Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1522741
MD5:	4140300748e5cf4ebf35d94f2c8623a6
SHA1:	949bb17c71feaba800d5e4a0010b2985c3a06645
SHA256:	a250695f8ca2289a78da279d21d400f3ee2fb0f44642469d44a1c63d5eeeedeb
Tags:	exeuser-jstrosch
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Machine Learning detection for sample

Uses Windows timers to delay execution

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sleep loop found (likely to delay execution)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 7956 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 4140300748E5CF4EBF35D94F2C8623A6)

cleanup

Code function: 3_2_000E6B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

3_2_000E6B0C

Source: C:\Users\user\Desktop\file.exe

Code function: 3_2_000E6D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

3_2_000E6D07

Source: C:\Users\user\Desktop\file.exe

3_2_000E6B0C

Source: C:\Users\user\Desktop\file.exe

Code function: 3_2_000D2B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

3_2_000D2B37

Source: C:\Users\user\Desktop\file.exe

Code function: 3_2_000FF7FF NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,6FCFCB00,6FCFC2F0,SetCapture,ClientToScreen,6FCFC530,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

3_2_000FF7FF

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\file.exe	Code function: This is a third-party compiled AutoIt script.	3_2_00093D19
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000003.00000000.1281622742.000000000013E000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_97758e61-2
Source: file.exe, 00000003.00000000.1281622742.000000000013E000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_5c844094-2
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_17a53d1c-7
Source: file.exe	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_a5c52a71-8

Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00093742 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,	3_2_00093742
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_001000AF NtdllDialogWndProc_W,	3_2_001000AF
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00100133 GetSystemMetrics,MoveWindow,SendMessageW,InvalidateRect,SendMessageW,ShowWindow,NtdllDialogWndProc_W,	3_2_00100133
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0010044C NtdllDialogWndProc_W,	3_2_0010044C
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000FE9AF NtdllDialogWndProc_W,CallWindowProcW,	3_2_000FE9AF
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000AAAFC NtdllDialogWndProc_W,	3_2_000AAAFC
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000AAB4F NtdllDialogWndProc_W,	3_2_000AAB4F
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000FEC7C NtdllDialogWndProc_W,	3_2_000FEC7C
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000FECD4 6FCFC580,6FCFC6F0,ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,	3_2_000FECD4
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000FEEEB PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,	3_2_000FEEEB
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000AB11F NtdllDialogWndProc_W,74D2C8D0,NtdllDialogWndProc_W,	3_2_000AB11F
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000FF1D7 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	3_2_000FF1D7
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000FF2D0 SendMessageW,NtdllDialogWndProc_W,	3_2_000FF2D0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000FF351 DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	3_2_000FF351
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000AB385 GetParent,NtdllDialogWndProc_W,	3_2_000AB385
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000AB55D NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,	3_2_000AB55D
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000FF5AB NtdllDialogWndProc_W,	3_2_000FF5AB
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000FF5DA NtdllDialogWndProc_W,	3_2_000FF5DA
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000FF609 NtdllDialogWndProc_W,	3_2_000FF609
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000FF654 NtdllDialogWndProc_W,	3_2_000FF654
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000FF689 ClientToScreen,6FCFC5D0,NtdllDialogWndProc_W,	3_2_000FF689
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000AB715 NtdllDialogWndProc_W,	3_2_000AB715
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000FF7C3 GetWindowLongW,NtdllDialogWndProc_W,	3_2_000FF7C3
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000FF7FF NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,6FCFCB00,6FCFC2F0,SetCapture,ClientToScreen,6FCFC530,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	3_2_000FF7FF

Source: C:\Users\user\Desktop\file.exe

Code function: 3_2_000D6606: CreateFileW,DeviceIoControl,CloseHandle,

3_2_000D6606

Source: C:\Users\user\Desktop\file.exe

Code function: 3_2_000CAF64 GetCurrentProcess,OpenProcessToken,743B7ED0,CloseHandle,CreateProcessWithLogonW,743B7F30,

3_2_000CAF64

Source: C:\Users\user\Desktop\file.exe

Code function: 3_2_000D79D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

3_2_000D79D3

Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000A3200	3_2_000A3200
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000A3B70	3_2_000A3B70
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000C410F	3_2_000C410F
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000B02A4	3_2_000B02A4
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000C038E	3_2_000C038E
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0009E3B0	3_2_0009E3B0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000C467F	3_2_000C467F
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000B06D9	3_2_000B06D9
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000FAACE	3_2_000FAACE
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000C4BEF	3_2_000C4BEF
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000BCCC1	3_2_000BCCC1
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00096F07	3_2_00096F07
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0009AF50	3_2_0009AF50
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000BB043	3_2_000BB043
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000AB11F	3_2_000AB11F
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000BD1B9	3_2_000BD1B9
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000F31BC	3_2_000F31BC
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000B123A	3_2_000B123A
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000C724D	3_2_000C724D
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000D13CA	3_2_000D13CA
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000993F0	3_2_000993F0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000AF563	3_2_000AF563
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000DB6CC	3_2_000DB6CC
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000996C0	3_2_000996C0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000977B0	3_2_000977B0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000FF7FF	3_2_000FF7FF
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000C79C9	3_2_000C79C9
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000AFA57	3_2_000AFA57
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00099B60	3_2_00099B60
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000AFE6F	3_2_000AFE6F
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000B9ED0	3_2_000B9ED0
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00097FA3	3_2_00097FA3

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 000AEC2F appears 68 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 000BF8A0 appears 35 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 000B6AC0 appears 42 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\file.exe

Code function: 3_2_000DCE7A GetLastError,FormatMessageW,

3_2_000DCE7A

Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000CAB84 AdjustTokenPrivileges,CloseHandle,		3_2_000CAB84
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000CB134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		3_2_000CB134

Source: C:\Users\user\Desktop\file.exe

Code function: 3_2_000DE1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

3_2_000DE1FD

Source: C:\Users\user\Desktop\file.exe

Code function: 3_2_000D6532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,

3_2_000D6532

Source: C:\Users\user\Desktop\file.exe

Code function: 3_2_000EC18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,

3_2_000EC18C

Source: C:\Users\user\Desktop\file.exe

Code function: 3_2_0009406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

3_2_0009406B

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 55%

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 3_2_000AE01E LoadLibraryA,GetProcAddress,

3_2_000AE01E

Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000A288A push 66000A23h; retn 0010h	3_2_000A28E1
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000B6B05 push ecx; ret	3_2_000B6B18
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000BBDAA push edi; ret	3_2_000BBDAC
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000BBEC3 push esi; ret	3_2_000BBEC5

Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000F8111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		3_2_000F8111
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000AEB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		3_2_000AEB42

Source: C:\Users\user\Desktop\file.exe

Code function: 3_2_000B123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_000B123A

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Uses Windows timers to delay execution

Source: C:\Users\user\Desktop\file.exe	User Timer Set: Timeout: 750ms	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	User Timer Set: Timeout: 750ms	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	User Timer Set: Timeout: 750ms	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	User Timer Set: Timeout: 750ms	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Window / User API: threadDelayed 1201			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window / User API: threadDelayed 4436			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_3-88628

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.8 %

Source: C:\Users\user\Desktop\file.exe TID: 7960	Thread sleep time: -44360s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7188	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Thread sleep count: Count: 1201 delay: -10			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread sleep count: Count: 4436 delay: -10			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000D60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	3_2_000D60DD
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000D63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	3_2_000D63F9
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000DEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	3_2_000DEB60
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000D6CA9 GetFileAttributesW,FindFirstFileW,FindClose,	3_2_000D6CA9
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000DF56F FindFirstFileW,FindClose,	3_2_000DF56F
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000DF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	3_2_000DF5FA
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000E1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	3_2_000E1B2F
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000E1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	3_2_000E1C8A
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000E1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	3_2_000E1F94

Source: C:\Users\user\Desktop\file.exe

Code function: 3_2_000ADDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

3_2_000ADDC0

Source: file.exe, 00000003.00000002.2538200594.0000000000E9C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.2403832167.0000000000E99000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.2403920605.0000000000E25000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1803722667.0000000000E96000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.2403681761.0000000000E97000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\file.exe

API call chain: ExitProcess graph end node

graph_3-88080

Source: C:\Users\user\Desktop\file.exe

Code function: 3_2_000E6AAF BlockInput,

3_2_000E6AAF

Source: C:\Users\user\Desktop\file.exe

Code function: 3_2_00093D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

3_2_00093D19

Source: C:\Users\user\Desktop\file.exe

Code function: 3_2_000C3920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,

3_2_000C3920

Source: C:\Users\user\Desktop\file.exe

Code function: 3_2_000AE01E LoadLibraryA,GetProcAddress,

3_2_000AE01E

Source: C:\Users\user\Desktop\file.exe

Code function: 3_2_000CA66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

3_2_000CA66C

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000B8189 SetUnhandledExceptionFilter,		3_2_000B8189
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000B81AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,		3_2_000B81AC

Source: C:\Users\user\Desktop\file.exe

Code function: 3_2_000CB106 LogonUserW,

3_2_000CB106

Source: C:\Users\user\Desktop\file.exe

Code function: 3_2_00093D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

3_2_00093D19

Source: C:\Users\user\Desktop\file.exe

Code function: 3_2_000D411C SendInput,keybd_event,

3_2_000D411C

Source: C:\Users\user\Desktop\file.exe

Code function: 3_2_000D74BB mouse_event,

3_2_000D74BB

Source: C:\Users\user\Desktop\file.exe

3_2_000CA66C

Source: C:\Users\user\Desktop\file.exe

Code function: 3_2_000D71FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

3_2_000D71FA

Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning

Source: C:\Users\user\Desktop\file.exe

Code function: 3_2_000B65C4 cpuid

3_2_000B65C4

Source: C:\Users\user\Desktop\file.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 3_2_000E091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW,

3_2_000E091D

Source: C:\Users\user\Desktop\file.exe

Code function: 3_2_0010B340 GetUserNameW,

3_2_0010B340

Source: C:\Users\user\Desktop\file.exe

Code function: 3_2_000C1E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

3_2_000C1E8E

Source: C:\Users\user\Desktop\file.exe

Code function: 3_2_000ADDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

3_2_000ADDC0

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000E8C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	3_2_000E8C4F
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000E923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	3_2_000E923B
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_000C58C5 RpcBindingSetOption,_LocaleUpdate::_LocaleUpdate,_memset,WideCharToMultiByte,GetLastError,_memset,	3_2_000C58C5

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	25 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Process Injection	2 Valid Accounts	LSA Secrets	31 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Virtualization/Sandbox Evasion	Cached Domain Credentials	12 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Process Injection	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
file.exe	55%	ReversingLabs	Win32.Downloader.Seduploader
file.exe	100%	Avira	TR/Dldr.Sednit.qpznx
file.exe	100%	Joe Sandbox ML

Name	Source	Malicious	Antivirus Detection	Reputation
https://46.183.218.37/	file.exe, 00000003.00000002.2537954444.0000000000E20000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://46.183.218.37/community/wiki-self-signed/name-signed.php	file.exe, 00000003.00000003.1803668616.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2538244077.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.2403832167.0000000000E8F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1483001479.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.2403629641.0000000000E8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2538171597.0000000000E8F000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
46.183.218.37	unknown	Latvia		52048	DATACLUBLV	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1522741
Start date and time:	2024-09-30 16:19:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.evad.winEXE@1/0@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 46 Number of non-executed functions: 319
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
10:20:57	API Interceptor	1x Sleep call for process: file.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DATACLUBLV	POandSpecs.exe	Get hash	malicious	XenoRAT	Browse	84.38.132.74
	hJm4BAWmD2.exe	Get hash	malicious	XenoRAT	Browse	109.248.150.213
	EIirQiZnX9.img	Get hash	malicious	AgentTesla, GuLoader	Browse	109.248.150.159
	17265837652d55c0f124ae83612d8bd5caa1d7f12d178ec09d2162f830ec997362a0f3d454121.dat-decoded.exe	Get hash	malicious	AveMaria, PrivateLoader	Browse	109.248.151.156
	file.exe	Get hash	malicious	GuLoader	Browse	46.183.220.28
	file.exe	Get hash	malicious	GuLoader	Browse	46.183.220.28
	3TpW2Sn68z.exe	Get hash	malicious	Remcos	Browse	84.38.132.103
	1q4wVJgStc.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	46.183.223.107
	nleHhuZy1N.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	46.183.223.107
	Documenti di spedizione 0002838844.exe	Get hash	malicious	AgentTesla	Browse	46.183.223.107

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.547727592288568
TrID:	Win32 Executable (generic) a (10002005/4) 99.70% Win32 EXE Yoda's Crypter (26571/9) 0.26% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	872'448 bytes
MD5:	4140300748e5cf4ebf35d94f2c8623a6
SHA1:	949bb17c71feaba800d5e4a0010b2985c3a06645
SHA256:	a250695f8ca2289a78da279d21d400f3ee2fb0f44642469d44a1c63d5eeeedeb
SHA512:	2146d27b9e1447a529a7c768ff1c2abfe6abc60ed9ca0b21a5d9d6245892cd8217086e3992eaa64c1355d5cc0595096dff99202c056816ee63f3b1842bfc35f8
SSDEEP:	12288:itb20Qc3lT7af41ePBRYuQLKpqeUhbTv5OFgNDPPpHrY/T4AOl6V6A:itb20pkaCqT5TBWgNjVYbtOYV6A
TLSH:	57059E1373DD8360C3B25273BA25B701AEBF782506B5F96B2FD4093DE920162525EA73
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x425f74
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x5B39BDFD [Mon Jul 2 05:54:05 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	c1d258acab237961164a925272293413

Entrypoint Preview

Instruction
call 00007FAB04DDDADFh
jmp 00007FAB04DD0AF4h
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FAB04DD0C7Ah
cmp edi, eax
jc 00007FAB04DD0FDEh
bt dword ptr [004C0158h], 01h
jnc 00007FAB04DD0C79h
rep movsb
jmp 00007FAB04DD0F8Ch
cmp ecx, 00000080h
jc 00007FAB04DD0E44h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FAB04DD0C80h
bt dword ptr [004BA370h], 01h
jc 00007FAB04DD1150h
bt dword ptr [004C0158h], 00000000h
jnc 00007FAB04DD0E1Dh
test edi, 00000003h
jne 00007FAB04DD0E2Eh
test esi, 00000003h
jne 00007FAB04DD0E0Dh
bt edi, 02h
jnc 00007FAB04DD0C7Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FAB04DD0C83h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FAB04DD0CD5h
bt esi, 03h
jnc 00007FAB04DD0D28h
movdqa xmm1, dqword ptr [esi+00h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2012 UPD4 build 61030
[RES] VS2012 UPD4 build 61030
[LNK] VS2012 UPD4 build 61030

