e673f5bf0c622eea0cdbe890aeae
Instruction Fuzzy Hash: E3114471510608BFF6106F21CC89FAE3F6CFB4D751F204029F204AB0A0CAF22C51CAA4

Function 00BE8BE3 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00BE8864,00000B00,?,?), ref: 00BE8BEC
HeapAlloc.KERNEL32(00000000,?,00BE8864,00000B00,?,?), ref: 00BE8BF3
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00BE8864,00000B00,?,?), ref: 00BE8C08
GetCurrentProcess.KERNEL32(?,00000000,?,00BE8864,00000B00,?,?), ref: 00BE8C10
DuplicateHandle.KERNEL32(00000000,?,00BE8864,00000B00,?,?), ref: 00BE8C13
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00BE8864,00000B00,?,?), ref: 00BE8C23
GetCurrentProcess.KERNEL32(00BE8864,00000000,?,00BE8864,00000B00,?,?), ref: 00BE8C2B
DuplicateHandle.KERNEL32(00000000,?,00BE8864,00000B00,?,?), ref: 00BE8C2E
CreateThread.KERNEL32(00000000,00000000,00BE8C54,00000000,00000000,00000000), ref: 00BE8C48

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 089ba7ce93978d97b10f25ca6bea9b1fd8d222e801e33e9e1189f579c3215acc
Instruction ID: 3f8cbe3537e83c7c4fa0a8ee727e427f131263e324e70e4e54ab69defe45c03d
Opcode Fuzzy Hash: 089ba7ce93978d97b10f25ca6bea9b1fd8d222e801e33e9e1189f579c3215acc
Instruction Fuzzy Hash: 4801ACB5240344FFE610AB65DC49F9F3BACFB89711F108425FA05DB1A1CA7498018A20

Function 00C09228 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C0927C
VariantInit.OLEAUT32(?), ref: 00C0934D
VariantInit.OLEAUT32(?), ref: 00C0944E
VariantClear.OLEAUT32(?), ref: 00C09458
VariantClear.OLEAUT32(?), ref: 00C094B5

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00C09431
Null Object assignment in FOR..IN loop, xrefs: 00C092DD, 00C0940B, 00C094C3

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 2b117f48ea90f657b344b326da31b6b498bbde2e971e6ed69c126e2379c6040b
Instruction ID: 0e4750cb31c2ce2a0f6dab7136408d65c8c94d74791740ce22a63c300026d3d3
Opcode Fuzzy Hash: 2b117f48ea90f657b344b326da31b6b498bbde2e971e6ed69c126e2379c6040b
Instruction Fuzzy Hash: E791C071A00219ABDF20DFA5CC44FAEB7B8EF45710F108569F515AB2D1D7709A46CFA0

Function 00C09872 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00BE7432: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00BE736C,80070057,?,?,?,00BE777D), ref: 00BE744F
Part of subcall function 00BE7432: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00BE736C,80070057,?,?), ref: 00BE746A
Part of subcall function 00BE7432: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00BE736C,80070057,?,?), ref: 00BE7478
Part of subcall function 00BE7432: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00BE736C,80070057,?), ref: 00BE7488

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00C0991B
_memset.LIBCMT ref: 00C09928
_memset.LIBCMT ref: 00C09A6B
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00C09A97
CoTaskMemFree.OLE32(?), ref: 00C09AA2

Strings

NULL Pointer assignment, xrefs: 00C09AF0

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 936114b6ac1220d667d0b76fb5bca59e24d905003d860f62bdb15f7c09ad67f5
Instruction ID: 33cf12e0eaa7b198a87bec7940ca3e7a4e8f158f14120a5d7179547be7f026b8
Opcode Fuzzy Hash: 936114b6ac1220d667d0b76fb5bca59e24d905003d860f62bdb15f7c09ad67f5
Instruction Fuzzy Hash: EE912871D00229ABDF20DFA5DC85ADEBBB8FF09710F108169F519A7291DB709A45CFA0

Function 00C0EA47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00BF3C99: CreateToolhelp32Snapshot.KERNEL32 ref: 00BF3CBE
Part of subcall function 00BF3C99: Process32FirstW.KERNEL32(00000000,?), ref: 00BF3CCC
Part of subcall function 00BF3C99: CloseHandle.KERNEL32(00000000), ref: 00BF3D96

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C0EAB8
GetLastError.KERNEL32 ref: 00C0EACB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C0EAFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 00C0EB77
GetLastError.KERNEL32(00000000), ref: 00C0EB82
CloseHandle.KERNEL32(00000000), ref: 00C0EBB7

Strings

SeDebugPrivilege, xrefs: 00C0EAD6

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: b007106d5d082a46b7a5f3648577567df822c1758c4857bf41e07b03b1caa12b
Instruction ID: 918020faf07b29d77e62f973f489f5544b67be119ffed862539573ef78c5982e
Opcode Fuzzy Hash: b007106d5d082a46b7a5f3648577567df822c1758c4857bf41e07b03b1caa12b
Instruction Fuzzy Hash: F841AB302442019FDB14EF64CC95F6EB7E5EF90314F1884ADF9469B2E2DBB5A904CB89

Function 00C1B6D2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00C557B0,00000000,0126CF60,?,?,00C557B0,?,00C1B5DC,?,?), ref: 00C1B746
EnableWindow.USER32(?,00000000), ref: 00C1B76A
ShowWindow.USER32(00C557B0,00000000,0126CF60,?,?,00C557B0,?,00C1B5DC,?,?), ref: 00C1B7CA
ShowWindow.USER32(?,00000004,?,00C1B5DC,?,?), ref: 00C1B7DC
EnableWindow.USER32(?,00000001), ref: 00C1B800
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00C1B823

Strings

@U=u, xrefs: 00C1B823

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID: @U=u
API String ID: 642888154-2594219639
Opcode ID: f71b3d92a1495df9dd9807a8990e4b08ef8fe4d5df41bdfca4f64e6ca2dca036
Instruction ID: eaa5bdaa4daca4477e2b00578662ba838221312db3059366c71a91a263d1212c
Opcode Fuzzy Hash: f71b3d92a1495df9dd9807a8990e4b08ef8fe4d5df41bdfca4f64e6ca2dca036
Instruction Fuzzy Hash: F3413C34600144EFDB22CF24C489BD47BE5BB4A714F1881A9F9598F2A2C731AD86DFA1

Function 00BF302E Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00BF30CD

Strings

question, xrefs: 00BF3086
blank, xrefs: 00BF304F
stop, xrefs: 00BF309E
warning, xrefs: 00BF30B6
info, xrefs: 00BF306E

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: df0ca346deac101c6a8b928c2980e4b2bc29f6739b5e3c9eed2e2d1ec7ea1486
Instruction ID: 19382c9bc820610d9e410dd36ffc8d735ca23d3e38c50a91b0ffc8618b29763c
Opcode Fuzzy Hash: df0ca346deac101c6a8b928c2980e4b2bc29f6739b5e3c9eed2e2d1ec7ea1486
Instruction Fuzzy Hash: B311EB3560930BBAE720AA74DC82FBE77DCEF05B60F1040ABF600A7281DEB55F4945A0

Function 00BF4339 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00BF4353
LoadStringW.USER32(00000000), ref: 00BF435A
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00BF4370
LoadStringW.USER32(00000000), ref: 00BF4377
_wprintf.LIBCMT ref: 00BF439D
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00BF43BB

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00BF4398

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: b5359b7bb30f9077afcb0786f26067dee62de1cae31976fb051b8eb57207f394
Instruction ID: e12c2f8cb4df573eb0de3b1219a8acb7d04686f8d4722a71d569aff36db31767
Opcode Fuzzy Hash: b5359b7bb30f9077afcb0786f26067dee62de1cae31976fb051b8eb57207f394
Instruction Fuzzy Hash: C00121F6900208BFD711EB909D89FFB776CE709301F0045A5BB05E2051DA749E854B74

Function 00B92A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00BCC347,00000004,00000000,00000000,00000000), ref: 00B92ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00BCC347,00000004,00000000,00000000,00000000,000000FF), ref: 00B92B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00BCC347,00000004,00000000,00000000,00000000), ref: 00BCC39A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00BCC347,00000004,00000000,00000000,00000000), ref: 00BCC406

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: cbc61c1a926e7f3e9e7b76b425dfc7460106372046d9fbc9f3641cdc6299a40d
Instruction ID: 3cc8a56223445c25a61a4b547c43d97d1e971c6337448188e5cb936f453f7d48
Opcode Fuzzy Hash: cbc61c1a926e7f3e9e7b76b425dfc7460106372046d9fbc9f3641cdc6299a40d
Instruction Fuzzy Hash: 0341C732A04A80BACF398B289CD8B6E7FD1FB96310F14C8FDE04796561C6719882D711

Function 00BF716F Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00BF7186

Part of subcall function 00BB0F36: std::exception::exception.LIBCMT ref: 00BB0F6C
Part of subcall function 00BB0F36: __CxxThrowException@8.LIBCMT ref: 00BB0F81

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00BF71BD
EnterCriticalSection.KERNEL32(?), ref: 00BF71D9
_memmove.LIBCMT ref: 00BF7227
_memmove.LIBCMT ref: 00BF7244
LeaveCriticalSection.KERNEL32(?), ref: 00BF7253
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00BF7268
InterlockedExchange.KERNEL32(?,000001F6), ref: 00BF7287

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: d805e13685730d93eefdab5929bc551d640d65cc57758de11ccb24c0f344872e
Instruction ID: 38778bd40bec1ef4cb8c0f9854cd3bddc8037c2074da56dedd3a701e77a794c4
Opcode Fuzzy Hash: d805e13685730d93eefdab5929bc551d640d65cc57758de11ccb24c0f344872e
Instruction Fuzzy Hash: C1314D71A04205EBCB10AF94DC85ABF77B8FF45710F1481E9F904AB256DB709A15CBA0

Function 00BFEBAF Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00B99997: __itow.LIBCMT ref: 00B999C2
Part of subcall function 00B99997: __swprintf.LIBCMT ref: 00B99A0C

Part of subcall function 00BAFE06: _wcscpy.LIBCMT ref: 00BAFE29

_wcstok.LIBCMT ref: 00BFED20
_wcscpy.LIBCMT ref: 00BFEDAF
_memset.LIBCMT ref: 00BFEDE2

Strings

X, xrefs: 00BFEE1F

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: eb160f0ad1fec2a3d7b7ab797a7a23803f021875d650f8a7aa7eb6871d0029e5
Instruction ID: ed1c87297ab00e123f5aaee2ad03d2ed933919379bbeaacf7511aef3ad7b37cd
Opcode Fuzzy Hash: eb160f0ad1fec2a3d7b7ab797a7a23803f021875d650f8a7aa7eb6871d0029e5
Instruction Fuzzy Hash: ADC16F355083049FDB64EF24C885AAAB7E4FF85310F0449BDF599972A2DB70ED09CB82

Function 00C06C19 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?), ref: 00C06D16
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00C06D37
WSAGetLastError.WSOCK32(00000000), ref: 00C06D4A
htons.WSOCK32(?), ref: 00C06E00
inet_ntoa.WSOCK32(?), ref: 00C06DBD

Part of subcall function 00BEABF4: _strlen.LIBCMT ref: 00BEABFE
Part of subcall function 00BEABF4: _memmove.LIBCMT ref: 00BEAC20

_strlen.LIBCMT ref: 00C06E5A
_memmove.LIBCMT ref: 00C06EC3

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 58dbba0ff747646b8d70520d8a704e1d905c7f290e152105ac7a74dacdd3b761
Instruction ID: 2f5b60ba031854a6a8032debc4e83253f9c76c79e15e9f780e1dcbb836b29b76
Opcode Fuzzy Hash: 58dbba0ff747646b8d70520d8a704e1d905c7f290e152105ac7a74dacdd3b761
Instruction Fuzzy Hash: E581CD31104300ABDB20EF24CC86E6BB7E9EF84714F14496CF5659B2E2DB71AE05CB91

Function 00B91424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 864a12abb0cc6cfdd980390fc7efe2336cfab2644976636f7f306a952f4ddc02
Instruction ID: c655526cac0fb677ae2867e3d83340bc44389a51a256551deafaae5bac53e3b3
Opcode Fuzzy Hash: 864a12abb0cc6cfdd980390fc7efe2336cfab2644976636f7f306a952f4ddc02
Instruction Fuzzy Hash: 05715C7090010AEFDF049F99CC85EBEBBB9FF89310F218599E915AA351C730AA51DF64

Function 00C0F532 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C0F55C
_memset.LIBCMT ref: 00C0F625
ShellExecuteExW.SHELL32(?), ref: 00C0F66A

Part of subcall function 00B99997: __itow.LIBCMT ref: 00B999C2
Part of subcall function 00B99997: __swprintf.LIBCMT ref: 00B99A0C

Part of subcall function 00BAFE06: _wcscpy.LIBCMT ref: 00BAFE29

GetProcessId.KERNEL32(00000000), ref: 00C0F6E1
CloseHandle.KERNEL32(00000000), ref: 00C0F710

Strings

@, xrefs: 00C0F639

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 83062b443fea63c0572e8c209ac50689b7418a9b148074398df8cef3e59ea22a
Instruction ID: e7d611228f957773b866c02f519e9131de7f3b7f94fe9bd859004cb71024e872
Opcode Fuzzy Hash: 83062b443fea63c0572e8c209ac50689b7418a9b148074398df8cef3e59ea22a
Instruction Fuzzy Hash: 60619175A006199FCF14DF58C8819AEBBF5FF48310F1484ADE856AB7A1CB31AD41CB94

Function 00BF127E Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00BF12BD
GetKeyboardState.USER32(?), ref: 00BF12D2
SetKeyboardState.USER32(?), ref: 00BF1333
PostMessageW.USER32(?,00000101,00000010,?), ref: 00BF1361
PostMessageW.USER32(?,00000101,00000011,?), ref: 00BF1380
PostMessageW.USER32(?,00000101,00000012,?), ref: 00BF13C6
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00BF13E9

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 5b5cd5ce739d53a69d2fe5b8cd22c7595ac2748d64e9c937303f4e7861c63f1d
Instruction ID: 0d5ba7017b72f5eea04f35f07ef3eebf249a77efd72eebfcbe0cc7ff0e3d1520
Opcode Fuzzy Hash: 5b5cd5ce739d53a69d2fe5b8cd22c7595ac2748d64e9c937303f4e7861c63f1d
Instruction Fuzzy Hash: 4F51E6A09047D9BDFB36463C8C45BBABEE9AB46304F088DC9E2D5578C2C2D89C9CD750

Function 00BF1097 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00BF10D6
GetKeyboardState.USER32(?), ref: 00BF10EB
SetKeyboardState.USER32(?), ref: 00BF114C
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00BF1178
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00BF1195
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00BF11D9
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00BF11FA

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 177ae788a19e8c33f999eb686687a20977112e2cb4e12eaf48e3be55b85efcaf
Instruction ID: bb82a15f2af7723417f77d7fd52e64d9b55b8f498a593c5d43a299399846dda7
Opcode Fuzzy Hash: 177ae788a19e8c33f999eb686687a20977112e2cb4e12eaf48e3be55b85efcaf
Instruction Fuzzy Hash: 0F51E8A05047D9BDFB3687788C45BBA7EE9AB06300F088DC9E3D5578C2C6949D8CE750

Function 00BF56A4 Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00BF56B1
_wcsncpy.LIBCMT ref: 00BF56E6
_wcsncpy.LIBCMT ref: 00BF5718
_wcsncpy.LIBCMT ref: 00BF574B
_wcsncpy.LIBCMT ref: 00BF578D
_wcsncpy.LIBCMT ref: 00BF57C7
_wcsncpy.LIBCMT ref: 00BF57F6

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 4f715d3767bfa93afef385f5dcfd3ecbbe4b4e5502ee820a634c94e68dc6be3a
Instruction ID: 29a89b22596ef8574f73fff36405496eca47b29bd82c95ddc41f3e57d983e1ad
Opcode Fuzzy Hash: 4f715d3767bfa93afef385f5dcfd3ecbbe4b4e5502ee820a634c94e68dc6be3a
Instruction Fuzzy Hash: 0741B3A5C209187ACB11EBB498469EFB7FCAF05310F5085A6F618E3122EB74A704C3A5

Function 00C1A088 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

@U=u, xrefs: 00C1A181

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID:
String ID: @U=u
API String ID: 0-2594219639
Opcode ID: 292b389dc9bb78c3a5458a7bd58d701ffe1575614e1f53e0238fb727d28cf0a3
Instruction ID: e11e42d1e1973629785eb3699ab5319f5e039bac48186f5420ccae38d7f212a1
Opcode Fuzzy Hash: 292b389dc9bb78c3a5458a7bd58d701ffe1575614e1f53e0238fb727d28cf0a3
Instruction Fuzzy Hash: 6B41A236902244FFD710DF28CC45FEDBBA5AB0B360F254169E826A72E1C7309E81EA51

Function 00BF36B5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00BF46AF: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00BF36DB,?), ref: 00BF46CC

Part of subcall function 00BF46AF: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00BF36DB,?), ref: 00BF46E5

lstrcmpiW.KERNEL32(?,?), ref: 00BF36FB
_wcscmp.LIBCMT ref: 00BF3717
MoveFileW.KERNEL32(?,?), ref: 00BF372F
_wcscat.LIBCMT ref: 00BF3777
SHFileOperationW.SHELL32(?), ref: 00BF37E3

Strings

\*.*, xrefs: 00BF3771

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: d15e3425383f8da1e02556bfe8ebd7a390652d182a03f2668a7268f249e1b5e1
Instruction ID: 98e63e9bcb89052047c7a298cf0a2b824491ffbae60be07c2e3ce9dffee9981c
Opcode Fuzzy Hash: d15e3425383f8da1e02556bfe8ebd7a390652d182a03f2668a7268f249e1b5e1
Instruction Fuzzy Hash: 55418FB2508348AAC751EF64C441AEFB7E8EF89740F4009AEB599C3161EA34D68CC756

Function 00C172C3 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C172DC
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C17383
IsMenu.USER32(?), ref: 00C1739B
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00C173E3
DrawMenuBar.USER32 ref: 00C173F6

Strings

0, xrefs: 00C172D0

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: a31987b4d4033974b2f8c08c66d2c0d1bcf0d81a308fc4088e98f4122c7d795b
Instruction ID: 5276c7c8246619742ec119f72610d6f310800368742438d1ec10f2c2922f13a9
Opcode Fuzzy Hash: a31987b4d4033974b2f8c08c66d2c0d1bcf0d81a308fc4088e98f4122c7d795b
Instruction Fuzzy Hash: 6E412975A04209EFDB20DF50D884ADABBF9FB06354F048229ED2597260D730EE91EF90

Function 00C1102D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00C1105C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C11086
FreeLibrary.KERNEL32(00000000), ref: 00C1113D

Part of subcall function 00C1102D: RegCloseKey.ADVAPI32(?), ref: 00C110A3
Part of subcall function 00C1102D: FreeLibrary.KERNEL32(?), ref: 00C110F5
Part of subcall function 00C1102D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00C11118

RegDeleteKeyW.ADVAPI32(?,?), ref: 00C110E0

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: f132791a49ddb253ad423cf6c40c37ba3e8ce3bf20cc6eb8c7b8ddc2673e245e
Instruction ID: 14992d07262cc949227a85a7218fa1d752d3149408a6329b5c93eec256dc07fb
Opcode Fuzzy Hash: f132791a49ddb253ad423cf6c40c37ba3e8ce3bf20cc6eb8c7b8ddc2673e245e
Instruction Fuzzy Hash: 4E314D71901119BFDB14CB90DC89AFEB7BCEF0A340F144169EA12A2141EB749F85AAA0

Function 00C06289 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C07EA0: inet_addr.WSOCK32(00000000), ref: 00C07ECB

socket.WSOCK32(00000002,00000001,00000006), ref: 00C062DC
WSAGetLastError.WSOCK32(00000000), ref: 00C062EB
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00C06324
connect.WSOCK32(00000000,?,00000010), ref: 00C0632D
WSAGetLastError.WSOCK32 ref: 00C06337
closesocket.WSOCK32(00000000), ref: 00C06360
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00C06379

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: a6b9f6a4f671f4ef487a1648d2a0307d872a1a3d521abe5a67e7a481527f5a0d
Instruction ID: 8b7c64065878b9092064aaf5f54dabda0a4e8ea2b3d88564b27a6f2a837133a9
Opcode Fuzzy Hash: a6b9f6a4f671f4ef487a1648d2a0307d872a1a3d521abe5a67e7a481527f5a0d
Instruction Fuzzy Hash: DE31AF31600218AFEF10AF64CC85BBE7BE9EB45764F04806DF919972D1DB70AD15CBA1

Function 00BE9152 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B97F41: _memmove.LIBCMT ref: 00B97F82

Part of subcall function 00BEAEA4: GetClassNameW.USER32(?,?,000000FF), ref: 00BEAEC7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00BE91D6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00BE91E9
SendMessageW.USER32(?,00000189,?,00000000), ref: 00BE9219

Part of subcall function 00B97D2C: _memmove.LIBCMT ref: 00B97D66

Strings

ComboBox, xrefs: 00BE9160
ListBox, xrefs: 00BE9195
@U=u, xrefs: 00BE91D6, 00BE91E9, 00BE9219

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: @U=u$ComboBox$ListBox
API String ID: 365058703-2258501812
Opcode ID: 9f59ddca7689820f9b7a0f1a7920149bfa5a4a525d521b8e1635b62dc3e213f5
Instruction ID: 49076ca08c3245b7e8f7189b5c754c15ef24179539112edebe6f2c670cc52b6b
Opcode Fuzzy Hash: 9f59ddca7689820f9b7a0f1a7920149bfa5a4a525d521b8e1635b62dc3e213f5
Instruction Fuzzy Hash: 5221E171A44248BBDF14AB65DC89AFEB7F8EF45360B1042A9F825A71E0DB391D0A9610

Function 00BEF98F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00BEF9A2
__wcsnicmp.LIBCMT ref: 00BEF9C3
__wcsnicmp.LIBCMT ref: 00BEF9DD

Strings

#OnAutoItStartRegister, xrefs: 00BEF9D7
#requireadmin, xrefs: 00BEF9BD
#notrayicon, xrefs: 00BEF99A

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: ee2c432e0e335e856439132631a4265e89ed395b9573ad5dac46fb5897d63528
Instruction ID: c9249e44cca65dac380785080d43a34c4d9831b83a1b29fbec471a0f92d7e184
Opcode Fuzzy Hash: ee2c432e0e335e856439132631a4265e89ed395b9573ad5dac46fb5897d63528
Instruction Fuzzy Hash: 872129322086A2B7D231AA269C42FFB73E8EF55750F5040B5F4CA8A192EB919D42D295

Function 00BEB4AE Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00BEB4C6
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00BEB4E3
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00BEB51B
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00BEB541
_wcsstr.LIBCMT ref: 00BEB54B

Strings

@U=u, xrefs: 00BEB4E3, 00BEB51B

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID: @U=u
API String ID: 3902887630-2594219639
Opcode ID: bb2c567b1e474e27fc2137eb505d518ddf1aa9d0f239f422b0558caa19e5900a
Instruction ID: 379a9aec9eb57a69893ddd22e9cc9d271b0bec5956355d6bec62a9263b530166
Opcode Fuzzy Hash: bb2c567b1e474e27fc2137eb505d518ddf1aa9d0f239f422b0558caa19e5900a
Instruction Fuzzy Hash: 3721DA31604244BBEB259B3A9C49FBF7BE8DF55750F1081BDF805CA1A1EBA1DC4196A0

Function 00BE95C9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00BE95E2

Part of subcall function 00B97D2C: _memmove.LIBCMT ref: 00B97D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00BE9614
__itow.LIBCMT ref: 00BE962C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00BE9654
__itow.LIBCMT ref: 00BE9665

Strings

@U=u, xrefs: 00BE95E2, 00BE9614, 00BE9654

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID: @U=u
API String ID: 2983881199-2594219639
Opcode ID: bf0d4af9e91e0ace35fa88c67cadd1da848e1b848015f564975dfa8cf428e99f
Instruction ID: 548ad5aa965fa26cd74af0c8cab0bf912348601fe460faa87496a3d3ea6cf2e3
Opcode Fuzzy Hash: bf0d4af9e91e0ace35fa88c67cadd1da848e1b848015f564975dfa8cf428e99f
Instruction Fuzzy Hash: 0021C831B002987FDB20AE659C89EEE7BE8EF59710F0440BAF905DB251DB708D459791

Function 00C175FF Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B91D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00B91D73
Part of subcall function 00B91D35: GetStockObject.GDI32(00000011), ref: 00B91D87
Part of subcall function 00B91D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B91D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00C17664
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00C17671
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00C1767C
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00C1768B
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00C17697

Strings

Msctls_Progress32, xrefs: 00C17635

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: e9406ec871dde2b81cc4012d96c99dd47a94a16c86676971b9a6d184e70a40a7
Instruction ID: 29099ea56ec55961c266fdc99d350159ad85e4b04a66a77fb5bcee4faa3382ac
Opcode Fuzzy Hash: e9406ec871dde2b81cc4012d96c99dd47a94a16c86676971b9a6d184e70a40a7
Instruction Fuzzy Hash: A811C8B115021DBFEF159F64CC85EEB7F6DEF09798F014115B604A2050C7719C61EBA0

Function 00BB4109 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00BB41D2,?), ref: 00BB4123
GetProcAddress.KERNEL32(00000000), ref: 00BB412A
EncodePointer.KERNEL32(00000000), ref: 00BB4136
DecodePointer.KERNEL32(00000001,00BB41D2,?), ref: 00BB4153

Strings

combase.dll, xrefs: 00BB411E
RoInitialize, xrefs: 00BB4112

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: cf9ece5192d76d6eed2d2588364a0caa101ed1a2eb377f013a56b6db81a9d3ca
Instruction ID: 15b6bfb433031e059fe5d1c3768c982fdc9f8b2f179cbf97144c5007b31249dd
Opcode Fuzzy Hash: cf9ece5192d76d6eed2d2588364a0caa101ed1a2eb377f013a56b6db81a9d3ca
Instruction Fuzzy Hash: 09E0E578A90B80BBEF115B75EC09B9D3AA5B716B43F90C878B411E60A0CBB541828E00

Function 00BB41DE Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00BB40F8), ref: 00BB41F8
GetProcAddress.KERNEL32(00000000), ref: 00BB41FF
EncodePointer.KERNEL32(00000000), ref: 00BB420A
DecodePointer.KERNEL32(00BB40F8), ref: 00BB4225

Strings

RoUninitialize, xrefs: 00BB41E7
combase.dll, xrefs: 00BB41F3

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: eba3f28ece20ff79ba526877f36814deb566225c71ff6ddb1d2f07f8572b1220
Instruction ID: 9e21fa402f13fdd3493b2d1f4d3c5efa7f1710cde7fa65a724f5698774f75af6
Opcode Fuzzy Hash: eba3f28ece20ff79ba526877f36814deb566225c71ff6ddb1d2f07f8572b1220
Instruction Fuzzy Hash: A8E0B674591B40ABEB109B71EC0DB9E3AA4F715783F608028F511E11F0CBB64645EA10

Function 00BF6561 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00BF66B4
_memmove.LIBCMT ref: 00BF65EF

Part of subcall function 00B99997: __itow.LIBCMT ref: 00B999C2
Part of subcall function 00B99997: __swprintf.LIBCMT ref: 00B99A0C

_memmove.LIBCMT ref: 00BF6662
_memmove.LIBCMT ref: 00BF6749
_memmove.LIBCMT ref: 00BF6762
_memmove.LIBCMT ref: 00BF677E

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 4471e098c6c735460b4076d0a3fde8de111d28e664737dcf6c3f359277507060
Instruction ID: d6bed328426116a2a4a44da1c7ae5e47bd92f6e1de4a7e4ec5f95111241af379
Opcode Fuzzy Hash: 4471e098c6c735460b4076d0a3fde8de111d28e664737dcf6c3f359277507060
Instruction Fuzzy Hash: 97617A3061065AABCF11FF64C882EFE77E8AF44308F0445A9FE555B292DB74AD09DB50

Function 00C1026F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B97F41: _memmove.LIBCMT ref: 00B97F82

Part of subcall function 00C10EA5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C0FE38,?,?), ref: 00C10EBC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C10348
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C10388
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00C103AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00C103D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00C10417
RegCloseKey.ADVAPI32(00000000), ref: 00C10424

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 6194660c10154218682d70039bb8a5a3adb8d191f0397ebc23ea322087ddc1a7
Instruction ID: 827bd654886fed33fc360346629522fd051e7651e90faac8a8a26668f6aadea8
Opcode Fuzzy Hash: 6194660c10154218682d70039bb8a5a3adb8d191f0397ebc23ea322087ddc1a7
Instruction Fuzzy Hash: FB517C31208200AFCB14EF54C885EAFBBE8FF8A314F14496DF595872A1DB71EA45DB52

Function 00C15802 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00C15864
GetMenuItemCount.USER32(00000000), ref: 00C1589B
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00C158C3
GetMenuItemID.USER32(?,?), ref: 00C15932
GetSubMenu.USER32(?,?), ref: 00C15940
PostMessageW.USER32(?,00000111,?,00000000), ref: 00C15991

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 8e367d3652c62828572b40779dc78aedb4efe618ff65db4e2ccb42322b22193c
Instruction ID: 13d2913ac1a6be8bac42595d2935b2e482682a547e400bde2452f97e9ee9e957
Opcode Fuzzy Hash: 8e367d3652c62828572b40779dc78aedb4efe618ff65db4e2ccb42322b22193c
Instruction Fuzzy Hash: 07515D31A00615EFDF11EFA4C845AEEB7F5EF89320F1040A9E955AB351CB70AE42DB91

Function 00BEF1FE Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00BEF218
VariantClear.OLEAUT32(00000013), ref: 00BEF28A
VariantClear.OLEAUT32(00000000), ref: 00BEF2E5
_memmove.LIBCMT ref: 00BEF30F
VariantClear.OLEAUT32(?), ref: 00BEF35C
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00BEF38A

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 13b4e233eb542c76752aaf6a3ea1e1c0a7d4c902ceff8b1f74d0b45c4b824bd2
Instruction ID: c6315ef31f22107bff1e58aefdd3d43ee0ca6c7bf18cc87c165cb1e1965ad7d8
Opcode Fuzzy Hash: 13b4e233eb542c76752aaf6a3ea1e1c0a7d4c902ceff8b1f74d0b45c4b824bd2
Instruction Fuzzy Hash: EB514AB5A0024AEFCB14CF58D884AAAB7F8FF4C314B158569E959DB300D330EA11CFA4

Function 00BF2502 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BF2550
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BF259B
IsMenu.USER32(00000000), ref: 00BF25BB
CreatePopupMenu.USER32 ref: 00BF25EF
GetMenuItemCount.USER32(000000FF), ref: 00BF264D
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00BF267E

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 2720ac3ccc4d4577838e5bceccd2bd61d7e0963c2be675c421710c021910e80e
Instruction ID: cfdbfa86c7f99c89121a96e3e61804c7c62e385672ee6b17157a84d2a5820499
Opcode Fuzzy Hash: 2720ac3ccc4d4577838e5bceccd2bd61d7e0963c2be675c421710c021910e80e
Instruction Fuzzy Hash: 08517C70A0024DABDF20CF68D988BBDBBF5FF55318F1441A9EA15DB290DB709948CB51

Function 00B91765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00B92612: GetWindowLongW.USER32(?,000000EB), ref: 00B92623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00B9179A
GetWindowRect.USER32(?,?), ref: 00B917FE
ScreenToClient.USER32(?,?), ref: 00B9181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00B9182C
EndPaint.USER32(?,?), ref: 00B91876

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 13eb8393b8d3301cc59778999881de410c17dffaf6330e7c289c18cc25a87902
Instruction ID: bc994923b40cd89d06914f0671ecdf2b2a2170c356bba7fc1a6ea37ff1a77eb0
Opcode Fuzzy Hash: 13eb8393b8d3301cc59778999881de410c17dffaf6330e7c289c18cc25a87902
Instruction Fuzzy Hash: 0341B070100301AFDB10DF29CCC4FBA7BE8FB5A324F144AB9FA94862A1C7709845EB61

Function 00C071B3 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00C04F57,?,?,00000000,00000001), ref: 00C071C1

Part of subcall function 00C03AB6: GetWindowRect.USER32(?,?), ref: 00C03AC9

GetDesktopWindow.USER32 ref: 00C071EB
GetWindowRect.USER32(00000000), ref: 00C071F2
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00C07224

Part of subcall function 00BF52EB: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00BF5363

GetCursorPos.USER32(?), ref: 00C07250
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00C072AE

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 1dbc5a8cb290d037ac1070402561d2706364473f70ab750704f1249db74cd22d
Instruction ID: 9a85d650345da98b4e5d3907e36b81fb82dd28c3786387119f2283ad2bb39705
Opcode Fuzzy Hash: 1dbc5a8cb290d037ac1070402561d2706364473f70ab750704f1249db74cd22d
Instruction Fuzzy Hash: 0E31D072509309AFD724DF14C849B9FB7EAFF89314F004A29F595A7191CB30EA09CB92

Function 00BE8B3B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE83D1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00BE83E8
Part of subcall function 00BE83D1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00BE83F2
Part of subcall function 00BE83D1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00BE8401
Part of subcall function 00BE83D1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00BE8408
Part of subcall function 00BE83D1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00BE841E

GetLengthSid.ADVAPI32(?,00000000,00BE8757), ref: 00BE8B8C
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00BE8B98
HeapAlloc.KERNEL32(00000000), ref: 00BE8B9F
CopySid.ADVAPI32(00000000,00000000,?), ref: 00BE8BB8
GetProcessHeap.KERNEL32(00000000,00000000,00BE8757), ref: 00BE8BCC
HeapFree.KERNEL32(00000000), ref: 00BE8BD3

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: ef148c89034e5e0651294b889e2f4322a558f060c862995b12312309f2c2204c
Instruction ID: 6b6a96a2c293377a7eb4dd74d421f939f51c59e7714a4e5f02a856824dc6b132
Opcode Fuzzy Hash: ef148c89034e5e0651294b889e2f4322a558f060c862995b12312309f2c2204c
Instruction Fuzzy Hash: 7F11ACB1500A04FFDB10DFA5CC09BAE7BA9FB46315F2081A8E84997250CB369A01CB60

Function 00BE88D9 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00BE890A
OpenProcessToken.ADVAPI32(00000000), ref: 00BE8911
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00BE8920
CloseHandle.KERNEL32(00000004), ref: 00BE892B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00BE895A
DestroyEnvironmentBlock.USERENV(00000000), ref: 00BE896E