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb7004	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc4000	0xbfa0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd0000	0x6c4c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb2730	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8b54f	0x8b600	f437a6545e938612764dbb0a314376fc	False	0.5699499019058296	data	6.680413749210956	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8d000	0x2cc42	0x2ce00	ede9d722bf5e27d1f93aaf9e53240a22	False	0.3183049704038997	data	5.682422502790088	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xba000	0x9d54	0x6200	e0a519f8e3a35fae0d9c2cfd5a4bacfc	False	0.16402264030612246	data	2.002691099965349	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc4000	0xbfa0	0xc000	7ff77f9af992352d6b138e92613b9947	False	0.4478963216145833	data	5.989023386014378	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd0000	0xa474	0xa600	0bc98f8631ef0bde830a7f83bb06ff08	False	0.5017884036144579	data	5.245426654116355	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xc8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xca038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xca4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xca4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcaa84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcc7b8	0x310e	data			1.0008759356585444
RT_GROUP_ICON	0xcf8c8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xcf940	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xcf954	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xcf968	0x14	data	English	Great Britain	1.25
RT_VERSION	0xcf97c	0x274	data	English	Great Britain	0.4968152866242038
RT_MANIFEST	0xcfbf0	0x3b0	ASCII text, with CRLF line terminators	English	Great Britain	0.5116525423728814

Imports

DLL	Import
KERNEL32.DLL	HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
ADVAPI32.dll	GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
COMCTL32.dll	ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
GDI32.dll	SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit
PSAPI.DLL	GetProcessMemoryInfo
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
USER32.dll	SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
USERENV.dll	UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
WSOCK32.dll	__WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2024 16:20:25.963830948 CEST	49713	443	192.168.2.10	46.183.218.37
Sep 30, 2024 16:20:25.963936090 CEST	443	49713	46.183.218.37	192.168.2.10
Sep 30, 2024 16:20:25.964026928 CEST	49713	443	192.168.2.10	46.183.218.37
Sep 30, 2024 16:20:25.965320110 CEST	49713	443	192.168.2.10	46.183.218.37
Sep 30, 2024 16:20:25.965348005 CEST	443	49713	46.183.218.37	192.168.2.10
Sep 30, 2024 16:20:57.954857111 CEST	49713	443	192.168.2.10	46.183.218.37

Target ID:	3
Start time:	10:20:05
Start date:	30/09/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x90000
File size:	872'448 bytes
MD5 hash:	4140300748E5CF4EBF35D94F2C8623A6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	8.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	106

Executed Functions

Function 00093D19 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00093AA3,?), ref: 00093D45
IsDebuggerPresent.KERNEL32(?,?,?,?,00093AA3,?), ref: 00093D57
GetFullPathNameW.KERNEL32(00007FFF,?,?,00151148,00151130,?,?,?,?,00093AA3,?), ref: 00093DC8

Part of subcall function 00096430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00093DEE,00151148,?,?,?,?,?,00093AA3,?), ref: 00096471

SetCurrentDirectoryW.KERNEL32(?,?,?,00093AA3,?), ref: 00093E48
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,001428F4,00000010), ref: 00101CCE
SetCurrentDirectoryW.KERNEL32(?,00151148,?,?,?,?,?,00093AA3,?), ref: 00101D06
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,0012DAB4,00151148,?,?,?,?,?,00093AA3,?), ref: 00101D89
ShellExecuteW.SHELL32(00000000,?,?,?,?,00093AA3), ref: 00101D90

Part of subcall function 00093E6E: GetSysColorBrush.USER32(0000000F), ref: 00093E79
Part of subcall function 00093E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00093E88
Part of subcall function 00093E6E: LoadIconW.USER32(00000063), ref: 00093E9E
Part of subcall function 00093E6E: LoadIconW.USER32(000000A4), ref: 00093EB0
Part of subcall function 00093E6E: LoadIconW.USER32(000000A2), ref: 00093EC2
Part of subcall function 00093E6E: RegisterClassExW.USER32(?), ref: 00093F30

Part of subcall function 000936B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 000936E6
Part of subcall function 000936B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00093707
Part of subcall function 000936B8: ShowWindow.USER32(00000000,?,?,?,?,00093AA3,?), ref: 0009371B
Part of subcall function 000936B8: ShowWindow.USER32(00000000,?,?,?,?,00093AA3,?), ref: 00093724

Part of subcall function 00094FFC: _memset.LIBCMT ref: 00095022
Part of subcall function 00094FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 000950CB

Strings

runas, xrefs: 00101D84
This is a third-party compiled AutoIt script., xrefs: 00101CC8

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 438480954-3287110873
Opcode ID: 5e3cb85d06f9a6c006bf77fea415ba1302479c8db5b1c024bac76b0df07e9d8f
Instruction ID: ab34fbb904f0c7c34622ebb007dcfc2086a6ec8e9b0ac6684556aa7a78dbe577
Opcode Fuzzy Hash: 5e3cb85d06f9a6c006bf77fea415ba1302479c8db5b1c024bac76b0df07e9d8f
Instruction Fuzzy Hash: 9E510631A04349FACF12ABF0EC85EEE7B75AF15705F004065F6516A1E3DB744A89EB21

Function 00093742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
timewindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtdllDefWindowProc_W.USER32(?,?,?,?), ref: 000937B3
KillTimer.USER32(?,00000001), ref: 000937DD
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00093800
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 0009380B
CreatePopupMenu.USER32 ref: 0009381F
PostQuitMessage.USER32(00000000), ref: 0009382E

Strings

TaskbarCreated, xrefs: 00093806

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
String ID: TaskbarCreated
API String ID: 157504867-2362178303
Opcode ID: 2d82b5559389fbb310c24481517ae731ee3094b9d6e2ec9d214423f258099869
Instruction ID: 63fd4ac0404eafc1438a1c6d76fa5d588acb2de396e6afe47124eba9b02b2a6a
Opcode Fuzzy Hash: 2d82b5559389fbb310c24481517ae731ee3094b9d6e2ec9d214423f258099869
Instruction Fuzzy Hash: 9C4103B5208346BBDF355BA8ED4EBBE7695F704302F404125F902DA5D1CB649E80AF62

Function 000ADDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 000ADDEC
GetCurrentProcess.KERNEL32(00000000,0012DC38,?,?), ref: 000ADEAC
GetNativeSystemInfo.KERNEL32(?,0012DC38,?,?), ref: 000ADF01
FreeLibrary.KERNEL32(00000000,?,?), ref: 000ADF0C
FreeLibrary.KERNEL32(00000000,?,?), ref: 000ADF1F
GetSystemInfo.KERNEL32(?,0012DC38,?,?), ref: 000ADF29
GetSystemInfo.KERNEL32(?,0012DC38,?,?), ref: 000ADF35

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
String ID:
API String ID: 3851250370-0
Opcode ID: 4e4d233ff9e1cce5d5bf672e54bf83ecf71f26d6637e2c50dc405b24da1caea1
Instruction ID: e87aaf4c1cb5a189690c386a9c04a84e26ee7bc9f22b948ad9f70ad4e37fc5fd
Opcode Fuzzy Hash: 4e4d233ff9e1cce5d5bf672e54bf83ecf71f26d6637e2c50dc405b24da1caea1
Instruction Fuzzy Hash: 1D61D5B180A384DFCF15DFA898C51EDBFB46F2A300B1985DAD8859F247C674C948CB65

Function 0009406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,0009449E,?,?,00000000,00000001), ref: 0009407B
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,0009449E,?,?,00000000,00000001), ref: 00094092
LoadResource.KERNEL32(?,00000000,?,?,0009449E,?,?,00000000,00000001,?,?,?,?,?,?,000941FB), ref: 00104F1A
SizeofResource.KERNEL32(?,00000000,?,?,0009449E,?,?,00000000,00000001,?,?,?,?,?,?,000941FB), ref: 00104F2F
LockResource.KERNEL32(0009449E,?,?,0009449E,?,?,00000000,00000001,?,?,?,?,?,?,000941FB,00000000), ref: 00104F42

Strings

SCRIPT, xrefs: 00094088

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 9e8b37c2506c825c6de44b79ee5a4292496701f35f91c42721d2dd9d747ae800
Instruction ID: a094afce667df806583b61d1f78b624bac200596707b9b37197fe01bcd5f682b
Opcode Fuzzy Hash: 9e8b37c2506c825c6de44b79ee5a4292496701f35f91c42721d2dd9d747ae800
Instruction Fuzzy Hash: 80118B70200701BFEB258B25EE48F677BB9EBC5B51F20812CF616C66A0DBB1DC41DA20

Function 000A3B70 Relevance: 2.2, Strings: 1, Instructions: 903COMMON

Download Yara Rule

Strings

@, xrefs: 000A4176

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID: @
API String ID: 3728558374-2766056989
Opcode ID: 57359ff80df6f4e34521acb718e23772ae6937f14108a6821e659a7e71caa640
Instruction ID: a0c38f9e70fcbbc96fe49d511adbfe42efb7131772e7258c99f721ddc6b1a8de
Opcode Fuzzy Hash: 57359ff80df6f4e34521acb718e23772ae6937f14108a6821e659a7e71caa640
Instruction Fuzzy Hash: 5172AD74E04209EFDF24DF94C481AEEB7B5EF4A300F14806AF945AB292D771AE45CB91

Function 000A3200 Relevance: 1.0, Instructions: 986COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: 7139f567e8170b75edbfba66d01e89259a27eacd3a5917c83eabeee18dc6e195
Instruction ID: 96dae9d8cbcca61ce8bd3c82a00f8a8d15025c42ae839106b8da00d81f44e33b
Opcode Fuzzy Hash: 7139f567e8170b75edbfba66d01e89259a27eacd3a5917c83eabeee18dc6e195
Instruction Fuzzy Hash: 689268706083419FD724DF58C490B6ABBE1BF8A304F14885DF99A8B3A2D771ED45CB92

Function 0009E8D0 Relevance: 49.8, APIs: 24, Strings: 4, Instructions: 816windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0009E959
timeGetTime.WINMM ref: 0009EBFA
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0009ED2E
TranslateMessage.USER32(?), ref: 0009ED3F
DispatchMessageW.USER32(?), ref: 0009ED4A
LockWindowUpdate.USER32(00000000), ref: 0009ED79
DestroyWindow.USER32 ref: 0009ED85
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0009ED9F
Sleep.KERNEL32(0000000A), ref: 00105270
TranslateMessage.USER32(?), ref: 001059F7
DispatchMessageW.USER32(?), ref: 00105A05
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00105A19

Strings

@GUI_CTRLID, xrefs: 00105314
@GUI_WINHANDLE, xrefs: 00105360
@GUI_CTRLHANDLE, xrefs: 001053AC
@TRAY_ID, xrefs: 001054C9

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 2641332412-570651680
Opcode ID: 2f4bf8ddac0eb3f3e31fc736d647911ef07c1249b44f9119d334ff136af6cd2b
Instruction ID: 62f4565f8dce95e59a72775b95fdcbebe8c51ac8bf7ac8ad6dc6a2ed0399f06f
Opcode Fuzzy Hash: 2f4bf8ddac0eb3f3e31fc736d647911ef07c1249b44f9119d334ff136af6cd2b
Instruction Fuzzy Hash: 4F62AF70508780DFEB24DF64C885BAA77E5BF44304F18496DF9868B2D2DBB19C84DB62

Function 000C5C78 Relevance: 47.9, APIs: 26, Strings: 1, Instructions: 626fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

___createFile.LIBCMT ref: 000C5EC3
___createFile.LIBCMT ref: 000C5F04
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 000C5F2D
__dosmaperr.LIBCMT ref: 000C5F34
GetFileType.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 000C5F47
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 000C5F6A
__dosmaperr.LIBCMT ref: 000C5F73
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 000C5F7C
__set_osfhnd.LIBCMT ref: 000C5FAC
__lseeki64_nolock.LIBCMT ref: 000C6016
__close_nolock.LIBCMT ref: 000C603C
__chsize_nolock.LIBCMT ref: 000C606C
__lseeki64_nolock.LIBCMT ref: 000C607E
__lseeki64_nolock.LIBCMT ref: 000C6176
__lseeki64_nolock.LIBCMT ref: 000C618B
__close_nolock.LIBCMT ref: 000C61EB

Part of subcall function 000BEA9C: CloseHandle.KERNEL32(00000000,0013EEF4,00000000,?,000C6041,0013EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 000BEAEC
Part of subcall function 000BEA9C: GetLastError.KERNEL32(?,000C6041,0013EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 000BEAF6
Part of subcall function 000BEA9C: __free_osfhnd.LIBCMT ref: 000BEB03
Part of subcall function 000BEA9C: __dosmaperr.LIBCMT ref: 000BEB25

Part of subcall function 000B7C0E: __getptd_noexit.LIBCMT ref: 000B7C0E

__lseeki64_nolock.LIBCMT ref: 000C620D
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 000C6342
___createFile.LIBCMT ref: 000C6361
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 000C636E
__dosmaperr.LIBCMT ref: 000C6375
__free_osfhnd.LIBCMT ref: 000C6395
__invoke_watson.LIBCMT ref: 000C63C3
__wsopen_helper.LIBCMT ref: 000C63DD

Strings

@, xrefs: 000C5F98

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
String ID: @
API String ID: 3896587723-2766056989
Opcode ID: e2f1b4832f0f3b5ffc82ffed06750b70e3ff4dee153c27fb8b4f7ff4a6ea693b
Instruction ID: 51607f3911bcb2b9d9ab1add99240173bc42e3117355b1b193dd3d965d6d1e11
Opcode Fuzzy Hash: e2f1b4832f0f3b5ffc82ffed06750b70e3ff4dee153c27fb8b4f7ff4a6ea693b
Instruction Fuzzy Hash: C72226759006069FEB399F68CC45FFD7BA1EB44315F28422DE922AB2E2C7369D80C751

Function 000D6CE9 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 178
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileVersionInfoSizeW.KERNELBASE(?,?), ref: 000D6CFB
GetFileVersionInfoW.KERNELBASE(?,00000000,00000000,00000000,?,?), ref: 000D6D21
_wcscpy.LIBCMT ref: 000D6D4F
_wcscmp.LIBCMT ref: 000D6D5A
_wcscat.LIBCMT ref: 000D6D70
_wcsstr.LIBCMT ref: 000D6D7B
754B1560.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 000D6D97
_wcscat.LIBCMT ref: 000D6DE0
_wcscat.LIBCMT ref: 000D6DE7
_wcsncpy.LIBCMT ref: 000D6E12

Strings

\VarFileInfo\Translation, xrefs: 000D6D8F
%u.%u.%u.%u, xrefs: 000D6E75
StringFileInfo\, xrefs: 000D6D6A
DefaultLangCodepage, xrefs: 000D6DFA
04090000, xrefs: 000D6DCD