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: f3e158e1b9f31d2da7cfae55003579bf7a628bcfd6112fc00fb1c6e585b2e79b
Instruction ID: b766dbf66bccaa1136e3cfe0408a6c3abbfee91fcfc1965854f27f06ed7c816b
Opcode Fuzzy Hash: f3e158e1b9f31d2da7cfae55003579bf7a628bcfd6112fc00fb1c6e585b2e79b
Instruction Fuzzy Hash: F1114D7650024DEBDB02CFA5DD49BEE7BA9FF09314F044168FE04A2161C7758D61AB61

Function 00BB02E2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00BB0313
MapVirtualKeyW.USER32(00000010,00000000), ref: 00BB031B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00BB0326
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00BB0331
MapVirtualKeyW.USER32(00000011,00000000), ref: 00BB0339
MapVirtualKeyW.USER32(00000012,00000000), ref: 00BB0341

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 845fdc2ed3206279a6c5dbd324b431f5c19595bc1c6465bf001e2456f9c2e16b
Instruction ID: 74f15714674a6ca1618ad017d57e808b39dbee0e627832ba4746c8b29d36e6d2
Opcode Fuzzy Hash: 845fdc2ed3206279a6c5dbd324b431f5c19595bc1c6465bf001e2456f9c2e16b
Instruction Fuzzy Hash: 040148B0901B597DE3008F5A8C85B56FEA8FF19354F00411BA15847941C7B5A864CBE5

Function 00BF5490 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00BF54A0
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00BF54B6
GetWindowThreadProcessId.USER32(?,?), ref: 00BF54C5
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00BF54D4
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00BF54DE
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00BF54E5

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 1277f0a9aef734633691f2e79fe553b38f9e980724682ecdb8947d79f73fd754
Instruction ID: 0ee0f88d0c45477efa635213c9e33da5fb491f637fe3a3c4d575a5caee4045cb
Opcode Fuzzy Hash: 1277f0a9aef734633691f2e79fe553b38f9e980724682ecdb8947d79f73fd754
Instruction Fuzzy Hash: EFF01D32241558BBE7215BA29C0DFEF7A7CFBCBB11F00416DFA04D10A1D6A11A0286B5

Function 00BF72D9 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00BF72EC
EnterCriticalSection.KERNEL32(?,?,00BA1044,?,?), ref: 00BF72FD
TerminateThread.KERNEL32(00000000,000001F6,?,00BA1044,?,?), ref: 00BF730A
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00BA1044,?,?), ref: 00BF7317

Part of subcall function 00BF6CDE: CloseHandle.KERNEL32(00000000,?,00BF7324,?,00BA1044,?,?), ref: 00BF6CE8

InterlockedExchange.KERNEL32(?,000001F6), ref: 00BF732A
LeaveCriticalSection.KERNEL32(?,?,00BA1044,?,?), ref: 00BF7331

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 60a2b0f53e90b34eca928a6b98df50bc363535bf942d488001c60309ceee3497
Instruction ID: cbeeaaf8df11a2cc4db483d08ba94d34c4bdfb89a0bc836d26ad754c87d09ab0
Opcode Fuzzy Hash: 60a2b0f53e90b34eca928a6b98df50bc363535bf942d488001c60309ceee3497
Instruction Fuzzy Hash: C3F08936540612EBD7111B64ED4CBEF777AFF5A312B104675F602920A1CFB55817CB50

Function 00BE8C54 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00BE8C5F
UnloadUserProfile.USERENV(?,?), ref: 00BE8C6B
CloseHandle.KERNEL32(?), ref: 00BE8C74
CloseHandle.KERNEL32(?), ref: 00BE8C7C
GetProcessHeap.KERNEL32(00000000,?), ref: 00BE8C85
HeapFree.KERNEL32(00000000), ref: 00BE8C8C

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 7fe7abd71441eb5bb49b12590e38ba0b2084e07f5b6e6bfbab214fb3da11e52c
Instruction ID: 6179419147373a7f33ab958b611190e6bf78be47996d72c0ec96cedcefb843f2
Opcode Fuzzy Hash: 7fe7abd71441eb5bb49b12590e38ba0b2084e07f5b6e6bfbab214fb3da11e52c
Instruction Fuzzy Hash: 7AE05976104505FBD6015FE5EC0CB9DBB69FB8A7627608635F22581470CB725462DB50

Function 00C08702 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C08728
CharUpperBuffW.USER32(?,?), ref: 00C08837
VariantClear.OLEAUT32(?), ref: 00C089AF

Part of subcall function 00BF760B: VariantInit.OLEAUT32(00000000), ref: 00BF764B
Part of subcall function 00BF760B: VariantCopy.OLEAUT32(00000000,?), ref: 00BF7654
Part of subcall function 00BF760B: VariantClear.OLEAUT32(00000000), ref: 00BF7660

Strings

Incorrect Parameter format, xrefs: 00C08760, 00C08922
AUTOIT.ERROR, xrefs: 00C0883D

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: ae93c561b7f74148ca08c5a2b3d36a5ea65703c4096c773188fb9993ca2dbe75
Instruction ID: 9a3246ca2de23f0f0645e4e9543e056d45d26e2528dec5bc5f0f9ca71f2a8be7
Opcode Fuzzy Hash: ae93c561b7f74148ca08c5a2b3d36a5ea65703c4096c773188fb9993ca2dbe75
Instruction Fuzzy Hash: FA9161756083019FCB10EF29C48496AB7F4EF89754F14896DF89A8B3A2DB31D909CB52

Function 00BF2D8E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BAFE06: _wcscpy.LIBCMT ref: 00BAFE29

_memset.LIBCMT ref: 00BF2E7F
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00BF2EAE
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00BF2F61
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00BF2F8F

Strings

0, xrefs: 00BF2E6B

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 91d3a349ddbfecc60d0b2efc510a0ede89aa1c74b6544f80f579c841066ac3dc
Instruction ID: be18f24af04b9d8a31869531ac1a63075b0115a870ba682ac1143cf09e24882c
Opcode Fuzzy Hash: 91d3a349ddbfecc60d0b2efc510a0ede89aa1c74b6544f80f579c841066ac3dc
Instruction Fuzzy Hash: 7651CF716283099FD7259F28C8816BBB7F4EF45320F140AADFA85D31A0DB60CD48C792

Function 00C19826 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00C19895
ScreenToClient.USER32(00000002,00000002), ref: 00C198C8
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00C19935

Strings

@U=u, xrefs: 00C19990

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID: @U=u
API String ID: 3880355969-2594219639
Opcode ID: 6ac0e5b04adafe275fc021e7f5aafe21ae4bbaa839f2e66ee31eb2ee9fb94606
Instruction ID: 679bdfbfb765d8a1b83430f7e5c5a5402eeda39bffad284fbf2a30fbb2566fd7
Opcode Fuzzy Hash: 6ac0e5b04adafe275fc021e7f5aafe21ae4bbaa839f2e66ee31eb2ee9fb94606
Instruction Fuzzy Hash: A9511135A00209EFDF14DF54D890AEE7BB5FF46320F108159F8699B290D731AE91DB90

Function 00BE9AB7 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BF17ED: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00BE9558,?,?,00000034,00000800,?,00000034), ref: 00BF1817

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00BE9B01

Part of subcall function 00BF17B8: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00BE9587,?,?,00000800,?,00001073,00000000,?,?), ref: 00BF17E2

Part of subcall function 00BF170F: GetWindowThreadProcessId.USER32(?,?), ref: 00BF173A
Part of subcall function 00BF170F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00BE951C,00000034,?,?,00001004,00000000,00000000), ref: 00BF174A
Part of subcall function 00BF170F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00BE951C,00000034,?,?,00001004,00000000,00000000), ref: 00BF1760

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00BE9B6E
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00BE9BBB

Strings

@, xrefs: 00BE9BD3
@U=u, xrefs: 00BE9B01, 00BE9B6E, 00BE9BBB

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @$@U=u
API String ID: 4150878124-826235744
Opcode ID: d3d269dd02c7c0e184ea941b88ed02c12cdd421c5838ab5a969d62c4a709fa42
Instruction ID: 0d0646e278c4b25734ecf22c0c5a4a9139166458f7d9e49c8940c61f40007d2e
Opcode Fuzzy Hash: d3d269dd02c7c0e184ea941b88ed02c12cdd421c5838ab5a969d62c4a709fa42
Instruction Fuzzy Hash: 26414F7690021CAFDB10EFA8CC81BEEB7B8EB09300F104495FA55B7190DB706E49CB51

Function 00BED87B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00BED8E3
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00BED919
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00BED92A
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00BED9AC

Strings

DllGetClassObject, xrefs: 00BED91F

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 8dccef104ed5545cc03120823b4d6c3a2d4e7cc3b79e17c4405d18e98d49abad
Instruction ID: 8a2577df465ef8f475a54b9daa2ba31d6cbcd49b695201940c30e32b01065030
Opcode Fuzzy Hash: 8dccef104ed5545cc03120823b4d6c3a2d4e7cc3b79e17c4405d18e98d49abad
Instruction Fuzzy Hash: 4D418BB6600244EFDB04CF56CCC4B9ABBE9EF46314B1181E9E9059F206D7B1DE41CBA0

Function 00BF2A4B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BF2AB8
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00BF2AD4
DeleteMenu.USER32(?,00000007,00000000), ref: 00BF2B1A
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00C55890,00000000), ref: 00BF2B63

Strings

0, xrefs: 00BF2AAD

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 58bce660ccf80821a20d83b5f7f2d636f2926375df6bf45dbbb85eff4ecf155e
Instruction ID: 7a877e89d9420afa18fbb822d7ec43e1ef3176b5a6c37e752ba39ee67e0de8c8
Opcode Fuzzy Hash: 58bce660ccf80821a20d83b5f7f2d636f2926375df6bf45dbbb85eff4ecf155e
Instruction Fuzzy Hash: 644193702043069FDB20DF24D885B7ABBE9FF85320F1446ADFA6597292D770E909CB52

Function 00C18883 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00C18910

Strings

@U=u, xrefs: 00C1895F

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: InvalidateRect
String ID: @U=u
API String ID: 634782764-2594219639
Opcode ID: fd9c27a450e78f8e2b0cdec9929118cb0ed0cda1960523d34ea3d6856ef852ca
Instruction ID: 36888ddc8768ffb457b09c878716aa8a18127b292f86002b47f20f9c0f2a3f91
Opcode Fuzzy Hash: fd9c27a450e78f8e2b0cdec9929118cb0ed0cda1960523d34ea3d6856ef852ca
Instruction Fuzzy Hash: CA31C334609208FFEF219A54CC95BFC3765EB07360F544115FA61E62E1CF31AAC8AA52

Function 00C0D8B9 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00C0D8D9

Part of subcall function 00B979AB: _memmove.LIBCMT ref: 00B979F9

Strings

stdcall, xrefs: 00C0D95B
none, xrefs: 00C0D9B4
winapi, xrefs: 00C0D94A
cdecl, xrefs: 00C0D930

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: e8c8338c0276cdc81246d64488a2f5f8c667fa1ab7b401a1ee771c211b0e3c20
Instruction ID: 3449437be626e0c91b260d74f33f701dc70803ebf74f859aa15d6364ab272808
Opcode Fuzzy Hash: e8c8338c0276cdc81246d64488a2f5f8c667fa1ab7b401a1ee771c211b0e3c20
Instruction Fuzzy Hash: 8A316F70514615AFCF10EF94C8919FEB7F4FF05710B1086AAE866976E1DB71AA05CB80

Function 00B9410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00BCD51C

Part of subcall function 00B97D2C: _memmove.LIBCMT ref: 00B97D66

_memset.LIBCMT ref: 00B9418D
_wcscpy.LIBCMT ref: 00B941E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00B941F1

Strings

Line: , xrefs: 00BCD545

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: e760ec824cf22918f287855df69cfee7508b2b706a97a7017a4396c1aee05a16
Instruction ID: 3a3f78506b87d2370337c28637fb2d3f77e34604476c7c2658fb439a5453c524
Opcode Fuzzy Hash: e760ec824cf22918f287855df69cfee7508b2b706a97a7017a4396c1aee05a16
Instruction Fuzzy Hash: D531CD71008714ABDB21EB60DC46FEF77E8AF44300F1049BEF185A20A1EF70A689C796

Function 00C01943 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C01962
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C01988
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00C019B8
InternetCloseHandle.WININET(00000000), ref: 00C019FF

Part of subcall function 00C02599: GetLastError.KERNEL32(?,?,00C0192D,00000000,00000000,00000001), ref: 00C025AE
Part of subcall function 00C02599: SetEvent.KERNEL32(?,?,00C0192D,00000000,00000000,00000001), ref: 00C025C3

Strings

, xrefs: 00C019A9

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 9032e0af525ec8af3dadece92e9e4b915174094f45d0039ba24a0b6e49deaa8f
Instruction ID: 49b950628376239a0c6ba16c1b57e93856f4cc2547e071f90dd4f7e6218406b3
Opcode Fuzzy Hash: 9032e0af525ec8af3dadece92e9e4b915174094f45d0039ba24a0b6e49deaa8f
Instruction Fuzzy Hash: D3218EB2600208BFEB219F60DC95FBFB6ECFB49754F14411EF90597280EA649E05A6A1

Function 00C16419 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B91D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00B91D73
Part of subcall function 00B91D35: GetStockObject.GDI32(00000011), ref: 00B91D87
Part of subcall function 00B91D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B91D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00C16493
LoadLibraryW.KERNEL32(?), ref: 00C1649A
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00C164AF
DestroyWindow.USER32(?), ref: 00C164B7

Strings

SysAnimate32, xrefs: 00C1646E

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: ba37eaa4b68a0318eead0bb3144b52481416c4865c531597ac6cf5894e638ad8
Instruction ID: b6df00c4f78729832d8b395d486977211564f36bfe965aff87546635c9b63394
Opcode Fuzzy Hash: ba37eaa4b68a0318eead0bb3144b52481416c4865c531597ac6cf5894e638ad8
Instruction Fuzzy Hash: 80219D72600215ABEF10CE64EC80FFB37A9EF5A368F108629FA6492190D771DC91B760

Function 00BF6E45 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00BF6E65
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00BF6E98
GetStdHandle.KERNEL32(0000000C), ref: 00BF6EAA
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00BF6EE4

Strings

nul, xrefs: 00BF6EDF

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 6656dc3bc16ec9c4f1f358832167b77b107aca2f3be762063ca7e3dd2deab879
Instruction ID: 940fd633513a37f9891de5c21d6c4bbbb83ff5694908524b6cb7e2891c74d25c
Opcode Fuzzy Hash: 6656dc3bc16ec9c4f1f358832167b77b107aca2f3be762063ca7e3dd2deab879
Instruction Fuzzy Hash: A221517A60020AABDB209F29DC45BAE77F4FF55720F204669FEA0D72D0DB709859CB50

Function 00BF6F13 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00BF6F32
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00BF6F64
GetStdHandle.KERNEL32(000000F6), ref: 00BF6F75
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00BF6FAF

Strings

nul, xrefs: 00BF6FAA

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: ae32de70a0d534f96dca3804f7c679a8f4f7ad290c0a5b298ab1d89e572812a7
Instruction ID: 6efefe32730937231121be3cdacb3e72eaf5c7d7d3f22dd64c03094fcf0b65ab
Opcode Fuzzy Hash: ae32de70a0d534f96dca3804f7c679a8f4f7ad290c0a5b298ab1d89e572812a7
Instruction Fuzzy Hash: 42219075A04209ABDB209F68EC44BAD77E8FF45320F2046A9FEA1D72D0D77098498B60

Function 00BFACCA Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00BFACDE
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00BFAD32
__swprintf.LIBCMT ref: 00BFAD4B
SetErrorMode.KERNEL32(00000000,00000001,00000000,00C1F910), ref: 00BFAD89

Strings

%lu, xrefs: 00BFAD45

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 43b08df79095e94e180f1df145cd6605251d7dca3bfaeac35aa19ae99d2d18a0
Instruction ID: e7bfe0066b429e53924c8018e9ab3e28a12c5acd6ec723bf5d7ca223d163f1f5
Opcode Fuzzy Hash: 43b08df79095e94e180f1df145cd6605251d7dca3bfaeac35aa19ae99d2d18a0
Instruction Fuzzy Hash: D3213075A00109AFCB10EF69C985EEE77F8EF49704B1040B9F509AB252DB71EA45CB61

Function 00BEA30F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B97D2C: _memmove.LIBCMT ref: 00B97D66

Part of subcall function 00BEA15C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00BEA179
Part of subcall function 00BEA15C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00BEA18C
Part of subcall function 00BEA15C: GetCurrentThreadId.KERNEL32 ref: 00BEA193
Part of subcall function 00BEA15C: AttachThreadInput.USER32(00000000), ref: 00BEA19A

GetFocus.USER32 ref: 00BEA334

Part of subcall function 00BEA1A5: GetParent.USER32(?), ref: 00BEA1B3

GetClassNameW.USER32(?,?,00000100), ref: 00BEA37D
EnumChildWindows.USER32(?,00BEA3F5), ref: 00BEA3A5
__swprintf.LIBCMT ref: 00BEA3BF

Strings

%s%d, xrefs: 00BEA3B9

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: deea5e20725853625852588296cd3c6c64ad6f885d65a921d7b973b9ae1dcf84
Instruction ID: 68f35b01192198765e820d836f5461091a4bba9a0f71f05382cb9f36e40a4642
Opcode Fuzzy Hash: deea5e20725853625852588296cd3c6c64ad6f885d65a921d7b973b9ae1dcf84
Instruction Fuzzy Hash: CA1172716002497BDF11BF61DC85FEA77FCEF46710F0080B9B908AA192CB7069469B76

Function 00C0EC69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00C0ED1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00C0ED4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00C0EE7E
CloseHandle.KERNEL32(?), ref: 00C0EEFF