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$B1560Size_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 398981869-1459072770
Opcode ID: c7094795ae3e721c907badb06ae1efa4db63710f87e3930a1b41b81017840d50
Instruction ID: 0d47e47adaa76aa7d631d47c7413be940260e139dfb3af24194b231a23dfd03b
Opcode Fuzzy Hash: c7094795ae3e721c907badb06ae1efa4db63710f87e3930a1b41b81017840d50
Instruction Fuzzy Hash: 9441E672A00301BBEB10ABB4EC47EFF77BCDF45710F44002AF901A2293EB759A1196A1

Function 00093F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
registrywindowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00093F86
RegisterClassExW.USER32(00000030), ref: 00093FB0
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00093FC1
6FC833E0.COMCTL32(?), ref: 00093FDE
6FC92980.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00093FEE
LoadIconW.USER32(000000A9), ref: 00094004
6FC8C400.COMCTL32(000000FF,00000000), ref: 00094013

Strings

TaskbarCreated, xrefs: 00093FB6
+, xrefs: 00093F6F
0, xrefs: 00093F68
AutoIt v3 GUI, xrefs: 00093FA2

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Register$BrushC400C833C92980ClassClipboardColorFormatIconLoad
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 986776171-1005189915
Opcode ID: 12fd99c8bdbc86001bed0bba851dbac95757487c13fc84e7f63bde62a9d7a5a7
Instruction ID: 99a7b48965b717e7c134a9e1546c479c54513f3ac3c025d8aa90d1e925e856ea
Opcode Fuzzy Hash: 12fd99c8bdbc86001bed0bba851dbac95757487c13fc84e7f63bde62a9d7a5a7
Instruction Fuzzy Hash: 5B21C4B5900318EFDB01DFA4E989BCDBBB4FB08705F00821AFA15AA6A0D7B44584CF91

Function 00093E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00093E79
LoadCursorW.USER32(00000000,00007F00), ref: 00093E88
LoadIconW.USER32(00000063), ref: 00093E9E
LoadIconW.USER32(000000A4), ref: 00093EB0
LoadIconW.USER32(000000A2), ref: 00093EC2

Part of subcall function 00094024: LoadImageW.USER32(00090000,00000063,00000001,00000010,00000010,00000000), ref: 00094048

RegisterClassExW.USER32(?), ref: 00093F30

Part of subcall function 00093F53: GetSysColorBrush.USER32(0000000F), ref: 00093F86
Part of subcall function 00093F53: RegisterClassExW.USER32(00000030), ref: 00093FB0
Part of subcall function 00093F53: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00093FC1
Part of subcall function 00093F53: 6FC833E0.COMCTL32(?), ref: 00093FDE
Part of subcall function 00093F53: 6FC92980.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00093FEE
Part of subcall function 00093F53: LoadIconW.USER32(000000A9), ref: 00094004
Part of subcall function 00093F53: 6FC8C400.COMCTL32(000000FF,00000000), ref: 00094013

Strings

0, xrefs: 00093F02
#, xrefs: 00093F09
AutoIt v3, xrefs: 00093F1F

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Load$Icon$Register$BrushClassColor$C400C833C92980ClipboardCursorFormatImage
String ID: #$0$AutoIt v3
API String ID: 450519864-4155596026
Opcode ID: 5f206c0e0eb6bbce63eb96222462c98825163a6c2d3b174dcd7d7ca68215c9b5
Instruction ID: e60d3dad4500c6dfd8da7fabb1917cd5e17a72eb3b7b43e70cdd786017ad58a6
Opcode Fuzzy Hash: 5f206c0e0eb6bbce63eb96222462c98825163a6c2d3b174dcd7d7ca68215c9b5
Instruction Fuzzy Hash: 93213BB0D00304EBCB159FA9ED89B9DBBB5BB48315F00816AE214AA6A0D77546808F91

Function 000EDA0E Relevance: 11.1, APIs: 1, Strings: 5, Instructions: 621COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 000EDAD4

Strings

@, xrefs: 000EDB12
N, xrefs: 000EDAFD
OGN@, xrefs: 000EDF8F
GN@, xrefs: 000EDF89
H, xrefs: 000EDB19

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: __itow_s
String ID: @$GN@$H$N$OGN@
API String ID: 3653519197-213565942
Opcode ID: 3eacbd90f3b907f18d641a4df59830cf0eedb1049f5d2d6ab85c9f622ec59d93
Instruction ID: 4eef5d496fdc38b796935ba814e7f7ca298047d68a3821bfd949706bac2a967e
Opcode Fuzzy Hash: 3eacbd90f3b907f18d641a4df59830cf0eedb1049f5d2d6ab85c9f622ec59d93
Instruction Fuzzy Hash: 4F327171A04289AFDF24DFA5C880EEDB7F5FF18300F14846AE555AB292D771AD81CB50

Function 00092322 Relevance: 10.7, APIs: 3, Strings: 4, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000922A4: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 00092303

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 000925A1
CoInitialize.OLE32(00000000), ref: 00092618
CloseHandle.KERNEL32(00000000), ref: 0010503A

Strings

`, xrefs: 0009238E
hL, xrefs: 000923CD
H , xrefs: 00092398
pg, xrefs: 000924C1

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Handle$ClipboardCloseFormatInitializeRegister
String ID: H $`$hL$pg
API String ID: 458326420-3230344249
Opcode ID: 1ead212b206de2b546eba429feab7eb34a159814e8871acb0a44af1c9a91c9dd
Instruction ID: 1db860a1d8597934b551d52920e2cc828d22cdaf8c3d4d6ad15baa3ca4dceefd
Opcode Fuzzy Hash: 1ead212b206de2b546eba429feab7eb34a159814e8871acb0a44af1c9a91c9dd
Instruction Fuzzy Hash: 1D71EFB4901341FFC706EF6AA990794BBA4B759342BA0466ED41ADFF72DB700884CF15

Function 000949FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00094A1D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 001041DB
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0010421A
RegCloseKey.ADVAPI32(?), ref: 00104249

Strings

Include, xrefs: 001041D3, 00104212
Software\AutoIt v3\AutoIt, xrefs: 00094A13

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Include$Software\AutoIt v3\AutoIt
API String ID: 1586453840-614718249
Opcode ID: a876d591d132f1d702d3f1063df256fd9e1e99091a497b9d68d7b6a92619a5e9
Instruction ID: 5e681d45919a5adb2262eb6c64edebe9780e95608ebea424309c8b90b15a6438
Opcode Fuzzy Hash: a876d591d132f1d702d3f1063df256fd9e1e99091a497b9d68d7b6a92619a5e9
Instruction Fuzzy Hash: 04113DB1600119BFEB04ABA4EE86DFF7BBCEF09344F004059B506D6191EB70AE52AB50

Function 000936B8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 000936E6
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00093707
ShowWindow.USER32(00000000,?,?,?,?,00093AA3,?), ref: 0009371B
ShowWindow.USER32(00000000,?,?,?,?,00093AA3,?), ref: 00093724

Strings

edit, xrefs: 00093701
AutoIt v3, xrefs: 000936DE, 000936E3, 000936E4

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 4e53b5448f709af3d4a3e6f61629d8895d5966ed831cd2c09a17dc3194dbbfbc
Instruction ID: 1734881735aa88c383c1e7c56d599ecab30889c79eafaf7ccd37d0e5c1f34adc
Opcode Fuzzy Hash: 4e53b5448f709af3d4a3e6f61629d8895d5966ed831cd2c09a17dc3194dbbfbc
Instruction Fuzzy Hash: C0F0B775540390BAE7225B57BC08F673E7DE7C6F25B00411ABA04AA5E0C66508D5DAB0

Function 000951AF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0009522F
_wcscpy.LIBCMT ref: 00095283
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00095293
LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00103CB0

Strings

Line: , xrefs: 00103CD9

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memset_wcscpy
String ID: Line:
API String ID: 1053898822-1585850449
Opcode ID: f2be0b255e6d45b375b23fb2fe634bfbf0db6756195b51d3417a17ae7e140422
Instruction ID: 9eaec2b813350322fac1ef7a9d2c5c2a3f962c4693f7afb11ede5eb768ab7e2b
Opcode Fuzzy Hash: f2be0b255e6d45b375b23fb2fe634bfbf0db6756195b51d3417a17ae7e140422
Instruction Fuzzy Hash: 2B31E071008740AFDB26EB60EC42FDFB7D8AF44301F00451EF599960D2EB70A688DB92

Function 000DDAF6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNEL32(00000001), ref: 000DDB0A
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 000DDB5E
__swprintf.LIBCMT ref: 000DDB77
SetErrorMode.KERNEL32(00000000,00000001,00000000,0012DC00), ref: 000DDBB5

Strings

%lu, xrefs: 000DDB71

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: a8ee035b7ad3e4efa18ec8097818c2175d1e548f2da9d1579c286961b7ac4dbd
Instruction ID: c5e2ece7acfbe8d3c9925aad5faad5dece6061e5507bba1517c7cd7b8ad0a055
Opcode Fuzzy Hash: a8ee035b7ad3e4efa18ec8097818c2175d1e548f2da9d1579c286961b7ac4dbd
Instruction Fuzzy Hash: 5821B035A00208AFCB14EFA4DD85DEEBBB8EF49704B10406AF509E7352DB71EA41DB60

Function 00094139 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000941A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,000939FE,?,00000001), ref: 000941DB

_free.LIBCMT ref: 001036B7
_free.LIBCMT ref: 001036FE

Part of subcall function 0009C833: __wsplitpath.LIBCMT ref: 0009C93E
Part of subcall function 0009C833: _wcscpy.LIBCMT ref: 0009C953
Part of subcall function 0009C833: _wcscat.LIBCMT ref: 0009C968
Part of subcall function 0009C833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0009C978

Strings

Bad directive syntax error, xrefs: 001036E4
>>>AUTOIT SCRIPT<<<, xrefs: 00103491

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 805182592-1757145024
Opcode ID: bf82924032525a6aa629b1ac9143ee34cb4238b2db6ba7ae7fd0dbdf26deabb1
Instruction ID: c55e7e5649498eb54eb4c55e7aa0e6e4144d56aa24ccfea919b855f99e3afcd5
Opcode Fuzzy Hash: bf82924032525a6aa629b1ac9143ee34cb4238b2db6ba7ae7fd0dbdf26deabb1
Instruction Fuzzy Hash: 55919371910219AFCF04EFA4DC51DEDB7B8BF19310F10442AF466AB2D2DB719A45DB50

Function 00094A30 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00095374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00151148,?,000961FF,?,00000000,00000001,00000000), ref: 00095392

Part of subcall function 000949FB: RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00094A1D

_wcscat.LIBCMT ref: 00102D80
_wcscat.LIBCMT ref: 00102DB5

Strings

\, xrefs: 00102DA2
\Include\, xrefs: 00094B0A

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: _wcscat$FileModuleNameOpen
String ID: \$\Include\
API String ID: 3592542968-2640467822
Opcode ID: 564d82335585688596e3782bba2ec9832daec83f7ce5806e7a8903dfe257296d
Instruction ID: caa5785f4819abbbdf48a27e78d53c15381c7dadaeebc5b44ad1a8dea1efb566
Opcode Fuzzy Hash: 564d82335585688596e3782bba2ec9832daec83f7ce5806e7a8903dfe257296d
Instruction Fuzzy Hash: 8A51A173404740DBC704EFA5E9C18DBB7F4BF5A301B40452EF6849B6A2EB709A88CB52

Function 000B34AE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

__getstream.LIBCMT ref: 000B34FE

Part of subcall function 000B7C0E: __getptd_noexit.LIBCMT ref: 000B7C0E

@_EH4_CallFilterFunc@8.LIBCMT ref: 000B3539
__wopenfile.LIBCMT ref: 000B3549

Strings

<G, xrefs: 000B34CD, 000B34F0, 000B34FC

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
String ID: <G
API String ID: 1820251861-2138716496
Opcode ID: 117de48be5ee7300367d4fa784f0ead0a09f6819ccbbb79a7201d053bccb4754
Instruction ID: 43393e63ab54794133f2b3e53c33f57684a68135675e4cb0626332cdf9a84198
Opcode Fuzzy Hash: 117de48be5ee7300367d4fa784f0ead0a09f6819ccbbb79a7201d053bccb4754
Instruction Fuzzy Hash: BB11CA70A00206DFDB71BF748C426EE36E4EF45750B258529E419D7282EB34DE4197B1

Function 000AD298 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,000AD28B,SwapMouseButtons,00000004,?), ref: 000AD2BC
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,000AD28B,SwapMouseButtons,00000004,?,?,?,?,000AC865), ref: 000AD2DD
RegCloseKey.KERNEL32(00000000,?,?,000AD28B,SwapMouseButtons,00000004,?,?,?,?,000AC865), ref: 000AD2FF

Strings

Control Panel\Mouse, xrefs: 000AD2BA

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 9f1e5974ea70c6366257b40678c6d3b379d4b3e5b0af780c5de7ca25347713ab
Instruction ID: e6f29a5f0385bd31b497bb0078bd50482f077cd3d914e3000bf1a2eb8a8da602
Opcode Fuzzy Hash: 9f1e5974ea70c6366257b40678c6d3b379d4b3e5b0af780c5de7ca25347713ab
Instruction Fuzzy Hash: 1B112776611218BFDF208FA4DC84EEE7BB8EF49744B10856AB806D7510E671AE419B60

Function 000DC396 Relevance: 6.2, APIs: 4, Instructions: 154COMMON

Download Yara Rule

APIs

Part of subcall function 00094517: _fseek.LIBCMT ref: 0009452F

Part of subcall function 000DC56D: _wcscmp.LIBCMT ref: 000DC65D
Part of subcall function 000DC56D: _wcscmp.LIBCMT ref: 000DC670

_free.LIBCMT ref: 000DC4DD
_free.LIBCMT ref: 000DC4E4
_free.LIBCMT ref: 000DC54F

Part of subcall function 000B1C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,000B7A85), ref: 000B1CB1
Part of subcall function 000B1C9D: GetLastError.KERNEL32(00000000,?,000B7A85), ref: 000B1CC3

_free.LIBCMT ref: 000DC557

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: b1dea307d073de71f2e22dcc08edb3c50191e9812145a8ddd3b93ebd22d983e9
Instruction ID: e1bdbde246c2a33fc163cac71d8f249135287fb7785e8061957dce2e15482675
Opcode Fuzzy Hash: b1dea307d073de71f2e22dcc08edb3c50191e9812145a8ddd3b93ebd22d983e9
Instruction Fuzzy Hash: 6C5130B1904219AFDF159F64DC81BEEBBB9EF48300F10009EB259A7252DB715A80CF59

Function 000AEB83 Relevance: 6.1, APIs: 4, Instructions: 65timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000AEBB2

Part of subcall function 000951AF: _memset.LIBCMT ref: 0009522F
Part of subcall function 000951AF: _wcscpy.LIBCMT ref: 00095283
Part of subcall function 000951AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00095293

KillTimer.USER32(?,00000001,?,?), ref: 000AEC07
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 000AEC16
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00103C88

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: e124b6e1f4121ee8bf500fb874f774ab92897a07698657e90670b84b4700d953
Instruction ID: 6f0b3581a77e3326a26188599156ba6a968a87d82bb0ad86926276e3d05d8de9
Opcode Fuzzy Hash: e124b6e1f4121ee8bf500fb874f774ab92897a07698657e90670b84b4700d953
Instruction Fuzzy Hash: BC210A70504784AFF7379724CD59BEBBBEC9B01318F04048EE29A96182C3B02A85CB11

Function 000940E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00103725
7574D0D0.COMDLG32 ref: 0010376F

Part of subcall function 0009660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000953B1,?,?,000961FF,?,00000000,00000001,00000000), ref: 0009662F

Part of subcall function 000940A7: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 000940C6

Strings

X, xrefs: 0010373E

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: NamePath$7574FullLong_memset
String ID: X
API String ID: 3399031285-3081909835
Opcode ID: 2abba4d2bd53dbeaa65a6b2c121a82a8c91c4a64a2daa0bc9b385d8fd9c24118
Instruction ID: 7ec31a05098f19e4800be2c5591a42fe3d569e031380ddd5f3e17716beb3bfdd
Opcode Fuzzy Hash: 2abba4d2bd53dbeaa65a6b2c121a82a8c91c4a64a2daa0bc9b385d8fd9c24118
Instruction Fuzzy Hash: 8321A871A102589BCF11DF98DC45BDEBBF89F49304F004059E415B7281DBB45A899F65

Function 000EF8AE Relevance: 4.9, APIs: 3, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c42663dd055e9638037ad69846b33d9d6be7a299606e39fdfce328449ade4d9
Instruction ID: 79112326edf4dd4929b12825b39ef3993d4627f15237ec9e7e77d8c77b855738
Opcode Fuzzy Hash: 4c42663dd055e9638037ad69846b33d9d6be7a299606e39fdfce328449ade4d9
Instruction Fuzzy Hash: 64F16D716083429FCB14DF25C881BAEB7E5BF88314F14892EF9959B392D771E905CB82

Function 00094FFC Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00095022
Shell_NotifyIconW.SHELL32(00000000,?), ref: 000950CB

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: IconNotifyShell__memset
String ID:
API String ID: 928536360-0
Opcode ID: 7609abd466d8cff66b340315028ea4ba6cc78035c7f765a6f7f2d3bfc9ca8ce2
Instruction ID: 3c648499732931892c8b40c84228d05b1a72bb62ea31672d306776f2dd4c481e
Opcode Fuzzy Hash: 7609abd466d8cff66b340315028ea4ba6cc78035c7f765a6f7f2d3bfc9ca8ce2
Instruction Fuzzy Hash: E13180B0504B01DFD762DF25D84569BBBE8FF8830AF00092EF59A86641E771A984CB92

Function 000B395C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 000B3973

Part of subcall function 000B81C2: __NMSG_WRITE.LIBCMT ref: 000B81E9
Part of subcall function 000B81C2: __NMSG_WRITE.LIBCMT ref: 000B81F3

__NMSG_WRITE.LIBCMT ref: 000B397A

Part of subcall function 000B821F: GetModuleFileNameW.KERNEL32(00000000,00150312,00000104,00000000,00000001,00000000), ref: 000B82B1
Part of subcall function 000B821F: ___crtMessageBoxW.LIBCMT ref: 000B835F

Part of subcall function 000B1145: ___crtCorExitProcess.LIBCMT ref: 000B114B
Part of subcall function 000B1145: ExitProcess.KERNEL32 ref: 000B1154

Part of subcall function 000B7C0E: __getptd_noexit.LIBCMT ref: 000B7C0E

RtlAllocateHeap.NTDLL(00DF0000,00000000,00000001,00000001,00000000,?,?,000AF507,?,0000000E), ref: 000B399F

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: d65c7e4cab76c617c4a9c4532216f01490745c43c70469c2cdac8acc154ffa7e
Instruction ID: e7710b631ecfa232bb9f9feba9d6d5eddacec091e73b5bf0ee32c67928ce4036
Opcode Fuzzy Hash: d65c7e4cab76c617c4a9c4532216f01490745c43c70469c2cdac8acc154ffa7e
Instruction Fuzzy Hash: D401F531385301DAE6663B68EC52BEE3388DB81724F70013DF509DB293DFB09D4086A0

Function 000DBB64 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 000DBB72

Part of subcall function 000B1C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,000B7A85), ref: 000B1CB1
Part of subcall function 000B1C9D: GetLastError.KERNEL32(00000000,?,000B7A85), ref: 000B1CC3

_free.LIBCMT ref: 000DBB83
_free.LIBCMT ref: 000DBB95

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8d6c99314b0704041c66cbc9d98ad607d1a0ae96d99a55b8255782f8bd4ba31d
Instruction ID: a3e918abfdd8f6995a4604b0ee878ccc042651807e0f79eaa5be54c4493c7df5
Opcode Fuzzy Hash: 8d6c99314b0704041c66cbc9d98ad607d1a0ae96d99a55b8255782f8bd4ba31d
Instruction Fuzzy Hash: CAE0C7B1200B0082CA20A638AE48EF327CC0F043A1B04080FB429E3283CF60E84088B8

Function 000DF967 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 000DF9D1

Strings

0.0.0.0, xrefs: 000DF9DF

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: _wcscmp
String ID: 0.0.0.0
API String ID: 856254489-3771769585
Opcode ID: 05b6997522a77b8843ac07bf8041ac3dbfc08cfcdca6671ddde183093e50a9e1
Instruction ID: 7db5414bd08d0fe2ead6fa230294156be8570bb41aafbb2b65e29c4faca8eb3f
Opcode Fuzzy Hash: 05b6997522a77b8843ac07bf8041ac3dbfc08cfcdca6671ddde183093e50a9e1
Instruction Fuzzy Hash: B611B235604305ABCF14DF58E592EADB3B5AB45710B10C06EF546AF392CA71EE41DB60

Function 000F0828 Relevance: 3.2, APIs: 2, Instructions: 232COMMON

Download Yara Rule

APIs

_strcat.LIBCMT ref: 000F08FD

Part of subcall function 0009936C: __swprintf.LIBCMT ref: 000993AB
Part of subcall function 0009936C: __itow.LIBCMT ref: 000993DF

_wcscpy.LIBCMT ref: 000F098C

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: __itow__swprintf_strcat_wcscpy
String ID:
API String ID: 1012013722-0
Opcode ID: 1500279ef9561e8b4463b41a3b5ea364ca557fc4797f026e9624efb04e5d1965
Instruction ID: b312d22805a83b436333fdd37361ca5f013f93dee958fef73b1736720a3e5896
Opcode Fuzzy Hash: 1500279ef9561e8b4463b41a3b5ea364ca557fc4797f026e9624efb04e5d1965
Instruction Fuzzy Hash: 1A914834A00609DFCB28DF28C4919ADB7E5FF59310B55806AE91A8F7A3DB31ED01DB81

Function 00093A0F Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

74D2C8D0.UXTHEME ref: 00093A73

Part of subcall function 000B1405: __lock.LIBCMT ref: 000B140B

Part of subcall function 00093ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00093AF3
Part of subcall function 00093ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00093B08

Part of subcall function 00093D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00093AA3,?), ref: 00093D45
Part of subcall function 00093D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00093AA3,?), ref: 00093D57
Part of subcall function 00093D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,00151148,00151130,?,?,?,?,00093AA3,?), ref: 00093DC8
Part of subcall function 00093D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00093AA3,?), ref: 00093E48

SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 00093AB3

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$DebuggerFullNamePathPresent__lock
String ID:
API String ID: 3809921791-0
Opcode ID: 1e19d2026dbafe7a4e8ff8413722b99e210804fdda71a8f0be5e7c6fd4a29734
Instruction ID: 7ae6e3d99ec6f721e5bf180da2da4cedfb7b4f6dc1a854eb5bc35fb1d78994b7
Opcode Fuzzy Hash: 1e19d2026dbafe7a4e8ff8413722b99e210804fdda71a8f0be5e7c6fd4a29734
Instruction Fuzzy Hash: B4119071504341EFC701EF69EC45A8EBBE8FB95721F00891EF5848B6A2DB709584CF92

Function 000BE9D2 Relevance: 3.1, APIs: 2, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 000BEA29
__close_nolock.LIBCMT ref: 000BEA42

Part of subcall function 000B7BDA: __getptd_noexit.LIBCMT ref: 000B7BDA

Part of subcall function 000B7C0E: __getptd_noexit.LIBCMT ref: 000B7C0E

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle__close_nolock
String ID:
API String ID: 1046115767-0
Opcode ID: 8b327fcd5a44a0136ad0d44f862a0c257b64d384803121c31195fbcd9592a908
Instruction ID: 51e9e33c4595e162d6ac971c230febe4bdfc664791633b6bd8ef2175425b9ddb
Opcode Fuzzy Hash: 8b327fcd5a44a0136ad0d44f862a0c257b64d384803121c31195fbcd9592a908
Instruction Fuzzy Hash: 6D11A972505690CED722BF64C8417DC7AA56F82336F264344E4285F1F3CBB8AC408BA2

Function 000AF4EA Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 000B395C: __FF_MSGBANNER.LIBCMT ref: 000B3973
Part of subcall function 000B395C: __NMSG_WRITE.LIBCMT ref: 000B397A
Part of subcall function 000B395C: RtlAllocateHeap.NTDLL(00DF0000,00000000,00000001,00000001,00000000,?,?,000AF507,?,0000000E), ref: 000B399F

std::exception::exception.LIBCMT ref: 000AF51E
__CxxThrowException@8.LIBCMT ref: 000AF533

Part of subcall function 000B6805: RaiseException.KERNEL32(?,?,0000000E,00146A30,?,?,?,000AF538,0000000E,00146A30,?,00000001), ref: 000B6856

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 6574169aff35560cb16f6d203d85c1b8de98a746d9d5b530d59cda37262e9cc9
Instruction ID: 3474a1537683f6704f53046a9ac9f919240d83f26117c83ed6a8e1cd087ee5d6
Opcode Fuzzy Hash: 6574169aff35560cb16f6d203d85c1b8de98a746d9d5b530d59cda37262e9cc9
Instruction Fuzzy Hash: C7F0A43150421E67D704FFE8F9019EE77E89F05354F604135FA04A2182DFB1968487A6

Function 000B35E4 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000B7C0E: __getptd_noexit.LIBCMT ref: 000B7C0E

__lock_file.LIBCMT ref: 000B3629

Part of subcall function 000B4E1C: __lock.LIBCMT ref: 000B4E3F

__fclose_nolock.LIBCMT ref: 000B3634

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 314f0ca3e78c2bb340c91027c6105a537e4ae3ee12e73437028141b9153d90a0
Instruction ID: ce00a30a606ef05fa9bd1a899a8eb3378018d86b6d304d3a935286fda32617e4
Opcode Fuzzy Hash: 314f0ca3e78c2bb340c91027c6105a537e4ae3ee12e73437028141b9153d90a0
Instruction Fuzzy Hash: D2F0B431941A04AADB217B6588027EE7BE06F51334F35C108E424BB2D3CB7C9B019F56

Function 000AE8A2 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 000AE8BE

Part of subcall function 0009E8D0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0009E959

Sleep.KERNEL32(00000000), ref: 00106C27

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: MessagePeekSleepTimetime
String ID:
API String ID: 1792118007-0
Opcode ID: 76e45683ce10205ec554d3e86d1ce973fdd54f1283d141c4f1c6807263e2d11d
Instruction ID: c566d402088a4c26c4c0524141f3a3843f24bd8063ff26d62dd04e17a1666f8a
Opcode Fuzzy Hash: 76e45683ce10205ec554d3e86d1ce973fdd54f1283d141c4f1c6807263e2d11d
Instruction Fuzzy Hash: EAF0EC302002049FC354EFA8D805B96BBE9FF18791F00042AF81EC7291CBB0A800EB90

Function 00093847 Relevance: 3.0, APIs: 2, Instructions: 24windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00093873
Shell_NotifyIconW.SHELL32(00000002,?), ref: 000938A3

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: IconNotifyShell__memset
String ID:
API String ID: 928536360-0
Opcode ID: 39ddb6c10859be80e82b32a311acdbb0c1d470fd600ead3df44bd6e2ff549c68
Instruction ID: e4d36229fa147035c73cfaaec9d8ed43293836a951b2be559fa9d037cdf371cc
Opcode Fuzzy Hash: 39ddb6c10859be80e82b32a311acdbb0c1d470fd600ead3df44bd6e2ff549c68
Instruction Fuzzy Hash: 07F012709043489FD753DB64DC057D67BACAB0030CF0001A5A6499A596D77097C4CF55

Function 0009E8A0 Relevance: 1.7, APIs: 1, Instructions: 210windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0009E959

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: f794a2d539def1ff9363c3d24c38dee43d234604a6fba6cd1a93cb50047bd856
Instruction ID: daf2cd6f8888d8f268c50e8d0c36d19856c20b5dc9617335f166a695c3a12fac
Opcode Fuzzy Hash: f794a2d539def1ff9363c3d24c38dee43d234604a6fba6cd1a93cb50047bd856
Instruction Fuzzy Hash: FA81B5718087C09FEF26CF24C4857AA7BD1BB56304F08497AD8C58B2A2E3B59C85DF52

Function 000F040F Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 000F0519

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 71ea99dbe1fcca3e5bd23dadb32d845b59114fac13b9bc1266ec42f7503bf0c7
Instruction ID: 30d2bd8431f4bff4809fb61eaad94beea1599423f82008693e1a69a3d27f8e0d
Opcode Fuzzy Hash: 71ea99dbe1fcca3e5bd23dadb32d845b59114fac13b9bc1266ec42f7503bf0c7
Instruction Fuzzy Hash: D031D075200A28DFCF11AF00C4806BEBBB0FF49720F10845AEA951B783E7B4A905DF81

Function 00109A75 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00109A80

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 8325e24c7d4c77ed0658267bfc5cef97f9591682b99337c095d038f2dfc69914
Instruction ID: 0565f009fd45646777bbae5c0ed2e18057480c4389f4edbd53fd9559a5f5705f
Opcode Fuzzy Hash: 8325e24c7d4c77ed0658267bfc5cef97f9591682b99337c095d038f2dfc69914
Instruction Fuzzy Hash: 91415C74504651CFDB24CF68C484B1ABBE1BF86314F1989ACE99A4B362C372F885CF52