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 241033a0598839471ebf448267976a5866eb85ed1be1d02a877ef7a64e5a0b13
Instruction ID: 17819d73395616b2939743faca7efe5e79a9bdf5d63759188838e07c0c684da7
Opcode Fuzzy Hash: 241033a0598839471ebf448267976a5866eb85ed1be1d02a877ef7a64e5a0b13
Instruction Fuzzy Hash: 7D817E716407119FDB20EF28C886B2EB7E5EF48B10F04886DF999DB2D2DA70AD00CB51

Function 00BB558D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BB55EB
_memcpy_s.LIBCMT ref: 00BB565D
__read_nolock.LIBCMT ref: 00BB56BB
__filbuf.LIBCMT ref: 00BB56DE
_memset.LIBCMT ref: 00BB5722

Part of subcall function 00BB8CA8: __getptd_noexit.LIBCMT ref: 00BB8CA8

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 17c9c7776e299596ed796557eca7f8bd29831e9b0e98da48d3161094909ff33f
Instruction ID: a79ad7b33080e144ad63e596b80c8c8ed4b030471698bee4eee2124c6f804571
Opcode Fuzzy Hash: 17c9c7776e299596ed796557eca7f8bd29831e9b0e98da48d3161094909ff33f
Instruction Fuzzy Hash: 61519370A00B05DBDB349F69C8847FE77E6EF54320F2486A9E826962D0DBF19D508B52

Function 00C100C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B97F41: _memmove.LIBCMT ref: 00B97F82

Part of subcall function 00C10EA5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C0FE38,?,?), ref: 00C10EBC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C10188
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C101C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00C1020E
RegCloseKey.ADVAPI32(?,?), ref: 00C1023A
RegCloseKey.ADVAPI32(00000000), ref: 00C10247

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 75feadacc330c3f3848555f13b987c66a8905f8e965c12a723b149a13c016094
Instruction ID: 4266b80c9328b26f96507cb739043a5d4271788ca904a75a778796f6f2c09ccf
Opcode Fuzzy Hash: 75feadacc330c3f3848555f13b987c66a8905f8e965c12a723b149a13c016094
Instruction Fuzzy Hash: 79515B31208204AFD704EF94CC85FAEB7E8FF89304F14896DB596872A1DB74E945DB52

Function 00C0D9DC Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00B99997: __itow.LIBCMT ref: 00B999C2
Part of subcall function 00B99997: __swprintf.LIBCMT ref: 00B99A0C

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00C0DA3B
GetProcAddress.KERNEL32(00000000,?), ref: 00C0DABE
GetProcAddress.KERNEL32(00000000,00000000), ref: 00C0DADA
GetProcAddress.KERNEL32(00000000,?), ref: 00C0DB1B
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00C0DB35

Part of subcall function 00B95B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00BF793F,?,?,00000000), ref: 00B95B8C
Part of subcall function 00B95B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00BF793F,?,?,00000000,?,?), ref: 00B95BB0

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: e93a8d1fa8d49b8d377f4de2adbc433e07107b056269a2120acb57b2fd7c1c69
Instruction ID: 8d8b7c65e205d6cae0659e01e3aed18f6fb524f6bd40f8b9bc4b48683b304345
Opcode Fuzzy Hash: e93a8d1fa8d49b8d377f4de2adbc433e07107b056269a2120acb57b2fd7c1c69
Instruction Fuzzy Hash: 59510835A04205DFCB11EFA8C4849ADB7F4FF59310B15C0A9E81AAB362DB31AE45CB91

Function 00BFE5FD Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00BFE6AB
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00BFE6D4
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00BFE713

Part of subcall function 00B99997: __itow.LIBCMT ref: 00B999C2
Part of subcall function 00B99997: __swprintf.LIBCMT ref: 00B99A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00BFE738
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00BFE740

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 30f921baf5b3c4ae6efb7f1e01903ff3e4f428bc454b9c71e439d5dad4472030
Instruction ID: 4bf9c5ebdfc883883caca41cfc8d9eb05bb99ad68387ca1989dd87d72da0318d
Opcode Fuzzy Hash: 30f921baf5b3c4ae6efb7f1e01903ff3e4f428bc454b9c71e439d5dad4472030
Instruction Fuzzy Hash: 05511A35600619DFCF01EF64C981AAEBBF5FF09314B1480A9E949AB362CB31ED11DB50

Function 00B92344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00B92357
ScreenToClient.USER32(00C557B0,?), ref: 00B92374
GetAsyncKeyState.USER32(00000001), ref: 00B92399
GetAsyncKeyState.USER32(00000002), ref: 00B923A7

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 421d3f906cfc270199205d27381a46210a365eb6cf704a49bfccfab7e242dec6
Instruction ID: 463e4704564c1758850690d0d406723906d542bfc0996b5ba8a0b72bedbda20f
Opcode Fuzzy Hash: 421d3f906cfc270199205d27381a46210a365eb6cf704a49bfccfab7e242dec6
Instruction Fuzzy Hash: D4418175908105FFCF159F65C844FEDBBB4FB05360F2043AAF829A2291C734A990DBA4

Function 00BE6700 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BE673D
TranslateAcceleratorW.USER32(?,?,?), ref: 00BE6789
TranslateMessage.USER32(?), ref: 00BE67B2
DispatchMessageW.USER32(?), ref: 00BE67BC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BE67CB

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 3305e88f1d28e37964ffdb5a9d3d575ba7177d4da9cb5e093985bfccee59f505
Instruction ID: 2978a306917a9f99dc30e4da8737b725c024ba005201afc9f5ef4264227581d4
Opcode Fuzzy Hash: 3305e88f1d28e37964ffdb5a9d3d575ba7177d4da9cb5e093985bfccee59f505
Instruction Fuzzy Hash: D431E6709006869FDB20CFB28C54FBA7BECEB25389F1441A9E821D30A1E734A885D750

Function 00BE8CE1 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00BE8CF2
PostMessageW.USER32(?,00000201,00000001), ref: 00BE8D9C
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00BE8DA4
PostMessageW.USER32(?,00000202,00000000), ref: 00BE8DB2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00BE8DBA

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 11910adedd9b46ad0ec0a0f7ce483670f0daff681dcc371b9832f7bde8372595
Instruction ID: 267f9f71e591433ff41452ec86008a4955843feb53551c1f1e14de8e1d04ef1e
Opcode Fuzzy Hash: 11910adedd9b46ad0ec0a0f7ce483670f0daff681dcc371b9832f7bde8372595
Instruction Fuzzy Hash: 2731DA31500659EFDB00CFA9DD48BEE3BB5FB15325F108269F929AA2D0CBB09910CB90

Function 00C1B17F Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00B92612: GetWindowLongW.USER32(?,000000EB), ref: 00B92623

GetWindowLongW.USER32(?,000000F0), ref: 00C1B1C6
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00C1B1EB
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00C1B203
GetSystemMetrics.USER32(00000004), ref: 00C1B22C
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00C00FA5,00000000), ref: 00C1B24A

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 7bae5da7c598ac5393c348aa51d8c88cf9147079f80bf177368cd03a44edf6be
Instruction ID: ad1bd202a5d1b31337ddee0346a41fcd8196ec91702de1fcb3e715d08f989d3b
Opcode Fuzzy Hash: 7bae5da7c598ac5393c348aa51d8c88cf9147079f80bf177368cd03a44edf6be
Instruction Fuzzy Hash: 9E218271914615AFCB149F398C04BEE37A4FB06321F218738B935D21E0E7309D95AF90

Function 00B912F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00B9134D
SelectObject.GDI32(?,00000000), ref: 00B9135C
BeginPath.GDI32(?), ref: 00B91373
SelectObject.GDI32(?,00000000), ref: 00B9139C

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: b981a023ee337e08398284d5003cce4f70a2d5aac352bc37702f2d7ea6f9c788
Instruction ID: 5c06ff72f76a6d3c061a300cd9db399f8c82fedffe0ea011e179430d0789929d
Opcode Fuzzy Hash: b981a023ee337e08398284d5003cce4f70a2d5aac352bc37702f2d7ea6f9c788
Instruction Fuzzy Hash: A7214834844709EFDF108F29DC54BAD7BF8FB10322F1486AAE811A61E0D3719992EF94

Function 00BF4B3A Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00BF4B61
__beginthreadex.LIBCMT ref: 00BF4B7F
MessageBoxW.USER32(?,?,?,?), ref: 00BF4B94
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00BF4BAA
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00BF4BB1

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 123b413d6b191cdde5dcb30ea81c23a740f65b0a923530285da4567acde79206
Instruction ID: 0a032778ae5acc9ea43bef783be41cdaa7d908c16b639f1e00a413bf7d5f2d23
Opcode Fuzzy Hash: 123b413d6b191cdde5dcb30ea81c23a740f65b0a923530285da4567acde79206
Instruction Fuzzy Hash: 6211E576904609BBC7119BA89C44BEF7FECEB45321F1442A9FA14E3262D7B1C94587A0

Function 00BE852A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00BE8546
GetLastError.KERNEL32(?,00BE800A,?,?,?), ref: 00BE8550
GetProcessHeap.KERNEL32(00000008,?,?,00BE800A,?,?,?), ref: 00BE855F
HeapAlloc.KERNEL32(00000000,?,00BE800A,?,?,?), ref: 00BE8566
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00BE857D

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 9c59fc91615a281193c700fe01c24d65f77cb590fe81a70273f15d10a46a57b9
Instruction ID: fe154d2bd0c191a60b1bc95ec81bc59957b762b02d1af17d467f80ebb7875415
Opcode Fuzzy Hash: 9c59fc91615a281193c700fe01c24d65f77cb590fe81a70273f15d10a46a57b9
Instruction Fuzzy Hash: 5A012871240244BFDB214FA6EC48AAF7BACFF9A355B14457AF849C2220DB328D01CA60

Function 00BF52EB Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00BF5307
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00BF5315
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00BF531D
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00BF5327
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00BF5363

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 7c2a2ca8415d5d7a8d0c54c313422ea8ed681a53c39bddc0b18309c9c508a9c1
Instruction ID: bf25475cb977f22195699e0acf06979507757bfb4f3daaa72e1aacfef5c7e5ff
Opcode Fuzzy Hash: 7c2a2ca8415d5d7a8d0c54c313422ea8ed681a53c39bddc0b18309c9c508a9c1
Instruction Fuzzy Hash: 82015B31C01A1DEBCF109FA8E888BEDBBB8FB09311F054599EA42B3140CB70555587A5

Function 00BE7432 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00BE736C,80070057,?,?,?,00BE777D), ref: 00BE744F
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00BE736C,80070057,?,?), ref: 00BE746A
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00BE736C,80070057,?,?), ref: 00BE7478
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00BE736C,80070057,?), ref: 00BE7488
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00BE736C,80070057,?,?), ref: 00BE7494

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 5f704848c3867fd3168d6f9d654865f56ddfc4268d89f1f11fdf5ee5be00f6b5
Instruction ID: 472985cba7b1600de196b5e3d131e3e7cf88c249d1292ec9303352d4a98d77ee
Opcode Fuzzy Hash: 5f704848c3867fd3168d6f9d654865f56ddfc4268d89f1f11fdf5ee5be00f6b5
Instruction Fuzzy Hash: CF017176601205BBEB109F65DC44BAE7FFDEB45752F148068F908D2260EB71DD419BA0

Function 00BE83D1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00BE83E8
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00BE83F2
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00BE8401
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00BE8408
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00BE841E

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 4827dac38ff4331ab766bc8c23bca00293db84d7d637a7d7a1b422b2df681055
Instruction ID: 52f20110ab149472e070d854ea1cc530a167e41233aa316a92f0e11be9d48d28
Opcode Fuzzy Hash: 4827dac38ff4331ab766bc8c23bca00293db84d7d637a7d7a1b422b2df681055
Instruction Fuzzy Hash: A8F0AF70204205BFEB105FA5DC88FAF3BACFF8A754B104129F949C6290CB609C42DA60

Function 00BE8432 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00BE8449
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00BE8453
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BE8462
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00BE8469
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BE847F

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 45a829aa69476e08838e36e8f18aee2fe5de292108c52318a5af2350c70f7325
Instruction ID: 0bee78b756951949bf31ba23dbff18475ee24f47ecc9e0fe193198f5ebfc688e
Opcode Fuzzy Hash: 45a829aa69476e08838e36e8f18aee2fe5de292108c52318a5af2350c70f7325
Instruction Fuzzy Hash: 7AF0AF70200205BFEB111FA5EC88FAF3BACFF4A754B144129F949C3290CB609902DB60

Function 00BEC4A5 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00BEC4B9
GetWindowTextW.USER32(00000000,?,00000100), ref: 00BEC4D0
MessageBeep.USER32(00000000), ref: 00BEC4E8
KillTimer.USER32(?,0000040A), ref: 00BEC504
EndDialog.USER32(?,00000001), ref: 00BEC51E

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 334e743f8381ec2694f1d179fec518460c5f80def8f535589640a48bc35ec350
Instruction ID: 8ec997f400c59b6b7f241ae913f687aba5813f4ec42e435143df597cb614d831
Opcode Fuzzy Hash: 334e743f8381ec2694f1d179fec518460c5f80def8f535589640a48bc35ec350
Instruction Fuzzy Hash: 5301A230500744ABEB215F21DC4EBAA7BF8FF01705F0042ADF582A10E0DBE0A9568A80

Function 00B913B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00B913BF
StrokeAndFillPath.GDI32(?,?,00BCBA08,00000000,?), ref: 00B913DB
SelectObject.GDI32(?,00000000), ref: 00B913EE
DeleteObject.GDI32 ref: 00B91401
StrokePath.GDI32(?), ref: 00B9141C

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 911d2d659a69da0d1d83f2d5cf86d302bdebd8da5b09086c9e3e3bffeb02a1fa
Instruction ID: 3272deccdbff076b093d4d2a7fced0feefa160cf37299863c31c1e8064b8359d
Opcode Fuzzy Hash: 911d2d659a69da0d1d83f2d5cf86d302bdebd8da5b09086c9e3e3bffeb02a1fa
Instruction Fuzzy Hash: 06F0B634044B09ABDB119F2AEC5979C3FE4F725326F18C268E46A592F1C7314996EF50

Function 00BFC423 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00BFC4BE
CoCreateInstance.OLE32(00C22D6C,00000000,00000001,00C22BDC,?), ref: 00BFC4D6

Part of subcall function 00B97F41: _memmove.LIBCMT ref: 00B97F82

CoUninitialize.OLE32 ref: 00BFC743

Strings

.lnk, xrefs: 00BFC452, 00BFC47A, 00BFC484

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: c36310da9fe167ea035de13623cd703003b0485922038c2fed2977c5dd5214c2
Instruction ID: 5fa21f4fac6e0ecb3e27482031040b73e5293ade5bbd8f20fcbc3098aa4bfc8b
Opcode Fuzzy Hash: c36310da9fe167ea035de13623cd703003b0485922038c2fed2977c5dd5214c2
Instruction Fuzzy Hash: 1CA12971118205AFD740EF68C891EAFB7E8FF95704F0049ACF156971A2EB70EA49CB52

Function 00BA2E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00BB0F36: std::exception::exception.LIBCMT ref: 00BB0F6C
Part of subcall function 00BB0F36: __CxxThrowException@8.LIBCMT ref: 00BB0F81

Part of subcall function 00B97F41: _memmove.LIBCMT ref: 00B97F82

Part of subcall function 00B97BB1: _memmove.LIBCMT ref: 00B97C0B

__swprintf.LIBCMT ref: 00BA302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00BA2EC6

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 0241b3c3afe2771cf7d711071457b08cc0838cd7058d16f9e8d66bf6c8db1c8b
Instruction ID: f6584abc924f955a53ab358f428dd546ac4fa61556f8f7a8ff08b84e65f5fbd0
Opcode Fuzzy Hash: 0241b3c3afe2771cf7d711071457b08cc0838cd7058d16f9e8d66bf6c8db1c8b
Instruction Fuzzy Hash: 02916D711186019FCB24EF24D895D7FB7E4EF95710F0449AEF482972A1EA70EE44CB52

Function 00BFB9C7 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00B948AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B948A1,?,?,00B937C0,?), ref: 00B948CE

CoInitialize.OLE32(00000000), ref: 00BFBA47
CoCreateInstance.OLE32(00C22D6C,00000000,00000001,00C22BDC,?), ref: 00BFBA60
CoUninitialize.OLE32 ref: 00BFBA7D

Part of subcall function 00B99997: __itow.LIBCMT ref: 00B999C2
Part of subcall function 00B99997: __swprintf.LIBCMT ref: 00B99A0C

Strings

.lnk, xrefs: 00BFBA29, 00BFBA37

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 1c351f4666a5d97492f102689c4a834bbd64166c2f33b8fe2325acb4bdc01178
Instruction ID: 26d157d5f6811ab69c0ce5acac26216d8a5cdc08dba1dfcfc849573837bb7d67
Opcode Fuzzy Hash: 1c351f4666a5d97492f102689c4a834bbd64166c2f33b8fe2325acb4bdc01178
Instruction Fuzzy Hash: 4AA123756043059FCB10DF14C884E6ABBE5FF89314F148998F99A9B3A2CB31ED49CB91