Function 000941A9 Relevance: 1.6, APIs: 1, Instructions: 63libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00094214: FreeLibrary.KERNEL32(00000000,?), ref: 00094247

LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,000939FE,?,00000001), ref: 000941DB

Part of subcall function 00094291: FreeLibrary.KERNEL32(00000000), ref: 000942C4

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Library$Free$Load
String ID:
API String ID: 2391024519-0
Opcode ID: c5e97cddf464207ce78670bf95b64f5a68510badd528ee304eef699b07f43b4a
Instruction ID: c11b1087c52bf658fd1a7df093e52c6326a27c10f02c6a1ce4b5fe2121fe2388
Opcode Fuzzy Hash: c5e97cddf464207ce78670bf95b64f5a68510badd528ee304eef699b07f43b4a
Instruction Fuzzy Hash: E211A331600306ABDF24AB74DD06FDE77E9AF40704F508429F996AA1C2DB709A06AB60

Function 00109B45 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00109B51

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 29f208ecf4db4a8eff3f7676f517177e82304a75740d04fade9617aed8f461ce
Instruction ID: a0ac5749620e8b1ce9c4053dae629c87bc6afa08d98da0904e3dd09a26fe8e34
Opcode Fuzzy Hash: 29f208ecf4db4a8eff3f7676f517177e82304a75740d04fade9617aed8f461ce
Instruction Fuzzy Hash: 7F216970508705CFDB24DFA4C444B6ABBE1BF86304F14496CE6964B662C772F845CF52

Function 000F11F4 Relevance: 1.6, APIs: 1, Instructions: 57libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?), ref: 000F120F

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7afa4acc564429bd6de53d8de01d8f7da7f764e0e577c8c1c0b778b6ba56dab8
Instruction ID: ac71de67eaa71d59a9d7ec7c2a9a9439107bb1c5fe7c2cdddb10f4860a7e44c2
Opcode Fuzzy Hash: 7afa4acc564429bd6de53d8de01d8f7da7f764e0e577c8c1c0b778b6ba56dab8
Instruction Fuzzy Hash: 6711C136201218DFDF54DF98C4809ED77E6FF59320B05816AED55CB752CB30AD409B91

Function 000939DB Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e908df7db2011151d19b897d4a4948494f90a1a3426dd436a38c65c5f4b6a17e
Instruction ID: de0b0c79db38c661d798380570bdc5f869419a4a39e47a75a9e4bf4f6701029f
Opcode Fuzzy Hash: e908df7db2011151d19b897d4a4948494f90a1a3426dd436a38c65c5f4b6a17e
Instruction Fuzzy Hash: FC01313150110EAECF05EFA4C892CEEBB74AF21344F50802AF566971A6EA309A49DF60

Function 00094252 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,?,?,000939FE,?,00000001), ref: 00094286

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: af2023e15a51dbef78c10a67dfe975d26bc3ecd731b9787ade4040b4cc243c8d
Instruction ID: 7f6514e2b966230ad1643a0bc27ba652457fb53fc53044d9914f7563ffa86051
Opcode Fuzzy Hash: af2023e15a51dbef78c10a67dfe975d26bc3ecd731b9787ade4040b4cc243c8d
Instruction Fuzzy Hash: 97F03971505712DFCF749F64E890C56BBE4BF043253658A3EF1D682610C732A980EF50

Function 000940A7 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 000940C6

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: f77e571338a4cefec2984db1abdb367c32912bdd3eaa786591c45f4e76107c7e
Instruction ID: a85bf852ef09158765d4f6c481eb360d5490582483a580a3001e35a65bfee676
Opcode Fuzzy Hash: f77e571338a4cefec2984db1abdb367c32912bdd3eaa786591c45f4e76107c7e
Instruction Fuzzy Hash: 20E072326002282BCB11A258CC42FFA33ACDF886A0F0900B1F908E3204DE64A9C08A90

Function 0010AE4A Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32 ref: 0010AE5C

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 05b1819ede3f5b271a11b2b0d251f0876a6f99f9111ca7d2831d128ee40d4d53
Instruction ID: 46a6356a425032fc1d0be23493f7a1d1393731b50a9b10154cfbdbce119b4e5a
Opcode Fuzzy Hash: 05b1819ede3f5b271a11b2b0d251f0876a6f99f9111ca7d2831d128ee40d4d53
Instruction Fuzzy Hash: 84C04CB140111D9FD755CBC0DA449EE77BCAB04301F114051D145F2150D7709B849B62

Non-executed Functions

Function 000FF7FF Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 630windowkeyboardnativeCOMMON

Download Yara Rule

APIs

Part of subcall function 000AB34E: GetWindowLongW.USER32(?,000000EB), ref: 000AB35F

NtdllDialogWndProc_W.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 000FF87D
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 000FF8DC
GetWindowLongW.USER32(?,000000F0), ref: 000FF919
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 000FF940
SendMessageW.USER32 ref: 000FF966
_wcsncpy.LIBCMT ref: 000FF9D2
GetKeyState.USER32(00000011), ref: 000FF9F3
GetKeyState.USER32(00000009), ref: 000FFA00
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 000FFA16
GetKeyState.USER32(00000010), ref: 000FFA20
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 000FFA4F
SendMessageW.USER32 ref: 000FFA72
SendMessageW.USER32(?,00001030,?,000FE059), ref: 000FFB6F
6FCFCB00.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 000FFB85
6FCFC2F0.COMCTL32(00000000,000000F8,000000F0), ref: 000FFB96
SetCapture.USER32(?), ref: 000FFB9F
ClientToScreen.USER32(?,?), ref: 000FFC03
6FCFC530.COMCTL32(00000000,?,?), ref: 000FFC0F
InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 000FFC29
ReleaseCapture.USER32 ref: 000FFC34
GetCursorPos.USER32(?), ref: 000FFC69
ScreenToClient.USER32(?,?), ref: 000FFC76
SendMessageW.USER32(?,00001012,00000000,?), ref: 000FFCD8
SendMessageW.USER32 ref: 000FFD02
SendMessageW.USER32(?,00001111,00000000,?), ref: 000FFD41
SendMessageW.USER32 ref: 000FFD6C
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 000FFD84
SendMessageW.USER32(?,0000110B,00000009,?), ref: 000FFD8F
GetCursorPos.USER32(?), ref: 000FFDB0
ScreenToClient.USER32(?,?), ref: 000FFDBD
GetParent.USER32(?), ref: 000FFDD9
SendMessageW.USER32(?,00001012,00000000,?), ref: 000FFE3F
SendMessageW.USER32 ref: 000FFE6F
ClientToScreen.USER32(?,?), ref: 000FFEC5
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 000FFEF1
SendMessageW.USER32(?,00001111,00000000,?), ref: 000FFF19
SendMessageW.USER32 ref: 000FFF3C
ClientToScreen.USER32(?,?), ref: 000FFF86
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 000FFFB6
GetWindowLongW.USER32(?,000000F0), ref: 0010004B

Strings

F, xrefs: 000FFF42
@GUI_DRAGID, xrefs: 000FFBCC
8k, xrefs: 000FFB37

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$LongStateWindow$CaptureCursorMenuPopupTrack$C530DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
String ID: 8k$@GUI_DRAGID$F
API String ID: 769010159-2369311935
Opcode ID: 0b265cc6b49346a6e55d138589ffb3507a073fd5bc7dbb1f2de3d301bdfa2848
Instruction ID: 9846f33a8e1d999096639c6d1fa4f2a093ad7e0f16b64b545b958c33ddf5e0e4
Opcode Fuzzy Hash: 0b265cc6b49346a6e55d138589ffb3507a073fd5bc7dbb1f2de3d301bdfa2848
Instruction Fuzzy Hash: AA32DC7160434AEFDB21DF24C880BBABBE5BF49384F140629F69587AA1CB70DC41EB51

Function 000FAACE Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 574windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 000FB1CD

Strings

%d/%02d/%02d, xrefs: 000FAEFC

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: 08acbb7a539e4d7333a7dbb7ebfcd4046d46513485c62e7ea6dcb314654fd509
Instruction ID: 70e177a3c79b0b907e6923720c3dc7f05e29d6df9b8c7b2660e64316de990a76
Opcode Fuzzy Hash: 08acbb7a539e4d7333a7dbb7ebfcd4046d46513485c62e7ea6dcb314654fd509
Instruction Fuzzy Hash: 0712BDB1600218ABEB258F64DC49FFE7BF8FF4A310F108129FA199A6D1DB748941DB51

Function 000AEB42 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000), ref: 000AEB4A
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00103AEA
IsIconic.USER32(000000FF), ref: 00103AF3
ShowWindow.USER32(000000FF,00000009), ref: 00103B00
SetForegroundWindow.USER32(000000FF), ref: 00103B0A
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00103B20
GetCurrentThreadId.KERNEL32 ref: 00103B27
GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 00103B33
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00103B44
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00103B4C
AttachThreadInput.USER32(00000000,?,00000001), ref: 00103B54
SetForegroundWindow.USER32(000000FF), ref: 00103B57
MapVirtualKeyW.USER32(00000012,00000000), ref: 00103B6C
keybd_event.USER32(00000012,00000000), ref: 00103B77
MapVirtualKeyW.USER32(00000012,00000000), ref: 00103B81
keybd_event.USER32(00000012,00000000), ref: 00103B86
MapVirtualKeyW.USER32(00000012,00000000), ref: 00103B8F
keybd_event.USER32(00000012,00000000), ref: 00103B94
MapVirtualKeyW.USER32(00000012,00000000), ref: 00103B9E
keybd_event.USER32(00000012,00000000), ref: 00103BA3
SetForegroundWindow.USER32(000000FF), ref: 00103BA6
AttachThreadInput.USER32(000000FF,?,00000000), ref: 00103BCD

Strings

Shell_TrayWnd, xrefs: 00103AE5

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 7c77a370eec8ccbe7f07637a3d7734c043e942ab8891721bac5c5c716d9da1ee
Instruction ID: c47094066fa918bce8f4283c10e567ae0719016aedfc3d8f65ae19c54dbf0c47
Opcode Fuzzy Hash: 7c77a370eec8ccbe7f07637a3d7734c043e942ab8891721bac5c5c716d9da1ee
Instruction Fuzzy Hash: 0231B271A40218BBEB342BA59D4AFBF7E7DEB44B54F118015FA05EA1D0D7B05D40EAA0

Function 000D60DD Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 174filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 000D6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,000D5FA6,?), ref: 000D6ED8

Part of subcall function 000D6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,000D5FA6,?), ref: 000D6EF1

Part of subcall function 000D725E: __wsplitpath.LIBCMT ref: 000D727B
Part of subcall function 000D725E: __wsplitpath.LIBCMT ref: 000D728E

Part of subcall function 000D72CB: GetFileAttributesW.KERNEL32(?,000D6019), ref: 000D72CC

_wcscat.LIBCMT ref: 000D6149
_wcscat.LIBCMT ref: 000D6167
__wsplitpath.LIBCMT ref: 000D618E
FindFirstFileW.KERNEL32(?,?), ref: 000D61A4
_wcscpy.LIBCMT ref: 000D6209
_wcscat.LIBCMT ref: 000D621C
_wcscat.LIBCMT ref: 000D622F
lstrcmpiW.KERNEL32(?,?), ref: 000D625D
DeleteFileW.KERNEL32(?), ref: 000D626E
MoveFileW.KERNEL32(?,?), ref: 000D6289
MoveFileW.KERNEL32(?,?), ref: 000D6298
CopyFileW.KERNEL32(?,?,00000000), ref: 000D62AD
DeleteFileW.KERNEL32(?), ref: 000D62BE
FindNextFileW.KERNEL32(00000000,00000010), ref: 000D62E1
FindClose.KERNEL32(00000000), ref: 000D62FD
FindClose.KERNEL32(00000000), ref: 000D630B

Strings

p1Mw`KNw, xrefs: 000D61BA
\*.*, xrefs: 000D6138, 000D6147, 000D6165

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
String ID: \*.*$p1Mw`KNw
API String ID: 1917200108-2160596699
Opcode ID: 64289b104f2c52f0f208d772a5b8f8ed55f6fdda996e801daf8146201f6f9345
Instruction ID: 3d6b0e05c8517597e3394f1aa2afd6fecca1e798a23c063bb141951da2c90d45
Opcode Fuzzy Hash: 64289b104f2c52f0f208d772a5b8f8ed55f6fdda996e801daf8146201f6f9345
Instruction Fuzzy Hash: 44512F7280821C6ACB21EB91DC45DEFB7FCAF05300F0941E6E595E2142EF7697898FA4

Function 000E6B0C Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0012DC00), ref: 000E6B36
IsClipboardFormatAvailable.USER32(0000000D), ref: 000E6B44
GetClipboardData.USER32(0000000D), ref: 000E6B4C
CloseClipboard.USER32 ref: 000E6B58
GlobalLock.KERNEL32(00000000), ref: 000E6B74
CloseClipboard.USER32 ref: 000E6B7E
GlobalUnlock.KERNEL32(00000000), ref: 000E6B93
IsClipboardFormatAvailable.USER32(00000001), ref: 000E6BA0
GetClipboardData.USER32(00000001), ref: 000E6BA8
GlobalLock.KERNEL32(00000000), ref: 000E6BB5
GlobalUnlock.KERNEL32(00000000), ref: 000E6BE9
CloseClipboard.USER32 ref: 000E6CF6

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: c8effead5a0069552a25c6b3be319ffb17e9620c969611720760fb56e646af9d
Instruction ID: c22eadd15c3224e83dd3364f88e0a0d7edba8baf32f060af289b4f1e77b2a19d
Opcode Fuzzy Hash: c8effead5a0069552a25c6b3be319ffb17e9620c969611720760fb56e646af9d
Instruction Fuzzy Hash: C251DF31200241AFD714AF61EE46FBE73A8AF94B51F004029F656E31D2DF71E845CB62

Function 000DF5FA Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 278timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 000DF62B
FindClose.KERNEL32(00000000), ref: 000DF67F
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 000DF6A4
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 000DF6BB
FileTimeToSystemTime.KERNEL32(?,?), ref: 000DF6E2
__swprintf.LIBCMT ref: 000DF72E
__swprintf.LIBCMT ref: 000DF767
__swprintf.LIBCMT ref: 000DF7BB

Part of subcall function 000B172B: __woutput_l.LIBCMT ref: 000B1784

__swprintf.LIBCMT ref: 000DF809
__swprintf.LIBCMT ref: 000DF858
__swprintf.LIBCMT ref: 000DF8A7
__swprintf.LIBCMT ref: 000DF8F6