Function 00BB518D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00BB521D

Part of subcall function 00BC0270: __87except.LIBCMT ref: 00BC02AB

Strings

pow, xrefs: 00BB51F5, 00BB5212

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 7ac925eac6f2b4c49c3d4cce6745be6cf698f7f3246631f9f12bbdbeb6df957c
Instruction ID: eec4181bb17c21eb6b1d1f5794beec7ff1d46ef59556a31560829a233ebcf5f1
Opcode Fuzzy Hash: 7ac925eac6f2b4c49c3d4cce6745be6cf698f7f3246631f9f12bbdbeb6df957c
Instruction Fuzzy Hash: B5515A60A2D601D7DB317724C9817BE2BD4EB40710F244DDCE096862E5EFB48CC59A4B

Function 00BB017B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

#, xrefs: 00BB01C0
+, xrefs: 00BB01B7

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: dab3ac325b3f8a3597b05e4e090a04ee9a8042c65bcdee1162b400611993f42c
Instruction ID: e4d1c68db6150ccc3c42655cc57fb24c6c88dbbc182d4b259ac2604ebd801e38
Opcode Fuzzy Hash: dab3ac325b3f8a3597b05e4e090a04ee9a8042c65bcdee1162b400611993f42c
Instruction Fuzzy Hash: 38510F7550528A9FDF25EF29C884AFABBE4EF19310F1440E5FC919B2A0D770AC46CB60

Function 00BA62F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BA63A8
_memmove.LIBCMT ref: 00BA6444
_memset.LIBCMT ref: 00BA6468

Strings

ERCP, xrefs: 00BA6313

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: da77fa5e7d0ee94b4d57f91e1796fcf68bc577eb0a48399e1b3ff1c2247bec6f
Instruction ID: 1dd90f255179c9b33a9e03af0f3f0a9f65e4e820a7ebea25795faafc1905b569
Opcode Fuzzy Hash: da77fa5e7d0ee94b4d57f91e1796fcf68bc577eb0a48399e1b3ff1c2247bec6f
Instruction Fuzzy Hash: 1E51A1B1904319DBDB24CF59C9817AAB7F4FF09314F2489AEE44ACB241E770EA85CB40

Function 00BCC585 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 113windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001308,?), ref: 00BCC5BB

Part of subcall function 00B925DB: GetWindowLongW.USER32(?,000000EB), ref: 00B925EC

ImageList_Remove.COMCTL32(?,?,?), ref: 00BCC5F4
SendMessageW.USER32(?,0000133D,?,00000002), ref: 00BCC6C2

Strings

@U=u, xrefs: 00BCC5BB, 00BCC6C2

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSend$ImageList_LongRemoveWindow
String ID: @U=u
API String ID: 558398095-2594219639
Opcode ID: 8ae8d5c424ca7c8636c52645887c23e587da083688acf836e6b548478bb5889b
Instruction ID: da7aa46acc79e5a4b702a854bd167f2b161dc050d9443fc837095cf2c35cdb8a
Opcode Fuzzy Hash: 8ae8d5c424ca7c8636c52645887c23e587da083688acf836e6b548478bb5889b
Instruction Fuzzy Hash: F2412E346042519FCB55CF28C594BA9BBE1FF19300F4845FDE4DE8B263CB21A986DB51

Function 00C17978 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00C1F910,00000000,?,?,?,?), ref: 00C17A11
GetWindowLongW.USER32 ref: 00C17A2E
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00C17A3E

Strings

SysTreeView32, xrefs: 00C179E3

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 9ce7ae91442482d39ad75cba47b8732506be8600722965a94f80f40ada9d5f1e
Instruction ID: 4c2510446c913d7dc0124b582bc8fd47da193cc9cb5965a1d2d5148a4099fd20
Opcode Fuzzy Hash: 9ce7ae91442482d39ad75cba47b8732506be8600722965a94f80f40ada9d5f1e
Instruction Fuzzy Hash: 2631AE31604605ABDF118F38CC41BEA7BA9FF0A334F244725F875922E0D731AA91AB50

Function 00C1740B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00C17493
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00C174A7
SendMessageW.USER32(?,00001002,00000000,?), ref: 00C174CB

Strings

SysMonthCal32, xrefs: 00C1745E

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 8d94d348348cb6c463b1a72caa2b3c997e7d1d3fdf4024b5fa7530a2cf24cf93
Instruction ID: b159dd308f72985df43f0ed9f2ef0ff07c03e9e512fcacfaf7a73db071db7bb5
Opcode Fuzzy Hash: 8d94d348348cb6c463b1a72caa2b3c997e7d1d3fdf4024b5fa7530a2cf24cf93
Instruction Fuzzy Hash: 3821BF32500219ABDF218F94DC42FEA3BB9FF49724F110254FE546B190DA75A891DBA0

Function 00C16CE2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00C16D6D
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00C16D7D
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00C16DA2

Strings

Listbox, xrefs: 00C16D3A

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 35b76a25f0d0b1559d0043663364cb42bb5cb4a10adf813ba2acaa2de39b0b11
Instruction ID: a1c572669fa6ba6430b925bee5dbe13431b908aed67a758667082438aab67383
Opcode Fuzzy Hash: 35b76a25f0d0b1559d0043663364cb42bb5cb4a10adf813ba2acaa2de39b0b11
Instruction Fuzzy Hash: B5219532610118BFDF119F54EC45FFB37BAEF8A754F118128F91597190C6719C92A7A0

Function 00BE8F0D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00BE8F2F
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00BE8F46
SendMessageW.USER32(?,0000000D,?,00000000), ref: 00BE8F7E

Strings

@U=u, xrefs: 00BE8F7E

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 1d0c46bed61a1e0186b73ac8c0e8047e9963d9b6fbfea7f4c6a1681e33746889
Instruction ID: 8b875cd15887b737cf9d9ce1ce9684e32384d9ebb8bb32661ddd572ad2bd816b
Opcode Fuzzy Hash: 1d0c46bed61a1e0186b73ac8c0e8047e9963d9b6fbfea7f4c6a1681e33746889
Instruction Fuzzy Hash: 75219F32600508BFDF20DBA9DD41AAEF7FEEF54350F1004AAF508E3260DB71AD409A90

Function 00C17740 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00C177A4
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00C177B9
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00C177C6

Strings

msctls_trackbar32, xrefs: 00C1777B

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 04ec26c4aeea01657908c1965307b0d61f5067de7565d7d95cee76f8beb41147
Instruction ID: 103d780a985a6fa9411e115b6d1debc94857fdc77741bac51f7a3be20df391ad
Opcode Fuzzy Hash: 04ec26c4aeea01657908c1965307b0d61f5067de7565d7d95cee76f8beb41147
Instruction Fuzzy Hash: 3111E732254208BBDF155F64CC45FEB37B9EF89764F014628F651A60D0D671A851EB60

Function 00C16952 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00C169D4
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00C169E3

Strings

edit, xrefs: 00C169B8
@U=u, xrefs: 00C169E3

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: @U=u$edit
API String ID: 2978978980-590756393
Opcode ID: 315526ad97b0cf7c1609f95073392314b028dbfbe544933681d783a6ea702987
Instruction ID: 58a5582e15f0e5c098d621ce38d9be39a356a9b2e4df0d8d6eba5cc7e6514569
Opcode Fuzzy Hash: 315526ad97b0cf7c1609f95073392314b028dbfbe544933681d783a6ea702987
Instruction Fuzzy Hash: D4113D71500208ABEF109E64DC54AFB3B69EF06368F504768F9B5971D0C7359C91AB60

Function 00BE90C7 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B97F41: _memmove.LIBCMT ref: 00B97F82

Part of subcall function 00BEAEA4: GetClassNameW.USER32(?,?,000000FF), ref: 00BEAEC7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00BE9135

Strings

ComboBox, xrefs: 00BE90D4
ListBox, xrefs: 00BE90FF
@U=u, xrefs: 00BE9135

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 372448540-2258501812
Opcode ID: be997c5189f164a4be3886775c4b8dd9fde501c23cd79ae9cb0cdf33a57e3f9f
Instruction ID: cbd8b18a781508810ee17eaca368d1acbedc34c78f9e2dd8a94df5fae6760c4e
Opcode Fuzzy Hash: be997c5189f164a4be3886775c4b8dd9fde501c23cd79ae9cb0cdf33a57e3f9f
Instruction Fuzzy Hash: 3001F131645259ABCF04EBA5CC959FE73E9FF06320B2006A9F832672D2DF35680C9750

Function 00BE8FBF Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B97F41: _memmove.LIBCMT ref: 00B97F82

Part of subcall function 00BEAEA4: GetClassNameW.USER32(?,?,000000FF), ref: 00BEAEC7

SendMessageW.USER32(?,00000180,00000000,?), ref: 00BE902D

Strings

ComboBox, xrefs: 00BE8FCC
ListBox, xrefs: 00BE8FF7
@U=u, xrefs: 00BE902D

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 372448540-2258501812
Opcode ID: 56f433e8f8ba2ab907a4a441f95806c5dc9bb706d505d5d75f646ba3dd292fca
Instruction ID: aa52798439b6da411aa6ffa13523c4e3146bba9c23d3c5a58c3d10572eb6d54d
Opcode Fuzzy Hash: 56f433e8f8ba2ab907a4a441f95806c5dc9bb706d505d5d75f646ba3dd292fca
Instruction Fuzzy Hash: 5701D471A45248ABCF14E7A1C896EFE73E8DF05300F2401A9B80267292DF255E0C92A1

Function 00BE9044 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B97F41: _memmove.LIBCMT ref: 00B97F82

Part of subcall function 00BEAEA4: GetClassNameW.USER32(?,?,000000FF), ref: 00BEAEC7

SendMessageW.USER32(?,00000182,?,00000000), ref: 00BE90B0

Strings

ComboBox, xrefs: 00BE9051
ListBox, xrefs: 00BE907C
@U=u, xrefs: 00BE90B0

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 372448540-2258501812
Opcode ID: a05d458255d2241403fb45437d77bb5065cbda3b899cf52aadd9a7a82049c287
Instruction ID: 24b389ee4bace75360b7d9660d98d40a8b5a8bfee2e93a7554cda111d925bdee
Opcode Fuzzy Hash: a05d458255d2241403fb45437d77bb5065cbda3b899cf52aadd9a7a82049c287
Instruction Fuzzy Hash: AA01D671A85248ABCF14E7A5CD86EFE73ECDF05300F6401A57812B3292DF255E0C92B2

Function 00C1AD01 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,00C557B0,00C1D873,000000FC,?,00000000,00000000,?,?,?,00BCBAE9,?,?,?,?,?), ref: 00C1AD03
GetFocus.USER32 ref: 00C1AD0B

Part of subcall function 00B92612: GetWindowLongW.USER32(?,000000EB), ref: 00B92623

Part of subcall function 00B925DB: GetWindowLongW.USER32(?,000000EB), ref: 00B925EC

SendMessageW.USER32(?,000000B0,000001BC,000001C0), ref: 00C1AD7D

Strings

@U=u, xrefs: 00C1AD7D

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Window$Long$FocusForegroundMessageSend
String ID: @U=u
API String ID: 3601265619-2594219639
Opcode ID: 4246dcbf648342ba2f5da5ebbf8bb9d059393391e7e28ea98e25d2c28633e24f
Instruction ID: 6f8886d25da59a18701f4ba501bd5c4d7a99b89f8374803df747821424259dc0
Opcode Fuzzy Hash: 4246dcbf648342ba2f5da5ebbf8bb9d059393391e7e28ea98e25d2c28633e24f
Instruction Fuzzy Hash: 7B019635601A009FC714EB28E894BA937E6FB8A325B18427DE425873B1CB316C96CB90

Function 00BA61C3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BA619A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00BA61B1

SendMessageW.USER32(?,0000000C,00000000,?), ref: 00BA61DF
GetParent.USER32(?), ref: 00BE109C
InvalidateRect.USER32(00000000,?,00BA3BAF,?,00000000,00000001), ref: 00BE10A3

Strings

@U=u, xrefs: 00BA61DF

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSend$InvalidateParentRectTimeout
String ID: @U=u
API String ID: 3648793173-2594219639
Opcode ID: 18f068be6b0ee4cf0b91ad06176e28cb2d4e21644bf61aed713e8730228165f3
Instruction ID: 3fb49659e357fb354c5bb9b314275b0c7718ee9b7dc5595b94fdd1331c34bda4
Opcode Fuzzy Hash: 18f068be6b0ee4cf0b91ad06176e28cb2d4e21644bf61aed713e8730228165f3
Instruction Fuzzy Hash: EFF0A071104244FBEF201F60DC09FA97FE8FB17340F28A4BAF541AA0B2C6B25C55AB50

Function 00B94C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00B94C2E), ref: 00B94CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00B94CB5

Strings

GetNativeSystemInfo, xrefs: 00B94CAF
kernel32.dll, xrefs: 00B94C9E

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: dfb580aab5f35c31c46437a28c0982ccb984ca78ec42594ad8e2119dc190780d
Instruction ID: e4c0601bda976a7fc1ce4bfb0a07aef3e37f0dbc22a906e686a80db924cef30d
Opcode Fuzzy Hash: dfb580aab5f35c31c46437a28c0982ccb984ca78ec42594ad8e2119dc190780d
Instruction Fuzzy Hash: FCD01731514723DFDB209F31DA18B8A76E5FF06791B21C87E988AD6250E7B4D8C2CA50

Function 00B94D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00B94CE1,?), ref: 00B94DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00B94DB4

Strings

kernel32.dll, xrefs: 00B94D9D
Wow64RevertWow64FsRedirection, xrefs: 00B94DAE

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: e5d0311dc610008e8fcc34f9c289bc70e513b9b3444c4ea78405d164ddaa7561
Instruction ID: 3ee2c89444d96d4347c9de73a87f26aaf0e399a0a44d6d7de77e538464801842
Opcode Fuzzy Hash: e5d0311dc610008e8fcc34f9c289bc70e513b9b3444c4ea78405d164ddaa7561
Instruction Fuzzy Hash: B7D01735560B13DFEB209F31D808B9A76E4BF06355B21C87ED8C6D6260E7B4D881CA50

Function 00B94D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00B94D2E,?,00B94F4F,?,00C552F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00B94D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00B94D81

Strings

kernel32.dll, xrefs: 00B94D6A
Wow64DisableWow64FsRedirection, xrefs: 00B94D7B

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: b621e283345850e8f854fc126bd1ff8429979d17eb2b7717c53139a8da27bc4b
Instruction ID: 9bd3f7728913d892745e99114f0f6680406bbe0f2b3f3a81b937a8f7fc43d3a5
Opcode Fuzzy Hash: b621e283345850e8f854fc126bd1ff8429979d17eb2b7717c53139a8da27bc4b
Instruction Fuzzy Hash: C0D01735510B13DFEB209F35D808B9A76E8FF16352B21C97EA486D6360E774D881CA50

Function 00C10E72 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00C110C1), ref: 00C10E80
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00C10E92

Strings

RegDeleteKeyExW, xrefs: 00C10E8C
advapi32.dll, xrefs: 00C10E7B

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: d035ae5c8514e6a3ead46973a905f7e2ac1d5ff6ef4a60a301c9d52445bc0c21
Instruction ID: f3d6154e486df6ea183fa86035a4ddda7dc8abd43f8b9e1b7fb2e06b3a26d61a
Opcode Fuzzy Hash: d035ae5c8514e6a3ead46973a905f7e2ac1d5ff6ef4a60a301c9d52445bc0c21
Instruction Fuzzy Hash: 56D0E271510B23DFDB209B36C90868BB6E4BF06352B61CC3EA89AD2250E6B0C8C08A50

Function 00C091F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00C08E09,?,00C1F910), ref: 00C09203
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00C09215

Strings

GetModuleHandleExW, xrefs: 00C0920F
kernel32.dll, xrefs: 00C091FE

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 0c9e3e532432762a81feaa16fa3beffe2812783e87ee81de34435c06ed489d35
Instruction ID: b1a725a0d8943a249947bf38fa7c2ac0ea74461e0f71163e95af729dce9124e6
Opcode Fuzzy Hash: 0c9e3e532432762a81feaa16fa3beffe2812783e87ee81de34435c06ed489d35
Instruction Fuzzy Hash: E5D0C730558713EFDB208F30DC0838A72E5BF12741B22C83E9896C2290EA70C880CA10

Function 00BE74A5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7acf33dd05b921ab07ea2e8b621aef31a9091d5ba22d3ea0a25f8c1b327aee1c
Instruction ID: f67b374971e29fc3e20d1c1e3f47ebe805cb045c14b443f6ec2b7327017d49e9
Opcode Fuzzy Hash: 7acf33dd05b921ab07ea2e8b621aef31a9091d5ba22d3ea0a25f8c1b327aee1c
Instruction Fuzzy Hash: 00C13A74A04256EFDB14CF99C884AAEBBF5FF48714B1185D8E805EB251DB30ED81DB90

Function 00C0E13E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00C0E1D2
CharLowerBuffW.USER32(?,?), ref: 00C0E215

Part of subcall function 00C0D8B9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00C0D8D9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00C0E415
_memmove.LIBCMT ref: 00C0E428

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 04b124a09d8a07ce024d526092cee17fb536d5734a490d69fd20cc2a4df449bd
Instruction ID: 11df2ef2bc0f580eff0694221fc63aac66291e80671d2c1dd877e8a8f398afb4
Opcode Fuzzy Hash: 04b124a09d8a07ce024d526092cee17fb536d5734a490d69fd20cc2a4df449bd
Instruction Fuzzy Hash: D7C16D71A083119FC714DF28C48096ABBE4FF88714F14896DF8999B3A1D770EA45CF82

Function 00C081A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00C081D8
CoUninitialize.OLE32 ref: 00C081E3

Part of subcall function 00BED87B: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00BED8E3