Strings

%4d, xrefs: 000DF761
%02d, xrefs: 000DF7B0, 000DF7B9, 000DF807, 000DF856, 000DF8A5, 000DF8F4
%4d%02d%02d%02d%02d%02d, xrefs: 000DF728

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 835046349-2428617273
Opcode ID: bf059df5fb6c1664cac365c87cde9480d0262c4889fba454166e6a888e75a3ec
Instruction ID: 29b0587addc7d8fce9be6f93a1280ee9c850c5c745182dd0a512f7ef3ce42ed9
Opcode Fuzzy Hash: bf059df5fb6c1664cac365c87cde9480d0262c4889fba454166e6a888e75a3ec
Instruction Fuzzy Hash: C7A151B2408344ABD710EBA4C892DEFB7ECAF99700F44482EF595C3152EB34D949DB62

Function 000E1B2F Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 000E1B50
_wcscmp.LIBCMT ref: 000E1B65
_wcscmp.LIBCMT ref: 000E1B7C
GetFileAttributesW.KERNEL32(?), ref: 000E1B8E
SetFileAttributesW.KERNEL32(?,?), ref: 000E1BA8
FindNextFileW.KERNEL32(00000000,?), ref: 000E1BC0
FindClose.KERNEL32(00000000), ref: 000E1BCB
FindFirstFileW.KERNEL32(*.*,?), ref: 000E1BE7
_wcscmp.LIBCMT ref: 000E1C0E
_wcscmp.LIBCMT ref: 000E1C25
SetCurrentDirectoryW.KERNEL32(?), ref: 000E1C37
SetCurrentDirectoryW.KERNEL32(001439FC), ref: 000E1C55
FindNextFileW.KERNEL32(00000000,00000010), ref: 000E1C5F
FindClose.KERNEL32(00000000), ref: 000E1C6C
FindClose.KERNEL32(00000000), ref: 000E1C7C

Strings

*.*, xrefs: 000E1BE2

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 65d27d8da032f53a78d3dd6f64e00a705204145b43995cc00ade041cbe744034
Instruction ID: 71745f500bd9d125834ce1cccb45c02e29f4f5fd130ce3eb5c05cdc58de649f8
Opcode Fuzzy Hash: 65d27d8da032f53a78d3dd6f64e00a705204145b43995cc00ade041cbe744034
Instruction Fuzzy Hash: CF31D532540259BFDF24AFB1EC49ADE77ECAF05320F204196E911E3090EB70DB858B64

Function 000FF351 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 178windowfilenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 000AB34E: GetWindowLongW.USER32(?,000000EB), ref: 000AB35F

DragQueryPoint.SHELL32(?,?), ref: 000FF37A

Part of subcall function 000FD7DE: ClientToScreen.USER32(?,?), ref: 000FD807
Part of subcall function 000FD7DE: GetWindowRect.USER32(?,?), ref: 000FD87D
Part of subcall function 000FD7DE: PtInRect.USER32(?,?,000FED5A), ref: 000FD88D

SendMessageW.USER32(?,000000B0,?,?), ref: 000FF3E3
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 000FF3EE
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 000FF411
_wcscat.LIBCMT ref: 000FF441
SendMessageW.USER32(?,000000C2,00000001,?), ref: 000FF458
SendMessageW.USER32(?,000000B0,?,?), ref: 000FF471
SendMessageW.USER32(?,000000B1,?,?), ref: 000FF488
SendMessageW.USER32(?,000000B1,?,?), ref: 000FF4AA
DragFinish.SHELL32(?), ref: 000FF4B1
NtdllDialogWndProc_W.USER32(?,00000233,?,00000000,?,?,?), ref: 000FF59C

Strings

@GUI_DRAGFILE, xrefs: 000FF54B
@GUI_DROPID, xrefs: 000FF4D1
@GUI_DRAGID, xrefs: 000FF510

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 2166380349-3440237614
Opcode ID: d5f63b97a9936c9be86a0560318f9ca6158313930552644f9b148acecedb10d8
Instruction ID: 3d03bc3e4743b1d5a4ab95bf7930be595c6136398dfbe38c5e5e442ce63cce16
Opcode Fuzzy Hash: d5f63b97a9936c9be86a0560318f9ca6158313930552644f9b148acecedb10d8
Instruction Fuzzy Hash: CE618B71008305AFC701EF60DC85EAFBBF8AF89710F004A1EF695925A2DB709A49DB52

Function 000E1C8A Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 000E1CAB
_wcscmp.LIBCMT ref: 000E1CC0
_wcscmp.LIBCMT ref: 000E1CD7

Part of subcall function 000D6BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 000D6BEF

FindNextFileW.KERNEL32(00000000,?), ref: 000E1D06
FindClose.KERNEL32(00000000), ref: 000E1D11
FindFirstFileW.KERNEL32(*.*,?), ref: 000E1D2D
_wcscmp.LIBCMT ref: 000E1D54
_wcscmp.LIBCMT ref: 000E1D6B
SetCurrentDirectoryW.KERNEL32(?), ref: 000E1D7D
SetCurrentDirectoryW.KERNEL32(001439FC), ref: 000E1D9B
FindNextFileW.KERNEL32(00000000,00000010), ref: 000E1DA5
FindClose.KERNEL32(00000000), ref: 000E1DB2
FindClose.KERNEL32(00000000), ref: 000E1DC2

Strings

*.*, xrefs: 000E1D28

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 17e46ddd43b4b8fe687bec87e760abccbbf111032c2b061aaa9cd867e5deb0c2
Instruction ID: 671e49f2b562de72257b1a37bd2d7017bb8ed4c7d87c7cb2598c75a56dd4ad79
Opcode Fuzzy Hash: 17e46ddd43b4b8fe687bec87e760abccbbf111032c2b061aaa9cd867e5deb0c2
Instruction Fuzzy Hash: C731023250465ABECF24ABA1EC09EDE77EDAF45324F204591E811F31A1DB70DB85CB60

Function 000E091D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 000E09DF
SystemTimeToFileTime.KERNEL32(?,?), ref: 000E09EF
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 000E09FB
__wsplitpath.LIBCMT ref: 000E0A59
_wcscat.LIBCMT ref: 000E0A71
_wcscat.LIBCMT ref: 000E0A83
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 000E0A98
SetCurrentDirectoryW.KERNEL32(?), ref: 000E0AAC
SetCurrentDirectoryW.KERNEL32(?), ref: 000E0ADE
SetCurrentDirectoryW.KERNEL32(?), ref: 000E0AFF
_wcscpy.LIBCMT ref: 000E0B0B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 000E0B4A

Strings

*.*, xrefs: 000E0B05

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 8a4635b49c3f670c7baa36ef095a4ae3a9e8ffe13f13046d9d2ee7c33e817aa5
Instruction ID: a608379c55603634800eb8008b8985c8cc884ccca150c536bd3d48905b92a2d3
Opcode Fuzzy Hash: 8a4635b49c3f670c7baa36ef095a4ae3a9e8ffe13f13046d9d2ee7c33e817aa5
Instruction Fuzzy Hash: 6B6179725043459FCB10EF60C8449EEB3E8FF89310F04892AF999D7252EB71E985CB92

Function 000BB043 Relevance: 21.5, APIs: 14, Instructions: 537COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ac09f5a4a1e3958fdebdfe4ac5ebe6b374cd44cde25dc8461b627b44f11a389
Instruction ID: 0f88fc3f625aae10d702e587dc8f6076bec9d2d58d95d397ecbe46bb5b2e5549
Opcode Fuzzy Hash: 4ac09f5a4a1e3958fdebdfe4ac5ebe6b374cd44cde25dc8461b627b44f11a389
Instruction Fuzzy Hash: 3B325975B022288FDB258F58DC85AE9B7F5FF4A310F5840D9E40AA7A91D7709E80CF52

Function 000FEEEB Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windownativeCOMMON

Download Yara Rule

APIs

Part of subcall function 000AB34E: GetWindowLongW.USER32(?,000000EB), ref: 000AB35F

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 000FEF3B
GetFocus.USER32 ref: 000FEF4B
GetDlgCtrlID.USER32(00000000), ref: 000FEF56
_memset.LIBCMT ref: 000FF081
GetMenuItemInfoW.USER32 ref: 000FF0AC
GetMenuItemCount.USER32(00000000), ref: 000FF0CC
GetMenuItemID.USER32(?,00000000), ref: 000FF0DF
GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 000FF113
GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 000FF15B
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 000FF193
NtdllDialogWndProc_W.USER32(?,00000111,?,?,?,?,?,?,?), ref: 000FF1C8

Strings

0, xrefs: 000FF079

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
String ID: 0
API String ID: 3616455698-4108050209
Opcode ID: 91420c5176cebed8e4ec34f605f2ed4489e5829b1e8198056d207ad4744f0f21
Instruction ID: 47483bcb3335bfbec044bad96a24d5186f947ba05a47c24f30cf434e88819c08
Opcode Fuzzy Hash: 91420c5176cebed8e4ec34f605f2ed4489e5829b1e8198056d207ad4744f0f21
Instruction Fuzzy Hash: 25819A7050430AAFD720CF14D884ABBBBE9FF88314F00492EFA9897692D770D945DB92

Function 000CA66C Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000CABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 000CABD7
Part of subcall function 000CABBB: GetLastError.KERNEL32(?,000CA69F,?,?,?), ref: 000CABE1
Part of subcall function 000CABBB: GetProcessHeap.KERNEL32(00000008,?,?,000CA69F,?,?,?), ref: 000CABF0
Part of subcall function 000CABBB: RtlAllocateHeap.KERNEL32(00000000,?,000CA69F,?,?,?), ref: 000CABF7
Part of subcall function 000CABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 000CAC0E

Part of subcall function 000CAC56: GetProcessHeap.KERNEL32(00000008,000CA6B5,00000000,00000000,?,000CA6B5,?), ref: 000CAC62
Part of subcall function 000CAC56: RtlAllocateHeap.KERNEL32(00000000,?,000CA6B5,?), ref: 000CAC69
Part of subcall function 000CAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,000CA6B5,?), ref: 000CAC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 000CA6D0
_memset.LIBCMT ref: 000CA6E5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 000CA704
GetLengthSid.ADVAPI32(?), ref: 000CA715
GetAce.ADVAPI32(?,00000000,?), ref: 000CA752
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 000CA76E
GetLengthSid.ADVAPI32(?), ref: 000CA78B
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 000CA79A
RtlAllocateHeap.KERNEL32(00000000), ref: 000CA7A1
GetLengthSid.ADVAPI32(?,00000008,?), ref: 000CA7C2
CopySid.ADVAPI32(00000000), ref: 000CA7C9
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 000CA7FA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 000CA820
SetUserObjectSecurity.USER32(?,00000004,?), ref: 000CA834

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 2347767575-0
Opcode ID: b0c98285b1d2fa1716d9602a3f94dafc400566e1f2e71895c59b8df8fcb58039
Instruction ID: 1f97902fdd1fe274f2b58c49b5fe41a290ce30d65228372655bfc8b1123c7f0a
Opcode Fuzzy Hash: b0c98285b1d2fa1716d9602a3f94dafc400566e1f2e71895c59b8df8fcb58039
Instruction Fuzzy Hash: A4515B71A0020AABDF04DFA4DD45EEEBBB9FF09304F048129F911A7291DB349A45CB61

Function 000D63F9 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 89fileCOMMON

Download Yara Rule

APIs

Part of subcall function 000D6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,000D5FA6,?), ref: 000D6ED8

Part of subcall function 000D72CB: GetFileAttributesW.KERNEL32(?,000D6019), ref: 000D72CC

_wcscat.LIBCMT ref: 000D6441
__wsplitpath.LIBCMT ref: 000D645F
FindFirstFileW.KERNEL32(?,?), ref: 000D6474
_wcscpy.LIBCMT ref: 000D64A3
_wcscat.LIBCMT ref: 000D64B8
_wcscat.LIBCMT ref: 000D64CA
DeleteFileW.KERNEL32(?), ref: 000D64DA
FindNextFileW.KERNEL32(00000000,00000010), ref: 000D64EB
FindClose.KERNEL32(00000000), ref: 000D6506

Strings

p1Mw`KNw, xrefs: 000D64DA
\*.*, xrefs: 000D643B

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
String ID: \*.*$p1Mw`KNw
API String ID: 2643075503-2160596699
Opcode ID: 53dd5ad05e66466559e6636fd363721b849e71abf2a0e54415e96177f4acc5c7
Instruction ID: bdb1aa437e058c5cb4f683f63cff55d64e64ea26c49f7219b59a9efa36ac756a
Opcode Fuzzy Hash: 53dd5ad05e66466559e6636fd363721b849e71abf2a0e54415e96177f4acc5c7
Instruction Fuzzy Hash: 4C3181B2408384AAC721DBA488859DFB7DCAF55310F44492BF5D9C3242EB36D54D87B7

Function 00096F07 Relevance: 18.4, Strings: 14, Instructions: 883COMMON

Download Yara Rule

Strings

BSR_UNICODE), xrefs: 00112EBA
ANYCRLF), xrefs: 00112E7D
CRLF), xrefs: 00112E43
NO_AUTO_POSSESS), xrefs: 00112CB0
ANY), xrefs: 00112E60
BSR_ANYCRLF), xrefs: 00112EA0
UTF), xrefs: 00112C7C
CR), xrefs: 00112E09
UCP), xrefs: 00112C8F
LIMIT_RECURSION=, xrefs: 00112D7E
LIMIT_MATCH=, xrefs: 00112CF2
UTF16), xrefs: 00112C56
LF), xrefs: 00112E26
NO_START_OPT), xrefs: 00112CD1

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: 3e6c5a48b7c69c9bb711c80a170d3df3caa74431fb72a4dd0354429dce266605
Instruction ID: bda80320b1c05c66e4f2e8bc2b4d0d59bf9edeab7fc82d26c4ea66fc07eaee7a
Opcode Fuzzy Hash: 3e6c5a48b7c69c9bb711c80a170d3df3caa74431fb72a4dd0354429dce266605
Instruction Fuzzy Hash: 22726271E14219DBDF28CF58D8407EEB7B5BF48310F14816AE919EB285EB709E81DB90

Function 000F31BC Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000F3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000F2BB5,?,?), ref: 000F3C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000F328E

Part of subcall function 0009936C: __swprintf.LIBCMT ref: 000993AB
Part of subcall function 0009936C: __itow.LIBCMT ref: 000993DF

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 000F332D
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 000F33C5
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 000F3604
RegCloseKey.ADVAPI32(00000000), ref: 000F3611

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 6654f5fa62c8423a93d94653e807d9cdefb80f989229542644f1d27cd7ff3f88
Instruction ID: 9e99585acaf42f27be0340bd022de622300cdcddbba727041d77b19d7492952f
Opcode Fuzzy Hash: 6654f5fa62c8423a93d94653e807d9cdefb80f989229542644f1d27cd7ff3f88
Instruction Fuzzy Hash: 55E16C31604204AFCB14DF68C991E6EBBE8EF89720F04846DF54AD7262DB31EE05DB51

Function 000D2B37 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 000D2B5F
GetAsyncKeyState.USER32(000000A0), ref: 000D2BE0
GetKeyState.USER32(000000A0), ref: 000D2BFB
GetAsyncKeyState.USER32(000000A1), ref: 000D2C15
GetKeyState.USER32(000000A1), ref: 000D2C2A
GetAsyncKeyState.USER32(00000011), ref: 000D2C42
GetKeyState.USER32(00000011), ref: 000D2C54
GetAsyncKeyState.USER32(00000012), ref: 000D2C6C
GetKeyState.USER32(00000012), ref: 000D2C7E
GetAsyncKeyState.USER32(0000005B), ref: 000D2C96
GetKeyState.USER32(0000005B), ref: 000D2CA8

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: f5810ffe4d0607808d5f81cbceed8d68c39f4af76acdf005add13de628b33bfe
Instruction ID: ab826d59287889165032eddfe7934b6303c87ec1442a29bd5b59511f831a835c
Opcode Fuzzy Hash: f5810ffe4d0607808d5f81cbceed8d68c39f4af76acdf005add13de628b33bfe
Instruction Fuzzy Hash: 0C41D330514BC96DFFB59B6089043AABEE16B31314F04909BD5C6567C2DBE49DC8C7B2

Function 000E6D07 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 000E6D2E
EmptyClipboard.USER32 ref: 000E6D34
GlobalAlloc.KERNEL32(00000002,?), ref: 000E6D49
CloseClipboard.USER32 ref: 000E6DE8

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: d205175d7a3094a539cc45899c07ab4d42652d3be6eebcde3cd74f8ea2002dc8
Instruction ID: bf1a5b931de350f434e750340d55023b17151ca74c7fd1840b3603f5ba9ab22e
Opcode Fuzzy Hash: d205175d7a3094a539cc45899c07ab4d42652d3be6eebcde3cd74f8ea2002dc8
Instruction Fuzzy Hash: 2721BF31700210AFDB15AF65ED49BAD77A8EF14761F00C01AF90ADB2A1DB31E840CB51

Function 000FECD4 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 000AB34E: GetWindowLongW.USER32(?,000000EB), ref: 000AB35F

Part of subcall function 000AB63C: GetCursorPos.USER32(000000FF), ref: 000AB64F
Part of subcall function 000AB63C: ScreenToClient.USER32(00000000,000000FF), ref: 000AB66C
Part of subcall function 000AB63C: GetAsyncKeyState.USER32(00000001), ref: 000AB691
Part of subcall function 000AB63C: GetAsyncKeyState.USER32(00000002), ref: 000AB69F

6FCFC580.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 000FED3C
6FCFC6F0.COMCTL32 ref: 000FED42
ReleaseCapture.USER32 ref: 000FED48
SetWindowTextW.USER32(?,00000000), ref: 000FEDF0
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 000FEE03
NtdllDialogWndProc_W.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 000FEEDC

Strings

@GUI_DRAGFILE, xrefs: 000FEE77
@GUI_DROPID, xrefs: 000FEE33

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: AsyncStateWindow$C580CaptureClientCursorDialogLongMessageNtdllProc_ReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 351792193-2107944366
Opcode ID: 60857c25b79c6fcf0f7f2d46351cb3af9dfafcf906d6eee24b9ec129d20f7413
Instruction ID: 48cc34fb40ff7adf37b38e0027067d4959412c4c123da326e57ddd81d8a49c87
Opcode Fuzzy Hash: 60857c25b79c6fcf0f7f2d46351cb3af9dfafcf906d6eee24b9ec129d20f7413
Instruction Fuzzy Hash: 1851CC70204304AFD714EF24EC96FAA77E5FB88314F00491DFA959B6E2DBB09948DB52

Function 000EC18C Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 232COMMON

Download Yara Rule

APIs

Part of subcall function 000C9ABF: CLSIDFromProgID.OLE32 ref: 000C9ADC
Part of subcall function 000C9ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 000C9AF7
Part of subcall function 000C9ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 000C9B05
Part of subcall function 000C9ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 000C9B15

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 000EC235
_memset.LIBCMT ref: 000EC242
_memset.LIBCMT ref: 000EC360
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 000EC38C
CoTaskMemFree.OLE32(?), ref: 000EC397

Strings

NULL Pointer assignment, xrefs: 000EC3E5

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 4de4df148266369713011db941b1ba7d43f3f7e90634cb3b69448521c1907222
Instruction ID: ac6399708f8e10efe8ddaf0d27e27837b838f82ae4b97b9f6d2f78b3612a5bf7
Opcode Fuzzy Hash: 4de4df148266369713011db941b1ba7d43f3f7e90634cb3b69448521c1907222
Instruction Fuzzy Hash: 1B912971D00218AFDB10DFA5DC91EDEBBB9AF08710F10816AF515B7292EB719A45CFA0

Function 000E1F94 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 000E1FE1
Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 000E2011
_wcscmp.LIBCMT ref: 000E2025
_wcscmp.LIBCMT ref: 000E2040
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 000E20DE
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 000E20F4

Strings

*.*, xrefs: 000E1FC3

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep
String ID: *.*
API String ID: 3356411064-438819550
Opcode ID: 76abffbadc39db1effd66bba115119bfd413397959c7ce16e8f8fc320a8b4279
Instruction ID: fecf6bd87485a46dbc5b6499d1e963cc3ef9bdfce95bfa82ec8690fa35c009e3
Opcode Fuzzy Hash: 76abffbadc39db1effd66bba115119bfd413397959c7ce16e8f8fc320a8b4279
Instruction Fuzzy Hash: C041CC7190029AAFDF65DFA5CC49BEEBBB8FF05314F104456E815B3192EB709A84CB90

Function 00100133 Relevance: 10.7, APIs: 7, Instructions: 245windownativeCOMMON

Download Yara Rule

APIs

Part of subcall function 000AB34E: GetWindowLongW.USER32(?,000000EB), ref: 000AB35F

GetSystemMetrics.USER32(0000000F), ref: 0010016D
MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 0010038D
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 001003AB
InvalidateRect.USER32(?,00000000,00000001,?), ref: 001003D6
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 001003FF
ShowWindow.USER32(00000003,00000000), ref: 00100421
NtdllDialogWndProc_W.USER32(?,00000005,?,?), ref: 00100440

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Window$MessageSend$DialogInvalidateLongMetricsMoveNtdllProc_RectShowSystem
String ID:
API String ID: 2922825909-0
Opcode ID: e44ee4ee2768e230d19da15a6cdb0f6927674e411b339733ba0748ee62486abe
Instruction ID: 554a0f424991c773433bdf75e3a9cd8bb13288a4a701aaea66ff9f3fe624c32e
Opcode Fuzzy Hash: e44ee4ee2768e230d19da15a6cdb0f6927674e411b339733ba0748ee62486abe
Instruction Fuzzy Hash: 3FA1C035600616EFDB1ACF68C9857FDBBB1BF08741F058115ED94AB290D7B4AD90CB90

Function 000D79D3 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 58shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 000CB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 000CB180
Part of subcall function 000CB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 000CB1AD
Part of subcall function 000CB134: GetLastError.KERNEL32 ref: 000CB1BA

ExitWindowsEx.USER32(?,00000000), ref: 000D7A0F

Strings

, xrefs: 000D79FD
SeShutdownPrivilege, xrefs: 000D79DD
@, xrefs: 000D7A02

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 5e45f28dedbd416f73c4299678c6bd17e249a17d4aa9ead126f24041cad1e893
Instruction ID: db9ff44b4963eb60582d27c74c64a7365fa3e0e9838d60e67147cd21c6e7b7c2
Opcode Fuzzy Hash: 5e45f28dedbd416f73c4299678c6bd17e249a17d4aa9ead126f24041cad1e893
Instruction Fuzzy Hash: 0A01D4716583216AE76826AC9C5ABFE73989B40344F144526FD1BA22D2F6A05E0081B2

Function 000E8C4F Relevance: 9.1, APIs: 6, Instructions: 83networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 000E8CA8
WSAGetLastError.WSOCK32(00000000), ref: 000E8CB7
bind.WSOCK32(00000000,?,00000010), ref: 000E8CD3
listen.WSOCK32(00000000,00000005), ref: 000E8CE2
WSAGetLastError.WSOCK32(00000000), ref: 000E8CFC
closesocket.WSOCK32(00000000,00000000), ref: 000E8D10

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 446eb58ca270ba78b192304fa4522838d9d7fd6f6da6d262bedb4aaef360df36
Instruction ID: 9ebfec1e37eb4f541c7fd855347d478e95c7dd48eb3076405fbabe51040972cd
Opcode Fuzzy Hash: 446eb58ca270ba78b192304fa4522838d9d7fd6f6da6d262bedb4aaef360df36
Instruction Fuzzy Hash: 4321A031600201AFCB14AF68DD45BAEB7E9EF49324F148159F91AA73E2CB30AD41DB61

Function 000CAF64 Relevance: 9.1, APIs: 6, Instructions: 73processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 000CAFAE
OpenProcessToken.ADVAPI32(00000000), ref: 000CAFB5
743B7ED0.USERENV(?,00000004,00000001), ref: 000CAFC4
CloseHandle.KERNEL32(00000004), ref: 000CAFCF
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 000CAFFE
743B7F30.USERENV(00000000), ref: 000CB012

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
String ID:
API String ID: 2621361867-0
Opcode ID: 74380b0a7fc8e008de6b68295f54708d6c865b3278a665183ee7f8b473562978
Instruction ID: 78410836f85eea3a4bbea8a54f7289f2122c6325e13e04cab699604e73de5df7
Opcode Fuzzy Hash: 74380b0a7fc8e008de6b68295f54708d6c865b3278a665183ee7f8b473562978
Instruction Fuzzy Hash: E821507220420DAFDF128FA4ED49FDE7BA9EF45308F148029F901A2161C3759D51DB61

Function 000D6532 Relevance: 9.1, APIs: 6, Instructions: 71processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 000D6554
Process32FirstW.KERNEL32(00000000,0000022C), ref: 000D6564
Process32NextW.KERNEL32(00000000,0000022C), ref: 000D6583
__wsplitpath.LIBCMT ref: 000D65A7
_wcscat.LIBCMT ref: 000D65BA
CloseHandle.KERNEL32(00000000,?,00000000), ref: 000D65F9

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
String ID:
API String ID: 1605983538-0
Opcode ID: 990fed770fa8348830cce125aa24fb5e64dddd9266346b90418474fcc5e2eb3b
Instruction ID: 23cfa5de6254600dbeb55a11e7d217c8d4b37eef16b413ecc546f914c61fbf60
Opcode Fuzzy Hash: 990fed770fa8348830cce125aa24fb5e64dddd9266346b90418474fcc5e2eb3b
Instruction Fuzzy Hash: 47215371900319ABDB21ABA4DD88BEEBBFCAB44300F5044E6E505D7245E7719FC5CB60

Function 000E923B Relevance: 7.6, APIs: 5, Instructions: 146networkCOMMON

Download Yara Rule

APIs

Part of subcall function 000EA82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 000EA84E

socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 000E9296
WSAGetLastError.WSOCK32(00000000,00000000), ref: 000E92B9

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: ErrorLastinet_addrsocket
String ID:
API String ID: 4170576061-0
Opcode ID: 383cc8a2c77f748864906050bc56d0e5aeba86c0f1cd2d594d14e7869ca2a798
Instruction ID: 63db1efb340a2ab987afd7bea5a5775e9fcc2298f353fdc4ca0a154c229f3a42
Opcode Fuzzy Hash: 383cc8a2c77f748864906050bc56d0e5aeba86c0f1cd2d594d14e7869ca2a798
Instruction Fuzzy Hash: 1341BF70600200AFDB14ABA8C842EBE77EDEF44724F04845CF956AB2D3DB759E418BA1

Function 000DEB60 Relevance: 7.6, APIs: 5, Instructions: 125fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 000DEB8A
_wcscmp.LIBCMT ref: 000DEBBA
_wcscmp.LIBCMT ref: 000DEBCF
FindNextFileW.KERNEL32(00000000,?), ref: 000DEBE0
FindClose.KERNEL32(00000000,00000001,00000000), ref: 000DEC0E

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 972e5a4c4107f9dd73ad1158bf42955fb93cdfdc4d9972d67e30f3bcf7ce5ca7
Instruction ID: 4d5bc4711c84dc9316d2ba2e637489192fc4f00bb9a8d84860e3a653f5d3622e
Opcode Fuzzy Hash: 972e5a4c4107f9dd73ad1158bf42955fb93cdfdc4d9972d67e30f3bcf7ce5ca7
Instruction Fuzzy Hash: D341B035604702DFC718EF68C491AEAB3E4FF49324F10455EE95A8B3A2DB31B945CBA1

Function 000F8111 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 000F8160
IsWindowEnabled.USER32 ref: 000F816E
GetForegroundWindow.USER32(?,?,00000001), ref: 000F817B
IsIconic.USER32 ref: 000F8189
IsZoomed.USER32 ref: 000F8197

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 3ca0e5de0cdb89734131aafc6319bc830365f41822a7044b827c408db26b8f1a
Instruction ID: e7f4a878a33248b6d68a64bf755f421a02dade7d0eb013cdaf597086aada6425
Opcode Fuzzy Hash: 3ca0e5de0cdb89734131aafc6319bc830365f41822a7044b827c408db26b8f1a
Instruction Fuzzy Hash: BC11B2313002196BEB252F26DC44EFF7B9DFF44760B048529F949D7642DF34994297A0

Function 00099B60 Relevance: 7.3, Strings: 5, Instructions: 1055COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00099EA7
ERCP, xrefs: 00099C32
VUUU, xrefs: 0011BE14
VUUU, xrefs: 00099ED4
VUUU, xrefs: 00099E95

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: c125cee1b00820563dcce059d601f9988e18920ed9fb9ecf0f6a536fb7191191
Instruction ID: 1bdb6ff56b08f22b0bc92553aa45123411edb202b57f2e2fca4c52586a1c621b
Opcode Fuzzy Hash: c125cee1b00820563dcce059d601f9988e18920ed9fb9ecf0f6a536fb7191191
Instruction Fuzzy Hash: FC926B75E0421ACBDF28CF58C8907EDB7B1BB55314F2581AAE816AB280D7709DC1EF91

Function 000AE01E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,000AE014,774D0AE0,000ADEF1,0012DC38,?,?), ref: 000AE02C
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 000AE03E

Strings

GetNativeSystemInfo, xrefs: 000AE038
kernel32.dll, xrefs: 000AE027

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: d85a917717770c028539148fd81b455fda4c677a7135e963c92c1571ad899548
Instruction ID: 0caeaa299bc1ce00a0ede8aaa5e563764b86c1b05175fea84655f4a75541bdc8
Opcode Fuzzy Hash: d85a917717770c028539148fd81b455fda4c677a7135e963c92c1571ad899548
Instruction Fuzzy Hash: 0CD0A770400722AFC7354FA0FD08A527AD4AB01300F188419F481E25A0E7B4C8C08650

Function 000FF1D7 Relevance: 6.1, APIs: 4, Instructions: 80nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 000AB34E: GetWindowLongW.USER32(?,000000EB), ref: 000AB35F

GetCursorPos.USER32(?), ref: 000FF211
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0010E4C0,?,?,?,?,?), ref: 000FF226
GetCursorPos.USER32(?), ref: 000FF270
NtdllDialogWndProc_W.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0010E4C0,?,?,?), ref: 000FF2A6

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
String ID:
API String ID: 1423138444-0
Opcode ID: 734298b3bc1b529e125e3a2647ac1c86fe2a0c1b5a5417865b905f499b23d3cd
Instruction ID: 3863e5157692d8cb660e2d415c68065512f66a731acfc84916720a28e3c4aef4
Opcode Fuzzy Hash: 734298b3bc1b529e125e3a2647ac1c86fe2a0c1b5a5417865b905f499b23d3cd
Instruction Fuzzy Hash: E1218039500118FFDBA68F94D858EFE7BB6EF09711F048069FA054B6A2D3B09991EB50

Function 000AB55D Relevance: 6.1, APIs: 4, Instructions: 56nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 000AB34E: GetWindowLongW.USER32(?,000000EB), ref: 000AB35F

NtdllDialogWndProc_W.USER32(?,00000020,?,00000000), ref: 000AB5A5
GetClientRect.USER32(?,?), ref: 0010E69A
GetCursorPos.USER32(?), ref: 0010E6A4
ScreenToClient.USER32(?,?), ref: 0010E6AF

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Client$CursorDialogLongNtdllProc_RectScreenWindow
String ID:
API String ID: 1010295502-0
Opcode ID: 81d3574c74199846dcdf84be10f00a0cb4f04c6c0960fc80e24c79b121cd7b02
Instruction ID: 43d714e32eaca0e7e96fe97b4fc7dd0202a5262cc736e56a150212ec959bf4bf
Opcode Fuzzy Hash: 81d3574c74199846dcdf84be10f00a0cb4f04c6c0960fc80e24c79b121cd7b02
Instruction Fuzzy Hash: 85115A71900129FFCB14DFA4ED45AEE7BB9EF09305F004455F952E7142D370AA81DBA1

Function 000D13CA Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 560stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 000D13DC

Strings

(, xrefs: 000D1422
|, xrefs: 000D140C

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: c76824e2d8da5718ec4d5bc12e32827094601bbd7f83d93a6a08ed35284b7481
Instruction ID: e3e1a9bac5b45c777c3c0689211909d7310d5f15a4f1166d2423d87f56fba1b2
Opcode Fuzzy Hash: c76824e2d8da5718ec4d5bc12e32827094601bbd7f83d93a6a08ed35284b7481
Instruction Fuzzy Hash: F8322575A00705AFC728CF69D490AAAB7F0FF48310B11C56EE49ADB3A2DB70E941CB54

Function 000AB11F Relevance: 4.9, APIs: 3, Instructions: 377nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 000AB34E: GetWindowLongW.USER32(?,000000EB), ref: 000AB35F

NtdllDialogWndProc_W.USER32(?,?,?,?,?), ref: 000AB22F

Part of subcall function 000AB55D: NtdllDialogWndProc_W.USER32(?,00000020,?,00000000), ref: 000AB5A5

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: DialogNtdllProc_$LongWindow
String ID:
API String ID: 1155049231-0
Opcode ID: c0de9cadc425a7020f3674a9c59caf481388d95f7398d3bdc218e0ca112b1689
Instruction ID: 960c1c4b29b8249224a580f9a934388370c392fd26470aade785fed2662eeb2b
Opcode Fuzzy Hash: c0de9cadc425a7020f3674a9c59caf481388d95f7398d3bdc218e0ca112b1689
Instruction Fuzzy Hash: E0A16570114109BADB386EAA5C88FBF39ECEB47340B54491AF982DA5D3CB649D00E372

Function 000E4EB5 Relevance: 4.7, APIs: 3, Instructions: 155networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,000E43BF,00000000), ref: 000E4FA6
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 000E4FD2

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 4f3f05389f60cfd081925ef6c63eb41460aaed7e44b68da3d0dbab548d144d6b
Instruction ID: 04658c4814c7e6bedba7986594b08bf27b60d8811265d441e6be7dffe26b3196
Opcode Fuzzy Hash: 4f3f05389f60cfd081925ef6c63eb41460aaed7e44b68da3d0dbab548d144d6b
Instruction Fuzzy Hash: 64410771A04649BFEB20CE92DC85EFFB7FCEB40719F10406EF205B6181EA719E4196A0

Function 000DE1FD Relevance: 4.6, APIs: 3, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 000DE20D
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 000DE267
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 000DE2B4

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 1d4ae5467214240408034908e503ace1c78f0ac050d787ef74ec4c5fe0f2d732
Instruction ID: 0f063103fc7ed639541090712e74099b4a29364b93e80132870c5fc6768a3731
Opcode Fuzzy Hash: 1d4ae5467214240408034908e503ace1c78f0ac050d787ef74ec4c5fe0f2d732
Instruction Fuzzy Hash: CE213035A00218EFDB04EFA5D985EEDBBB8FF49314F0484AAE905AB352DB319945CB50

Function 000CB134 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 000AF4EA: std::exception::exception.LIBCMT ref: 000AF51E
Part of subcall function 000AF4EA: __CxxThrowException@8.LIBCMT ref: 000AF533

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 000CB180
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 000CB1AD
GetLastError.KERNEL32 ref: 000CB1BA

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 99595f5d373478438a270f12105b85010179a90e18c6432fe83a4f12f9ee35d1
Instruction ID: 5ef08895da1788922d42e3486fce76e5205af523a86934a89ca3741033938ea4
Opcode Fuzzy Hash: 99595f5d373478438a270f12105b85010179a90e18c6432fe83a4f12f9ee35d1
Instruction Fuzzy Hash: 4E11BFB1504305AFE7189FA4EC86DABB7BCFB44310B20852EF45693241DB70FC418A60

Function 000D6606 Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 000D6623
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 000D6664
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 000D666F

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 2a1bcfd69aa7be060b444355ce86449861de2869b6adb9fbb21d5adfb47901cf
Instruction ID: e078ab8302198e90222881796d3ba440236353f7c1b6050e1afa03ec517fa551
Opcode Fuzzy Hash: 2a1bcfd69aa7be060b444355ce86449861de2869b6adb9fbb21d5adfb47901cf
Instruction Fuzzy Hash: 99115271E01228BFDB148F95DC44BEE7BFCEB45B10F108152F910E7290D7B15A018BA1

Function 000D71FA Relevance: 4.5, APIs: 3, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 000D7223
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 000D723A
FreeSid.ADVAPI32(?), ref: 000D724A

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: d64ff84868385b41623b1a201d83b7eacb82e8750ce9b199dc4778bc6223a240
Instruction ID: 3c6196c556c13e36ad30497c5b49673cc574fad33f2de893cdafd4b9d9f33783
Opcode Fuzzy Hash: d64ff84868385b41623b1a201d83b7eacb82e8750ce9b199dc4778bc6223a240
Instruction Fuzzy Hash: 54F01275904309BFDF04DFE4DD89AEDBBB9EF08301F108469B502E2591E27457448B10

Function 000FF689 Relevance: 4.5, APIs: 3, Instructions: 32nativeCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 000FF6AC
6FCFC5D0.COMCTL32(?,?,?,0010E52B,?,?,?,?,?), ref: 000FF6B8
NtdllDialogWndProc_W.USER32(?,00000200,?,?,?,?,?,?,?,0010E52B,?,?,?,?,?), ref: 000FF6D5

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: ClientDialogNtdllProc_Screen
String ID:
API String ID: 3420055661-0
Opcode ID: 391019ed4bf6f314f65e3a899503016889d5b10d5a14d2101baca9aab8773add
Instruction ID: f4e1f6ad5895594188ac61e6fcb0d0f7e39508ab02aef78854c78bf9374d78dc
Opcode Fuzzy Hash: 391019ed4bf6f314f65e3a899503016889d5b10d5a14d2101baca9aab8773add
Instruction Fuzzy Hash: A7F03A72400218FFEF098F85ED09AFE7FB9EF44311F14401AFA01A2560D7B1AA91EB60

Function 000D6CA9 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00102F49), ref: 000D6CB9
FindFirstFileW.KERNEL32(?,?), ref: 000D6CCA
FindClose.KERNEL32(00000000), ref: 000D6CDA

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: f2ff604ad768a91cdcd1f9b0108ca17566f6d01e20cea20512571d0860d4d6f6
Instruction ID: 76ee59527fa0a8774269ff326b9ba5d213cc8102074ab4766f227f81db3259bc
Opcode Fuzzy Hash: f2ff604ad768a91cdcd1f9b0108ca17566f6d01e20cea20512571d0860d4d6f6
Instruction Fuzzy Hash: 59E0D8318205106782246738FD0D4F937ACDB15339F104756F471C12D0E771D94445E6

Function 000AB385 Relevance: 3.1, APIs: 2, Instructions: 82nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 000AB34E: GetWindowLongW.USER32(?,000000EB), ref: 000AB35F

Part of subcall function 000AB526: GetWindowLongW.USER32(?,000000EB), ref: 000AB537

GetParent.USER32(?), ref: 0010E5B2
NtdllDialogWndProc_W.USER32(?,00000133,?,?,?,?,?,?,?,?,000AB1E8,?,?,?,00000006,?), ref: 0010E62C

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: LongWindow$DialogNtdllParentProc_
String ID:
API String ID: 314495775-0
Opcode ID: b879e67d467b6781cbd311b1b0f4a6600451141695a17a6f7910fb2614e995bc
Instruction ID: 7a8afc389483b1987bb80108b39929cf8c44bcc3fa27177920b334d737580b01
Opcode Fuzzy Hash: b879e67d467b6781cbd311b1b0f4a6600451141695a17a6f7910fb2614e995bc
Instruction Fuzzy Hash: E021DD35600104BFCF258BA89C84AE93BE6AF0B328F084656F5294B2E3C7709E41DB00

Function 000DF56F Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 000DF599
FindClose.KERNEL32(00000000), ref: 000DF5C9

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: c6a7aba189dd696561c9d72753e62ac8741ea9278c613834cf41c76190c519b2
Instruction ID: 4c5a7d9ca280cdecba24c1d36db12e0a3f45498d1fe3ce0415fb2e337dad6949
Opcode Fuzzy Hash: c6a7aba189dd696561c9d72753e62ac8741ea9278c613834cf41c76190c519b2
Instruction Fuzzy Hash: 1D11C4316006019FDB14EF28D845AAEB3E9FF95324F00C96EF9A6D7391DB30AD048B91

Function 000FF2D0 Relevance: 3.0, APIs: 2, Instructions: 46nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 000AB34E: GetWindowLongW.USER32(?,000000EB), ref: 000AB35F

NtdllDialogWndProc_W.USER32(?,0000002B,?,?,?,?,?,?,?,0010E44F,?,?,?), ref: 000FF344

Part of subcall function 000AB526: GetWindowLongW.USER32(?,000000EB), ref: 000AB537

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 000FF32A

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: LongWindow$DialogMessageNtdllProc_Send
String ID:
API String ID: 1273190321-0
Opcode ID: 0965554efc54df535d8b752a8060420556aaeed3a5a989e09e3431ee6eee7310
Instruction ID: 130aeab2582d5160d6e7b709fe805ecc4be5ab5eaee00f43f4f210815d114bba
Opcode Fuzzy Hash: 0965554efc54df535d8b752a8060420556aaeed3a5a989e09e3431ee6eee7310
Instruction Fuzzy Hash: 8501B131200218EBCB269F14EC44FBA7BA7FF85325F184565FA151B6E1C771A942EB50

Function 000DCE7A Relevance: 3.0, APIs: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,000EBE6A,?,?,00000000,?), ref: 000DCEA7
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,000EBE6A,?,?,00000000,?), ref: 000DCEB9

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: c732358c9c0c213a9949ba95ee2a53fc4ace90a2f29ed740d2628d1fbf8d4837
Instruction ID: 367e55aace6853ec88cc3bc6f949b367bcdc581c150f8dbb73ec9765daf1957e
Opcode Fuzzy Hash: c732358c9c0c213a9949ba95ee2a53fc4ace90a2f29ed740d2628d1fbf8d4837
Instruction Fuzzy Hash: 62F0827550032AABEB209BA4DC49FEA776DBF08351F008166F915D6181D7309A40CBA0

Function 000D411C Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 000D4153
keybd_event.USER32(?,7707C0D0,?,00000000), ref: 000D4166

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: d48b3343c9bdd5165fa9e6b0a3653e6229e8bedac601415aa8cbffce51817940
Instruction ID: 2b72e99a61dbffb6bc34e3e8cf9c233a1294436c7c77ad26ba55052c9dd5dcd6
Opcode Fuzzy Hash: d48b3343c9bdd5165fa9e6b0a3653e6229e8bedac601415aa8cbffce51817940
Instruction Fuzzy Hash: 60F0677480034DAFDB059FA0C805BFE7FB0EF00305F00800AF966A6292D77986529FA0

Function 000CAB84 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,000CACC0), ref: 000CAB99
CloseHandle.KERNEL32(?,?,000CACC0), ref: 000CABAB

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: b83272a69c9690f7241a0617f842c921e8d9a0f15219536826a886c32f17923d
Instruction ID: d467fdd2375c7b56cfdee1e0455e3c4b842a10999852962dab56257e0e5c0499
Opcode Fuzzy Hash: b83272a69c9690f7241a0617f842c921e8d9a0f15219536826a886c32f17923d
Instruction Fuzzy Hash: 80E08671000611AFE7252FA5FC08DB7B7E9EF04320710C42DF55980831CB225CD0DB50

Function 000FF7C3 Relevance: 3.0, APIs: 2, Instructions: 21nativeCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 000FF7CB
NtdllDialogWndProc_W.USER32(?,00000084,00000000,?,?,0010E4AA,?,?,?,?), ref: 