VariantInit.OLEAUT32(?), ref: 00C081EE
VariantClear.OLEAUT32(?), ref: 00C084BF

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 2cc631f1c3cc3b8714316db57e60545828e94ea6cf7937f3b6f8ec77fe348082
Instruction ID: e12bad4951d870a500acc0479e948b9fbf0a51e6ac31fa05d1cb39ef31917dca
Opcode Fuzzy Hash: 2cc631f1c3cc3b8714316db57e60545828e94ea6cf7937f3b6f8ec77fe348082
Instruction Fuzzy Hash: 46A136752047019FCB50DF59C891B6AB7E4BF88724F04849CF99A9B3A2CB30ED09CB56

Function 00BE7858 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00C22C7C,?), ref: 00BE7A12
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00C22C7C,?), ref: 00BE7A2A
CLSIDFromProgID.OLE32(?,?,00000000,00C1FB80,000000FF,?,00000000,00000800,00000000,?,00C22C7C,?), ref: 00BE7A4F
_memcmp.LIBCMT ref: 00BE7A70

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 1747d5176bdc6ab022bb151af413c84462eaff9451a61ab099a0601486ca84e0
Instruction ID: 0427e3c216207b23955a76fb449b72906729c7586233955ea90ea71871080702
Opcode Fuzzy Hash: 1747d5176bdc6ab022bb151af413c84462eaff9451a61ab099a0601486ca84e0
Instruction Fuzzy Hash: C781F975A00109EFCB04DF95C988EEEB7F9FF89315F2045A8E515AB250DB71AE06CB60

Function 00BE6BD3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00BE6BE4
SysAllocString.OLEAUT32(00000000), ref: 00BE6C8D
VariantCopy.OLEAUT32 ref: 00BE6CBC
VariantClear.OLEAUT32(?), ref: 00BE6CE3

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 911a22ef95d2dd8c042217fe52f507caf315bc0b4ef9812fb6c11db83bb1797d
Instruction ID: b1c33dd0c35c019d582f9e25cde99d2d9f8cc0e399f547d56d2fa825edd081d3
Opcode Fuzzy Hash: 911a22ef95d2dd8c042217fe52f507caf315bc0b4ef9812fb6c11db83bb1797d
Instruction Fuzzy Hash: 0F5191307443829BDB20AF6ADC95B7AB3E5EF24350B60C8BFE596CB291DB7098409715

Function 00BB487A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00BB4910
__flush.LIBCMT ref: 00BB4930
__write.LIBCMT ref: 00BB4963
__flsbuf.LIBCMT ref: 00BB4991

Part of subcall function 00BB8CA8: __getptd_noexit.LIBCMT ref: 00BB8CA8

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 9d32a0cca31c7bb2b15b74915ad5c68f9b5270e2a37dcfa491c5b6f8e1a60b1a
Instruction ID: 4694d29b4aa9c33bc6e63d98505e65f83ebf7a22d61d55948ad7e1a85f96cb0b
Opcode Fuzzy Hash: 9d32a0cca31c7bb2b15b74915ad5c68f9b5270e2a37dcfa491c5b6f8e1a60b1a
Instruction Fuzzy Hash: D9418071A047469FDB288E69C8819FF7BE6FF44360B2486ADE895C7642D7F0DD408B50

Function 00C06AC0 Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00C06AE7
WSAGetLastError.WSOCK32(00000000), ref: 00C06AF7

Part of subcall function 00B99997: __itow.LIBCMT ref: 00B999C2
Part of subcall function 00B99997: __swprintf.LIBCMT ref: 00B99A0C

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00C06B5B
WSAGetLastError.WSOCK32(00000000), ref: 00C06B67

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: b185042716f01a859fb7563c6bd34dfb921172900afed5e03c5ff55f48aafa65
Instruction ID: 072137e1e80b6bd1f93307880190a875beb6cca95fd3ce7ccaffdbba3c15266d
Opcode Fuzzy Hash: b185042716f01a859fb7563c6bd34dfb921172900afed5e03c5ff55f48aafa65
Instruction Fuzzy Hash: B9419F74640200AFEB60AF28DC86F7E77E9EB15B14F4480ACFA599B2D2DA719D018791

Function 00C06530 Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00C1F910), ref: 00C065BD
_strlen.LIBCMT ref: 00C065EF

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 917d7b899049cef0cd0f31684468b1e4f74852e58c94a162fe16ec279e3824a4
Instruction ID: b665850a72a2c23dbefe34491f532b713f5ee6922575e960c3f0edfe4b2a4ebc
Opcode Fuzzy Hash: 917d7b899049cef0cd0f31684468b1e4f74852e58c94a162fe16ec279e3824a4
Instruction Fuzzy Hash: 74417E35A04104ABCB14EBA4DCD1EBEB3E9AF54310F1481A9F91A9B2D2DB31AE15CB51

Function 00BFB880 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00BFB92A
GetLastError.KERNEL32(?,00000000), ref: 00BFB950
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00BFB975
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00BFB9A1

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: a22694252b37fb9fbd35478d94fc2c4533ea39a79596cf275258e5cc059a788f
Instruction ID: 3b370f2b554b6cf259d8f6e7e656f1a6fee7d86b8d71ad35aa7bb21c7e340863
Opcode Fuzzy Hash: a22694252b37fb9fbd35478d94fc2c4533ea39a79596cf275258e5cc059a788f
Instruction Fuzzy Hash: F441F2396006149FCF10AF19C484A6DBBE5EF89320B09C0ECE94A9B762CB30FD05CB91

Function 00C1AB69 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00C1AB92
GetWindowRect.USER32(?,?), ref: 00C1AC08
PtInRect.USER32(?,?,00C1C07E), ref: 00C1AC18
MessageBeep.USER32(00000000), ref: 00C1AC89

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 31df180dc0439e6cdced7ab57cae490ac15684e1a6bfab62721f51f4b2891219
Instruction ID: ea4ab2f719d7d95180288993152ae34f2957e645e51f838e43425037c6a44526
Opcode Fuzzy Hash: 31df180dc0439e6cdced7ab57cae490ac15684e1a6bfab62721f51f4b2891219
Instruction Fuzzy Hash: A8418D74601214DFCB11CF58C8A4BDDBBF6FB4A311F1480A9E4289B361D732E985EB92

Function 00BF0E07 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00BF0E58
SetKeyboardState.USER32(00000080,?,00000001), ref: 00BF0E74
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00BF0EDA
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00BF0F2C

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: af0caf0a20315532418b658d071c55d44b1f08466105912a9b09e18a6e3a8fdc
Instruction ID: 6bba782171fc5f069d342c608a9bc561dfc120dc216a43fc1801191b08c2a337
Opcode Fuzzy Hash: af0caf0a20315532418b658d071c55d44b1f08466105912a9b09e18a6e3a8fdc
Instruction Fuzzy Hash: A2313730E6021CAEFF30AA248805BFEBBE5EB59310F18869AF694531F3C375895D9751

Function 00BF0F42 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,753DC0D0,?,00008000), ref: 00BF0F97
SetKeyboardState.USER32(00000080,?,00008000), ref: 00BF0FB3
PostMessageW.USER32(00000000,00000101,00000000), ref: 00BF1012
SendInput.USER32(00000001,?,0000001C,753DC0D0,?,00008000), ref: 00BF1064

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: a9c12109705d96ead9e83791adba9e9d39ba5abfb3448853c7fa44cfabdcbfc5
Instruction ID: 2b183a82e65ea7e269259ad861166dbd65ba72071d8196705c51a724e257fbf4
Opcode Fuzzy Hash: a9c12109705d96ead9e83791adba9e9d39ba5abfb3448853c7fa44cfabdcbfc5
Instruction Fuzzy Hash: 62315C3090028CDEFF349A3CC8047FEBBEAEB55310F044AAAF685531E2C77449999761

Function 00BC6345 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00BC637B
__isleadbyte_l.LIBCMT ref: 00BC63A9
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00BC63D7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00BC640D

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: dce5e41f718bff83cd70f64088d2886239bff89d547d6f8a2ecd30249fcf7950
Instruction ID: 4c19e76f0d9bfb55fc62941991bad2502a1e5929bd094b8a1c1b9bbc238992d8
Opcode Fuzzy Hash: dce5e41f718bff83cd70f64088d2886239bff89d547d6f8a2ecd30249fcf7950
Instruction Fuzzy Hash: A8318E31600286AFDB258F69C885FBA7BE9FF81310F1541ADE86487191EB31D851DB54

Function 00C14F57 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00C14F6B

Part of subcall function 00BF3685: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00BF369F
Part of subcall function 00BF3685: GetCurrentThreadId.KERNEL32 ref: 00BF36A6
Part of subcall function 00BF3685: AttachThreadInput.USER32(00000000,?,00BF50AC), ref: 00BF36AD

GetCaretPos.USER32(?), ref: 00C14F7C
ClientToScreen.USER32(00000000,?), ref: 00C14FB7
GetForegroundWindow.USER32 ref: 00C14FBD

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 9ef5e4bb42f0cbf07d5672099bfb551ab1b37f87feee6d17896d824d707998f7
Instruction ID: a19ef5e58f69f69187db2c31b4686048a3b5b7266834f77726793b14176bed91
Opcode Fuzzy Hash: 9ef5e4bb42f0cbf07d5672099bfb551ab1b37f87feee6d17896d824d707998f7
Instruction Fuzzy Hash: 19311071900108AFDB40EFA9C885AEFB7FDEF99304F1040AAE515E7251EA759E45CBA0

Function 00C1C502 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B92612: GetWindowLongW.USER32(?,000000EB), ref: 00B92623

GetCursorPos.USER32(?), ref: 00C1C53C
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00BCBB2B,?,?,?,?,?), ref: 00C1C551
GetCursorPos.USER32(?), ref: 00C1C59E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00BCBB2B,?,?,?), ref: 00C1C5D8

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: e1e022581a790d2a5e92a322e5506856de0fa6f87518a27cb0a8aab05670e4bc
Instruction ID: 3a1a93c5488b0e3ed4934a2e6849efe491e70c8c1b7edb6937f69e48810936f3
Opcode Fuzzy Hash: e1e022581a790d2a5e92a322e5506856de0fa6f87518a27cb0a8aab05670e4bc
Instruction Fuzzy Hash: 8B318435500518AFCB15CF54C898EEE7BFAEB4A310F044069F9158B261D731AA91FBA0

Function 00BE897E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE8432: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00BE8449
Part of subcall function 00BE8432: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00BE8453
Part of subcall function 00BE8432: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BE8462
Part of subcall function 00BE8432: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00BE8469
Part of subcall function 00BE8432: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BE847F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00BE89CB
_memcmp.LIBCMT ref: 00BE89EE
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BE8A24
HeapFree.KERNEL32(00000000), ref: 00BE8A2B

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: d907e289520884b6164cf6f400b9ae84695c38fdacbd5f9e12cd52240af2d018
Instruction ID: 9de5f13964cfe57f60a1c2700844839311b03e7b6a20878d4bc5d8859a000fa0
Opcode Fuzzy Hash: d907e289520884b6164cf6f400b9ae84695c38fdacbd5f9e12cd52240af2d018
Instruction Fuzzy Hash: 43219A71E40508EFCB11CFA5C945BEEB7F8FF44301F1480AAE898A7241DB30AA05CB51

Function 00BB0B0C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00BB0B2E

Part of subcall function 00B95B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00BF793F,?,?,00000000), ref: 00B95B8C
Part of subcall function 00B95B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00BF793F,?,?,00000000,?,?), ref: 00B95BB0

_fprintf.LIBCMT ref: 00BB0B65
OutputDebugStringW.KERNEL32(?), ref: 00BE6111

Part of subcall function 00BB4C1A: _flsall.LIBCMT ref: 00BB4C33

__setmode.LIBCMT ref: 00BB0B9A

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: ab302e66efd81cb2c8f143ca615ba5b162558b9f5a8899305c3d4a5e84ba1e16
Instruction ID: 347ef46285f80f0c93cfd6216a82c0081b88d0d1798c88094bbb985eee4801a0
Opcode Fuzzy Hash: ab302e66efd81cb2c8f143ca615ba5b162558b9f5a8899305c3d4a5e84ba1e16
Instruction Fuzzy Hash: D311E4329042187FDF15B7A89C82AFE7BEDEF41320F1440EAF10567193EFA158468795

Function 00C0187D Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C018B9

Part of subcall function 00C01943: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C01962
Part of subcall function 00C01943: InternetCloseHandle.WININET(00000000), ref: 00C019FF

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: a2076f1a80ae242d5ddb8c041aa4fa7e004e15ade65b0b64aebbe3ddecf7510c
Instruction ID: 24f3c86612199b60f69c6329b87a588372a305284b3d65f8bbd80cdc1491e586
Opcode Fuzzy Hash: a2076f1a80ae242d5ddb8c041aa4fa7e004e15ade65b0b64aebbe3ddecf7510c
Instruction Fuzzy Hash: 6A21CD71200605BFEB129F618C10FBAF7A9FF49710F08812EFA15966D0DB319A21E7A0

Function 00BC5262 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00BC5281

Part of subcall function 00BB588C: __FF_MSGBANNER.LIBCMT ref: 00BB58A3
Part of subcall function 00BB588C: __NMSG_WRITE.LIBCMT ref: 00BB58AA
Part of subcall function 00BB588C: RtlAllocateHeap.NTDLL(01250000,00000000,00000001,00000000,?,?,?,00BB0F53,?), ref: 00BB58CF

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: a50358e910c86060e0dafae84ecdb7ba88a1c50a985aedf19bc9b5a1042b2b95
Instruction ID: 5fb25d0685fa911ac689d5898ce004e478fa97606b184578fee73675eb4e7d8f
Opcode Fuzzy Hash: a50358e910c86060e0dafae84ecdb7ba88a1c50a985aedf19bc9b5a1042b2b95
Instruction Fuzzy Hash: FA11E3B2501A15ABCB302F70AC45BEE3BD8EB013A0F2045ADF8499E161DE70D9C0C7A5

Function 00C0647F Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00B95B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00BF793F,?,?,00000000), ref: 00B95B8C
Part of subcall function 00B95B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00BF793F,?,?,00000000,?,?), ref: 00B95BB0

gethostbyname.WSOCK32(?), ref: 00C064AF
WSAGetLastError.WSOCK32(00000000), ref: 00C064BA
_memmove.LIBCMT ref: 00C064E7
inet_ntoa.WSOCK32(?), ref: 00C064F2

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: a5440f9200702d210bf04026a55a6af09ce5fe756e912fecb5575c118c2e5a4d
Instruction ID: 30dd2ad38b1d00610785b0b8c1c413138145ed1ac8e91ee5989e674cf3fa786e
Opcode Fuzzy Hash: a5440f9200702d210bf04026a55a6af09ce5fe756e912fecb5575c118c2e5a4d
Instruction Fuzzy Hash: 30111931900108AFCF15FBA4DD86DEEB7B8AF15310B1480B9F506A71A2DB31AE14DB61

Function 00BE8E03 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00BE8E23
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00BE8E35
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00BE8E4B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00BE8E66

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 1805e30aae33a2e3c155295e2cf1f657b74f9a44dfbe154520439e22667bbc18
Instruction ID: e4c8f7341def8fb39599ff6fd3ca608d06466c2f8f5ad3030b23a73c76becc09
Opcode Fuzzy Hash: 1805e30aae33a2e3c155295e2cf1f657b74f9a44dfbe154520439e22667bbc18
Instruction Fuzzy Hash: 07111879901218FFEB11DFA5C885F9DBBB8FB48710F204195E904B7290DB716E11DB94

Function 00B91290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00B92612: GetWindowLongW.USER32(?,000000EB), ref: 00B92623

DefDlgProcW.USER32(?,00000020,?), ref: 00B912D8
GetClientRect.USER32(?,?), ref: 00BCB77B
GetCursorPos.USER32(?), ref: 00BCB785
ScreenToClient.USER32(?,?), ref: 00BCB790

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: f3190fb280bb74c5a4c68901f657c43971bd2582f0c2513b84d8accbae6e6b6d
Instruction ID: e527f8117e1f09442e950879077440d0c5d4ef5cc96cc2386191047e33004825
Opcode Fuzzy Hash: f3190fb280bb74c5a4c68901f657c43971bd2582f0c2513b84d8accbae6e6b6d
Instruction Fuzzy Hash: 49112B3990051AEBCF10EF98D885AEE77F9FB05301F4048A5F901E7150C730BA559BA5

Function 00BF1473 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00BF001E,?,00BF1071,?,00008000), ref: 00BF1490
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00BF001E,?,00BF1071,?,00008000), ref: 00BF14B5
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00BF001E,?,00BF1071,?,00008000), ref: 00BF14BF
Sleep.KERNEL32(?,?,?,?,?,?,?,00BF001E,?,00BF1071,?,00008000), ref: 00BF14F2

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: e7ccd531a41968703b243466da2dd431ebeaf1b85ac8f85a24602f3dd7f34a88
Instruction ID: 59943f430a04f837be6ce319aa605270974ad4db64dfe3ea737a6897c924639b
Opcode Fuzzy Hash: e7ccd531a41968703b243466da2dd431ebeaf1b85ac8f85a24602f3dd7f34a88
Instruction Fuzzy Hash: 7F111831D0052DEBCF009FA9D988BFEBBB8FB49711F118999EA40B7340CB3095558BA5

Function 00BC7137 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00BC715B

Part of subcall function 00BC7842: __fltout2.LIBCMT ref: 00BC786B

__cftog_l.LIBCMT ref: 00BC7181
__cftoe_l.LIBCMT ref: 00BC71B3

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 621088d55d474e3946b538fc0cfbab7734bd197e5464b342bf555ec8dbd5dc34
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 6301727208814ABBCF125E85CC41DED3FA6FF18350B198499FE1864130CB36C971AF91

Function 00C1B2F9 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00C1B318
ScreenToClient.USER32(?,?), ref: 00C1B330
ScreenToClient.USER32(?,?), ref: 00C1B354
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00C1B36F

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 7b988c63d12087e0f2130cb3835be8aefcd8967ad632a2526b6435c3f29d8178
Instruction ID: 22de527c7acd06397ce83ef4810edcdff92bcdac9dc1d15d011351c7423160dd
Opcode Fuzzy Hash: 7b988c63d12087e0f2130cb3835be8aefcd8967ad632a2526b6435c3f29d8178
Instruction Fuzzy Hash: 46114679D00249EFDB41CF98C444AEEBBB5FB09310F108166E924E3220D735AA659F50

Function 00C1B669 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C1B678
_memset.LIBCMT ref: 00C1B687
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00C56F20,00C56F64), ref: 00C1B6B6
CloseHandle.KERNEL32 ref: 00C1B6C8

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 4fac21b6d30ce447c47d748af0f22073102477542da248ee50ea9cead0a39d17
Instruction ID: 93df289a0fb37ef21490edf9cbe848a5d33850a5be8f50cf942543a60a371dd4
Opcode Fuzzy Hash: 4fac21b6d30ce447c47d748af0f22073102477542da248ee50ea9cead0a39d17
Instruction Fuzzy Hash: F5F054F5940304BBE61027A17C05FBF3A9CEB05355F804124FA09E61A2D7715C4187A8

Function 00BF6C83 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00BF6C8F

Part of subcall function 00BF776D: _memset.LIBCMT ref: 00BF77A2

_memmove.LIBCMT ref: 00BF6CB2
_memset.LIBCMT ref: 00BF6CBF
LeaveCriticalSection.KERNEL32(?), ref: 00BF6CCF

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 3faf2bbb0688efc1b66a3fbfdc27e257ec7e0ef867e820a381c788d7584bbe66
Instruction ID: 3adc79f8d5b9704db44690893cfc5f0456779953a96037901f27d7b26c97b504
Opcode Fuzzy Hash: 3faf2bbb0688efc1b66a3fbfdc27e257ec7e0ef867e820a381c788d7584bbe66
Instruction Fuzzy Hash: 89F01D7A204104ABCF016F55DC85A9ABB6AEF45320B0480A5FE085E22AC671A812CBA4

Function 00BEA15C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00BEA179
GetWindowThreadProcessId.USER32(?,00000000), ref: 00BEA18C
GetCurrentThreadId.KERNEL32 ref: 00BEA193
AttachThreadInput.USER32(00000000), ref: 00BEA19A

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 2909568905b7200428f69897957ee1650f8572bbdfe4667ab63fe00f2c7a563d
Instruction ID: 79c4369909905ae451a458341aaab18f6a5a5c41821073d0fc13110e77935bd3
Opcode Fuzzy Hash: 2909568905b7200428f69897957ee1650f8572bbdfe4667ab63fe00f2c7a563d
Instruction Fuzzy Hash: 76E03931141228BADB201BA2DC0DFDF7F5CFF277A1F008028F50894060C7719542CBA1

Function 00B92218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00B92231
SetTextColor.GDI32(?,000000FF), ref: 00B9223B
SetBkMode.GDI32(?,00000001), ref: 00B92250
GetStockObject.GDI32(00000005), ref: 00B92258
GetWindowDC.USER32(?,00000000), ref: 00BCC003
GetPixel.GDI32(00000000,00000000,00000000), ref: 00BCC010
GetPixel.GDI32(00000000,?,00000000), ref: 00BCC029
GetPixel.GDI32(00000000,00000000,?), ref: 00BCC042
GetPixel.GDI32(00000000,?,?), ref: 00BCC062
ReleaseDC.USER32(?,00000000), ref: 00BCC06D

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 541834b5d5402d063a1f60044971e6a4baaafbc561f699e43bf05474cabcf3c2
Instruction ID: 85b1893005da7c77e643f57309a3d644d2e89a9836b8ca6ff86a2ae0325aed14
Opcode Fuzzy Hash: 541834b5d5402d063a1f60044971e6a4baaafbc561f699e43bf05474cabcf3c2
Instruction Fuzzy Hash: A9E03932544244FAEB215F74EC0DBDC3B61EB16336F20C3AAFA69480E1C7714991DB21

Function 00BE8A3A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00BE8A43
OpenThreadToken.ADVAPI32(00000000,?,?,?,00BE860E), ref: 00BE8A4A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00BE860E), ref: 00BE8A57
OpenProcessToken.ADVAPI32(00000000,?,?,?,00BE860E), ref: 00BE8A5E

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: b7409731b5396d078ef451fbbdca35814fbfc6598dc284efb01a0e372c02fd88
Instruction ID: 299a9b35ab705309d1afdb6cc6f65c664dc9c220b1669f4da03f252a864782bc
Opcode Fuzzy Hash: b7409731b5396d078ef451fbbdca35814fbfc6598dc284efb01a0e372c02fd88
Instruction Fuzzy Hash: CCE04F36641211DFD7209FB16D0CB9A3BA8FF56792F05C87CA649C9050DA7495429750

Function 00BD20B6 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00BD20B6
GetDC.USER32(00000000), ref: 00BD20C0
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00BD20E0
ReleaseDC.USER32(?), ref: 00BD2101

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 965572ba199cbe5cab177623c8823aff1f6330029593eb75c38e6f2ddefa3f4e
Instruction ID: c0e13a6cbe3374dc1d51b885b0ea82519163f4fc62647891ea059c6822c8ad8c
Opcode Fuzzy Hash: 965572ba199cbe5cab177623c8823aff1f6330029593eb75c38e6f2ddefa3f4e
Instruction Fuzzy Hash: C1E0C275800204EFCB019FA088487DD7BF1FB5D350F11C029F85A96220DB3885429F50

Function 00BD20CA Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00BD20CA
GetDC.USER32(00000000), ref: 00BD20D4
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00BD20E0
ReleaseDC.USER32(?), ref: 00BD2101

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: de2cf7650519f89700f455d18571d4b2e1e76a2aa8052312f60d8524ee06abab
Instruction ID: d3210c72b3d53912cd9da02b573ad4a8750377eea3b5b9df285226d1ae8e0c1e
Opcode Fuzzy Hash: de2cf7650519f89700f455d18571d4b2e1e76a2aa8052312f60d8524ee06abab
Instruction Fuzzy Hash: 4DE0EEB5800204AFCF019FA0C8087DD7BF1FB4D350F11C029F95AA7220CB3895429F40

Function 00BEB5B5 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00BEB780

Strings

AutoIt3GUI, xrefs: 00BEB6F8
Container, xrefs: 00BEB6FD

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: ab7f98e452ab97abb481c77c8a46482340791336e836f0038174f4d08245ffdc
Instruction ID: 15af039e38de4b554a1f4bdb97c5fee87736d8fdab80402fad8127a672d7951b
Opcode Fuzzy Hash: ab7f98e452ab97abb481c77c8a46482340791336e836f0038174f4d08245ffdc
Instruction Fuzzy Hash: C8913770600601AFDB14DF69C894F6BBBE9FF48710F1485ADE94ADB6A1DBB0E840CB50

Function 00BFB038 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00BAFE06: _wcscpy.LIBCMT ref: 00BAFE29

Part of subcall function 00B99997: __itow.LIBCMT ref: 00B999C2
Part of subcall function 00B99997: __swprintf.LIBCMT ref: 00B99A0C

__wcsnicmp.LIBCMT ref: 00BFB0B9
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00BFB182

Strings

LPT, xrefs: 00BFB0B3

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 1ac3c140d374b68a1570bcbc409b7b26acda1ff9493f58eec807302e13e3824a
Instruction ID: 165060509962a88c4c1a70abd0f7c32ca992a9db5ddee5d6bff94d037b216887
Opcode Fuzzy Hash: 1ac3c140d374b68a1570bcbc409b7b26acda1ff9493f58eec807302e13e3824a
Instruction Fuzzy Hash: AB615375A10219AFCB14EF98C891EFEB7F4EF08310F1540A9F656AB251DB70AE44CB91

Function 00BA2AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00BA2AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 00BA2AE1

Strings

@, xrefs: 00BA2AD5

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: b2dd8ad73337f7564d332bbdce52e06dcd991820b334b57e0ef9cfbba3fd3c1a
Instruction ID: 7a65b9086b301249dd320ac301560cf3096777d74d04c966afd499966102b75e
Opcode Fuzzy Hash: b2dd8ad73337f7564d332bbdce52e06dcd991820b334b57e0ef9cfbba3fd3c1a
Instruction Fuzzy Hash: 415154724187449BD760AF14DC86BAFBBE8FF84310F8188ADF1D9411A1EB309529CB66

Function 00BF97DD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00B9506B: __fread_nolock.LIBCMT ref: 00B95089

_wcscmp.LIBCMT ref: 00BF98CD
_wcscmp.LIBCMT ref: 00BF98E0

Strings

FILE, xrefs: 00BF9819

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: dadb7c573cbee6be993b27c7b8a740d03d367fadf4e441e1ff0c879399080d5e
Instruction ID: 5099e012e7c552ad0c947844fe224f090458b60c404d557adef8b4c9393e0bd5
Opcode Fuzzy Hash: dadb7c573cbee6be993b27c7b8a740d03d367fadf4e441e1ff0c879399080d5e
Instruction Fuzzy Hash: 6941C871A4061DBADF219EA4CC85FEF77FDDF45710F0044B9BA00B7181DAB1AA0987A1

Function 00C026A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C026B4
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00C026EA

Strings

|, xrefs: 00C026BB

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: d7020fb5a79dde3384fed287aa1e0e6264979fbbe3976cdb12a6a10e004196af
Instruction ID: 02bb678eded2b68d2945348a0c2ba706cbec95819ab923110e8aa4945a7ef829
Opcode Fuzzy Hash: d7020fb5a79dde3384fed287aa1e0e6264979fbbe3976cdb12a6a10e004196af
Instruction Fuzzy Hash: 12313971810119AFCF15EFA5CC89EEEBFB9FF08310F1001A9F815A6166DB315A56DB60

Function 00C17AA3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00C17B93
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00C17BA8

Strings

', xrefs: 00C17AFC

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: ff3718762ca3986d0767298847a556ecf5908bdfbe8b0cb114ec17124a87d069
Instruction ID: c97090da17829b257faf342463ab349a2ade0aea838db6501236104c81e92d6f
Opcode Fuzzy Hash: ff3718762ca3986d0767298847a556ecf5908bdfbe8b0cb114ec17124a87d069
Instruction Fuzzy Hash: 31410874A093099FDB14CF65D881BDEBBB5FF0A300F10016AE914AB391D730AA91DF90

Function 00C16A95 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00C16B49
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00C16B85

Strings

static, xrefs: 00C16AE5

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: e8657357f0f89d6bb72ee6cdc809b2fd24798581df0ac483c1e929cfd54ebe67
Instruction ID: 55df4d36cf42523fbbf108088f0bad90afe47c7fa67dea4d4ed1247a81699243
Opcode Fuzzy Hash: e8657357f0f89d6bb72ee6cdc809b2fd24798581df0ac483c1e929cfd54ebe67
Instruction Fuzzy Hash: B8317071110604ABEB109F68CC81BFB73A9FF49724F10852DF9A9D7190DB31AD91E760

Function 00BF2B9A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BF2C09
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00BF2C44

Strings

0, xrefs: 00BF2C02

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 4a5576f9c8194f71e8b5961b37018f8d1d7159d446bc0c3682a84633b2faa04a
Instruction ID: afcd39b46def4876bdf7cb84e914706d6aea8fc74e58112ee3ff624ed645fdf8
Opcode Fuzzy Hash: 4a5576f9c8194f71e8b5961b37018f8d1d7159d446bc0c3682a84633b2faa04a
Instruction Fuzzy Hash: FB31937160020DAFDB359F58D986BFEBFF9EB05350F144099EA85A71A1E7709A48CB10

Function 00C03AFF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00C03B7C

Part of subcall function 00B97F41: _memmove.LIBCMT ref: 00B97F82

Strings

AUTOITCALLVARIABLE%d, xrefs: 00C03B6E
, $, xrefs: 00C03BBC

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: d1c6d1f573c43eab14b14b4bb2b7301ec39c7a31b80be0b9ff030499febc7a91
Instruction ID: a16b22dbd619520d30aedc92e94c14190591354fed1af99e6118f6e145df512a
Opcode Fuzzy Hash: d1c6d1f573c43eab14b14b4bb2b7301ec39c7a31b80be0b9ff030499febc7a91
Instruction Fuzzy Hash: 58215E34600268ABCF10EF68CC82EAE77E8FF45700F4044E9F405AB181DB34AA45CBA1

Function 00BEADBC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BA619A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00BA61B1

SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00BEAE1B
_strlen.LIBCMT ref: 00BEAE26

Strings

@U=u, xrefs: 00BEAE1B

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSend$Timeout_strlen
String ID: @U=u
API String ID: 2777139624-2594219639
Opcode ID: 3c2488b24ebb271ad5f4633667f17dbee901e69099c953279c83af073b522167
Instruction ID: 093b5c3c07b0a11ce0f5fb5d7e1ea3d0a0e4c21fa6f24ea41d0c1f2cc0ec67aa
Opcode Fuzzy Hash: 3c2488b24ebb271ad5f4633667f17dbee901e69099c953279c83af073b522167
Instruction Fuzzy Hash: 4F11A53220424567CF14AA79DCC2ABF7BEDDF45740F2040FDF5069A193DF65AC459252

Function 00C16897 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 76windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BF56A4: GetLocalTime.KERNEL32 ref: 00BF56B1
Part of subcall function 00BF56A4: _wcsncpy.LIBCMT ref: 00BF56E6
Part of subcall function 00BF56A4: _wcsncpy.LIBCMT ref: 00BF5718
Part of subcall function 00BF56A4: _wcsncpy.LIBCMT ref: 00BF574B
Part of subcall function 00BF56A4: _wcsncpy.LIBCMT ref: 00BF578D

SendMessageW.USER32(?,00001002,00000000,?), ref: 00C16931

Strings

@U=u, xrefs: 00C16931
SysDateTimePick32, xrefs: 00C168EF

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: _wcsncpy$LocalMessageSendTime
String ID: @U=u$SysDateTimePick32
API String ID: 2466184910-2530228043
Opcode ID: e05321d3a76ffa910ccaa02bdcca696484019568305f8d35591077b6799e5c02
Instruction ID: 4b24d245668822e2a6016e71a329a23f301f5655ab62e814fe2e35386181194e
Opcode Fuzzy Hash: e05321d3a76ffa910ccaa02bdcca696484019568305f8d35591077b6799e5c02
Instruction Fuzzy Hash: DD2106327402086FEF218E54DC82FFE73A9EB55764F100529F950AB1D0D6B1AC91A7A0

Function 00BE94E7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00BE9500

Part of subcall function 00BF170F: GetWindowThreadProcessId.USER32(?,?), ref: 00BF173A
Part of subcall function 00BF170F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00BE951C,00000034,?,?,00001004,00000000,00000000), ref: 00BF174A
Part of subcall function 00BF170F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00BE951C,00000034,?,?,00001004,00000000,00000000), ref: 00BF1760

Part of subcall function 00BF17ED: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00BE9558,?,?,00000034,00000800,?,00000034), ref: 00BF1817

SendMessageW.USER32(?,00001073,00000000,?), ref: 00BE9567

Part of subcall function 00BF17B8: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00BE9587,?,?,00000800,?,00001073,00000000,?,?), ref: 00BF17E2

Strings

@U=u, xrefs: 00BE9500, 00BE9567

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Process$MemoryMessageSend$AllocOpenReadThreadVirtualWindowWrite
String ID: @U=u
API String ID: 1045663743-2594219639
Opcode ID: f1f130da8d25bc3b7e40664ac109d946fe2a23f4ef30f1e736965048310a33ce
Instruction ID: 398b441dd69fd2fb82115b7e1f8bbe868f7ca01a7dd88cdf1eb7c180539d43ce
Opcode Fuzzy Hash: f1f130da8d25bc3b7e40664ac109d946fe2a23f4ef30f1e736965048310a33ce
Instruction Fuzzy Hash: CC212C71901218EBDF15AB98DC41FD9BBF9FF05350F1041A5FA48A7190DA715A58CF50

Function 00C16706 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00C16793
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C1679E

Strings

Combobox, xrefs: 00C16760

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 5d87afa2ba8ed6ce259897f1426b5ba419d66b55e58f2ead52f336eedb46827b
Instruction ID: bc2036a715d6732b2b17b62e72f364fe8bcf681c1122baef63e163a867f02d76
Opcode Fuzzy Hash: 5d87afa2ba8ed6ce259897f1426b5ba419d66b55e58f2ead52f336eedb46827b
Instruction Fuzzy Hash: 491198757006096FEF15DF24DC80FFB376AEB4A368F104525F924972D0D6319D91A7A0

Function 00C19725 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

@U=u, xrefs: 00C197AA, 00C197D3

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID:
String ID: @U=u
API String ID: 0-2594219639
Opcode ID: 785ebf65d9cb091e984e52afb286f3de8c8db081af0448344fc3761e78b63010
Instruction ID: c87b6e4dbd48e093cfe86a5a49d6fbef35ca48fd7eb89aac2bef58d7cc4385ae
Opcode Fuzzy Hash: 785ebf65d9cb091e984e52afb286f3de8c8db081af0448344fc3761e78b63010
Instruction Fuzzy Hash: E2219035120208BFDB109F14CC65FFA37E4EF0A310F404155FA26DA5E0D670EA90ABA0

Function 00C16C39 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00B91D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00B91D73
Part of subcall function 00B91D35: GetStockObject.GDI32(00000011), ref: 00B91D87
Part of subcall function 00B91D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B91D91

GetWindowRect.USER32(00000000,?), ref: 00C16CA3
GetSysColor.USER32(00000012), ref: 00C16CBD

Strings

static, xrefs: 00C16C80

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 43d5042b900d9b87ec554a08788d9a7a9cc1e1d86bacf1974b03a54b550228d0
Instruction ID: 69089365f39163b482fc595a6ee9b6e8181f19faf61698cee033ca38f1c42fd6
Opcode Fuzzy Hash: 43d5042b900d9b87ec554a08788d9a7a9cc1e1d86bacf1974b03a54b550228d0
Instruction Fuzzy Hash: 9D21597261020AAFDB04DFA8CC45AFA7BA8FB09314F004629F955E2250E735E891EB90

Function 00BF2CA7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BF2D1A
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00BF2D39

Strings

0, xrefs: 00BF2D10

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: f647fa8b2cdad04914cad8ac07092bfaaf7edc6bc3200da2eaa172b51ade9a6d
Instruction ID: 3e18582d3a7e7bd2adb87d6eb1b78aafb3557b23b36bada730d119cc575759bb
Opcode Fuzzy Hash: f647fa8b2cdad04914cad8ac07092bfaaf7edc6bc3200da2eaa172b51ade9a6d
Instruction Fuzzy Hash: 4E11E279D0221CABCF21DB98D894BBD77F9EB05300F1401B5EE15AB2A0D730AE09D791

Function 00C022EC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00C02342
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00C0236B

Strings

<local>, xrefs: 00C02333

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: a0db8e5e03d42e8ab50846b41b0c3f255e1232fb8691a0d93b5852af088c1dac
Instruction ID: 8668e053b0a95d9debb448e2282857ed8370dea7449d47f9525ba0d0f09dfff3
Opcode Fuzzy Hash: a0db8e5e03d42e8ab50846b41b0c3f255e1232fb8691a0d93b5852af088c1dac
Instruction Fuzzy Hash: 00110270101625BADB248F128CCCFFBFB6CFF06751F10812AF959520A0D2746A91D6F0

Function 00C18515 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 00C18562

Strings

@U=u, xrefs: 00C18562, 00C1859E

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: af275ef77c69236abedee98b4a9eab052fdb1cf360ef45f8d8030d692f704bd1
Instruction ID: 517f3a52d4097d02d762451b42f7812939c618a74bbddcffd5ec8176cafcdae9
Opcode Fuzzy Hash: af275ef77c69236abedee98b4a9eab052fdb1cf360ef45f8d8030d692f704bd1
Instruction Fuzzy Hash: 5121F779A04209EFCB05CF94D8809EA7BB6FB4D350B004159FE15A3310DA31AEA5EBA0

Function 00C165E8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000401,?,00000000), ref: 00C1665E

Strings

button, xrefs: 00C16635
@U=u, xrefs: 00C1665E

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSend
String ID: @U=u$button
API String ID: 3850602802-1762282863
Opcode ID: aaffeda3efeb3e546d9a7cd99d6139361da2ba903315236b81f44c8f163fe292
Instruction ID: 75b7c61bc929d895134a9b75794abb8c3892076130ab5e37d6e30bec5c667d37
Opcode Fuzzy Hash: aaffeda3efeb3e546d9a7cd99d6139361da2ba903315236b81f44c8f163fe292
Instruction Fuzzy Hash: 27110432150209ABDF018F60DC01FEA376AFF1A314F104528FE60A7190C776E8A1BB50

Function 00C178BE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000133E,00000000,?), ref: 00C1790A

Strings

@U=u, xrefs: 00C1790A

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: ed4f73a03fbc05a52aa3ca5be0fb0e1679fc17d47273c2bbd03f4c22c1e4a42a
Instruction ID: ce69c9971824be7ddf5197494725963999614a191168e4a50958a49f1759711c
Opcode Fuzzy Hash: ed4f73a03fbc05a52aa3ca5be0fb0e1679fc17d47273c2bbd03f4c22c1e4a42a
Instruction Fuzzy Hash: 3111D074504744AFDB20CF34C891AE7BBF9BF0A320F10861DF8AA57291DB716985EB60

Function 00BE9769 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BF17ED: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00BE9558,?,?,00000034,00000800,?,00000034), ref: 00BF1817

SendMessageW.USER32(?,0000102B,?,00000000), ref: 00BE97CB
SendMessageW.USER32(?,0000102B,?,00000000), ref: 00BE97F0

Strings

@U=u, xrefs: 00BE97CB, 00BE97F0

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSend$MemoryProcessWrite
String ID: @U=u
API String ID: 1195347164-2594219639
Opcode ID: 1af0d1874bb2bec9c6b2dc81fde154695dfc730eb655b69a0d7f3cebd97182e3
Instruction ID: 1127aaad7bc7dea62278cd4e31ea517c72e35792123f0d59f0cb2140d41d5955
Opcode Fuzzy Hash: 1af0d1874bb2bec9c6b2dc81fde154695dfc730eb655b69a0d7f3cebd97182e3
Instruction Fuzzy Hash: 8E01DB72500218EBDB15AF69DC86FEEBBB8EB14320F1041AAF915A70D0DB705D59CB60

Function 00BF8E3A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00BF8E55
__fread_nolock.LIBCMT ref: 00BF8E6A

Strings

EA06, xrefs: 00BF8E9C

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 415adee83b6acf7c28f1d5cc458f7b52fbc8accbab012bfb9140f280b9423c40
Instruction ID: 62cd082f326bc1a5e3546336e400f9f4b3fff493c40bbfb942ff79074fcb681e
Opcode Fuzzy Hash: 415adee83b6acf7c28f1d5cc458f7b52fbc8accbab012bfb9140f280b9423c40
Instruction Fuzzy Hash: AC01B9719042186FDB28D6A8CC56EFE7BF8DB15701F00459AF552D6181E9B5E6088760

Function 00BE9897 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000406,00000000,00000000), ref: 00BE98BD
SendMessageW.USER32(?,0000040D,?,00000000), ref: 00BE98F0

Part of subcall function 00BF17B8: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00BE9587,?,?,00000800,?,00001073,00000000,?,?), ref: 00BF17E2

Part of subcall function 00B97D2C: _memmove.LIBCMT ref: 00B97D66

Strings

@U=u, xrefs: 00BE98BD, 00BE98F0

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSend$MemoryProcessRead_memmove
String ID: @U=u
API String ID: 339422723-2594219639
Opcode ID: 52f191ff2360fa2ab640edfe775b5927bb9f9bbe102552c78b86d7338f34b7c8
Instruction ID: 14b99ba72e7b57bd767c14d3f32c3113f0adcaba7b6661c8523eefe9cf332fdf
Opcode Fuzzy Hash: 52f191ff2360fa2ab640edfe775b5927bb9f9bbe102552c78b86d7338f34b7c8
Instruction Fuzzy Hash: D60157B580021CAFDB50EE64DC81AE977BCFF19340F80C0AAFA49A7151DE314E99CB90

Function 00C1C5E7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B92612: GetWindowLongW.USER32(?,000000EB), ref: 00B92623

DefDlgProcW.USER32(?,0000002B,?,?,?,?,?,?,?,00BCBABA,?,?,?), ref: 00C1C65B

Part of subcall function 00B925DB: GetWindowLongW.USER32(?,000000EB), ref: 00B925EC

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00C1C641

Strings

@U=u, xrefs: 00C1C641

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: LongWindow$MessageProcSend
String ID: @U=u
API String ID: 982171247-2594219639
Opcode ID: 5527c0c3df8eb629879df1dcfd6ca4250de7642b4141cc917e882f27cc9c1b3e
Instruction ID: cb4367ce0123c69c622df34ceae69085342071f6bfc42a4478729853587cf3b7
Opcode Fuzzy Hash: 5527c0c3df8eb629879df1dcfd6ca4250de7642b4141cc917e882f27cc9c1b3e
Instruction Fuzzy Hash: D101D435240214EBCB219F15DC94FAA3BA6FB8A720F144168F9111B2E1C731A892EBA0

Function 00BE97FE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00BE980E
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00BE9826

Strings

@U=u, xrefs: 00BE980E, 00BE9826

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 100bbec2b4405618282f3b439b28f86e0be2a922c565b32d0b180acbd30cd057
Instruction ID: f2a788d73c5199c85a9a9098b9cef4b7274899b06702866e82da53393bf0aa59
Opcode Fuzzy Hash: 100bbec2b4405618282f3b439b28f86e0be2a922c565b32d0b180acbd30cd057
Instruction Fuzzy Hash: 2AE02B353423A176F23015235C4AFCB2E99DF4ABA1F100034B700991F1CBD10C56C1A0

Function 00BEA107 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE9C0E: SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00BE9C27
Part of subcall function 00BE9C0E: SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00BE9C61

SendMessageW.USER32(?,0000110B,00000005,00000000), ref: 00BEA12B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00BEA13B

Strings

@U=u, xrefs: 00BEA12B, 00BEA13B

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 9f7ec2ec5c3e5f199a90e508833bc0eef44fdeea1efd60cc8c3e89c7f2c51544
Instruction ID: ad69248177ae70fd84662ecf77be48108ac33b416a916294b3058f43df776ba7
Opcode Fuzzy Hash: 9f7ec2ec5c3e5f199a90e508833bc0eef44fdeea1efd60cc8c3e89c7f2c51544
Instruction Fuzzy Hash: ACE0D8753443097FF6215A62AC8AFE737BDDB49755F114039F300550A0EFE2DC606520

Function 00BF4FCF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00BF4FED
_wcscmp.LIBCMT ref: 00BF4FFF

Strings

#32770, xrefs: 00BF4FF9

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: c2edaa9ef85c69d5405db5f8a65525586cd9d92a50ff2a64a3355e6e2b2653a6
Instruction ID: 0191be1b05141fbc92d7b1d3e98086aa444120050953d8d5e3943f6aa53bd28f
Opcode Fuzzy Hash: c2edaa9ef85c69d5405db5f8a65525586cd9d92a50ff2a64a3355e6e2b2653a6
Instruction Fuzzy Hash: 8BE092326042292BE7209AA9AC09BABF7ECEB45B61F40016AFD44D3151E9A09A4587E1

Function 00BCB441 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00BCB494: _memset.LIBCMT ref: 00BCB4A1

Part of subcall function 00BB0AC0: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00BCB470,?,?,?,00B9100A), ref: 00BB0AC5

IsDebuggerPresent.KERNEL32(?,?,?,00B9100A), ref: 00BCB474
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00B9100A), ref: 00BCB483

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00BCB47E

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: e440413acf8d85fb704e27484cbc1ff73546107cdf04561af57875e4a877ae1e
Instruction ID: a7619dcaa91b2b5578076e338ab72df3b8ed1bf0843464a7aa0e84a423eb1f1c
Opcode Fuzzy Hash: e440413acf8d85fb704e27484cbc1ff73546107cdf04561af57875e4a877ae1e
Instruction Fuzzy Hash: CFE06DB46147008FDB34EF24E805B8A7BE4AB00305F01C9ACE496C3352EBF5E444CBA1

Function 00BF998C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00BF99A1
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00BF99B8

Strings

aut, xrefs: 00BF99B2

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 0f7af333ccf19fe85cd9d77e9e80ecd6838e7a8f7d86193641b82e34cea692b1
Instruction ID: 8e231d88d3ae3d342b536852dbf6ac386731c7ecd31f980025f099f98c0539f1
Opcode Fuzzy Hash: 0f7af333ccf19fe85cd9d77e9e80ecd6838e7a8f7d86193641b82e34cea692b1
Instruction Fuzzy Hash: 3CD05E7994030DABDB509BA0DC0EFDE777CF704700F0042B1BA94920A1EAB095998B91

Function 00C159CD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C159D7
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00C159EA

Part of subcall function 00BF52EB: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00BF5363

Strings

Shell_TrayWnd, xrefs: 00C159D0

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: aa6dac5cec969b914be490cc8d75ab4a3e44b9f4a07b95f0e74a5f3d921a8f0d
Instruction ID: 28e9ce890271d0fb42b87a5db0446f2d2924ab46de0c5386521030a2baf2b850
Opcode Fuzzy Hash: aa6dac5cec969b914be490cc8d75ab4a3e44b9f4a07b95f0e74a5f3d921a8f0d
Instruction Fuzzy Hash: 55D01231784311BBE674BB709C0FFEF6A55BB01B50F004939B359AB1D1C9F0A845C654

Function 00BE969F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00BE96AB
SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 00BE96B9

Strings

@U=u, xrefs: 00BE96AB, 00BE96B9

Memory Dump Source

Source File: 00000000.00000002.3817245042.0000000000B91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.3817228637.0000000000B90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817299655.0000000000C44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817347536.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3817364809.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_file.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 3f0e5ea18362d0ccfb4349c361c3ac8318cbd5af7df3af94d26252bda494a512
Instruction ID: 519b558857487090188970f1b95925a2133fe52e0a86b9d7c52d7868603bc3cb
Opcode Fuzzy Hash: 3f0e5ea18362d0ccfb4349c361c3ac8318cbd5af7df3af94d26252bda494a512
Instruction Fuzzy Hash: 35C00231141284BAEA215B77BC0DECB3E3DE7CBF52711416CB211950B5C66500A6D624

Source: file.exe, 00000000.00000002.3817942430.000000000161E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3817750995.000000000150B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://rektware16.temp.swtest.ru/
Source: file.exe, 00000000.00000002.3817942430.000000000161E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://rektware16.temp.swtest.ru/A
Source: file.exe, 00000000.00000003.1375348438.00000000038A1000.00000004.00000020.00020000.00000000.sdmp, ID_YUTPW48prqskALz7Hr5Uw82skEpcrd_[30_09_2024_10_13]_[19045-authorization].php.0.dr	String found in binary or memory: http://rektware16.temp.swtest.ru/ID_YUTPW48prqskALz7Hr5Uw82skEpcrd_
Source: file.exe, 00000000.00000002.3817942430.000000000161E000.00000004.00000020.00020000.00000000.sdmp, ID_YUTPW48prqskALz7Hr5Uw82skEpcrd_[30_09_2024_10_13]_[19045-authorization].php.0.dr, ID_YUTPW48prqskALz7Hr5Uw82skEpcrd_[30_09_2024_10_13]_[19045-cabinet].php.0.dr	String found in binary or memory: http://www.wysiwygwebbuilder.com

Source: C:\Users\user\Desktop\file.exe	File opened: z:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: x:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: v:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: t:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: r:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: p:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: n:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: l:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: j:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: h:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: f:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: b:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: y:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: w:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: u:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: s:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: q:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: o:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: m:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: k:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: i:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: g:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: e:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: a:	Jump to behavior

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\Desktop\AFWAAFRXKO.docx.killrabbit

C:\Users\user\Desktop\AFWAAFRXKO\AFWAAFRXKO.docx.killrabbit

C:\Users\user\Desktop\AFWAAFRXKO\AIXACVYBSB.png.killrabbit

C:\Users\user\Desktop\AFWAAFRXKO\DTBZGIOOSO.mp3.killrabbit

C:\Users\user\Desktop\AFWAAFRXKO\NHPKIZUUSG.jpg.killrabbit

C:\Users\user\Desktop\AFWAAFRXKO\TQDGENUHWP.xlsx.killrabbit

C:\Users\user\Desktop\AFWAAFRXKO\ZSSZYEFYMU.pdf.killrabbit

C:\Users\user\Desktop\AIXACVYBSB.png.killrabbit

C:\Users\user\Desktop\DTBZGIOOSO.mp3.killrabbit

C:\Users\user\Desktop\DTBZGIOOSO.pdf.killrabbit

C:\Users\user\Desktop\Excel.lnk.killrabbit

C:\Users\user\Desktop\HTAGVDFUIE.mp3.killrabbit

C:\Users\user\Desktop\ID_YUTPW48prqskALz7Hr5Uw82skEpcrd_[30_09_2024_10_13]_[19045-authorization].php

C:\Users\user\Desktop\ID_YUTPW48prqskALz7Hr5Uw82skEpcrd_[30_09_2024_10_13]_[19045-authorization].php.killrabbit

C:\Users\user\Desktop\ID_YUTPW48prqskALz7Hr5Uw82skEpcrd_[30_09_2024_10_13]_[19045-cabinet].php

C:\Users\user\Desktop\ID_YUTPW48prqskALz7Hr5Uw82skEpcrd_[30_09_2024_10_13]_[19045-cabinet].php.killrabbit

C:\Users\user\Desktop\NHPKIZUUSG.jpg.killrabbit

C:\Users\user\Desktop\NHPKIZUUSG.xlsx.killrabbit

C:\Users\user\Desktop\ONBQCLYSPU.jpg.killrabbit

C:\Users\user\Desktop\TQDGENUHWP.docx.killrabbit

C:\Users\user\Desktop\TQDGENUHWP.xlsx.killrabbit

Windows Analysis Report
file.exe

Function 00B93B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 00B94AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00BF3B56 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91
fileCOMMON

Function 00B94FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00BFBD48 Relevance: 7.6, APIs: 5, Instructions: 143
fileCOMMON

Function 00B93017 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 68
windowregistryCOMMON

Function 00B93041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 00B971EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00BFA931 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183
COMMON

Function 00B93A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00BB6F80 Relevance: 16.8, APIs: 11, Instructions: 258
COMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre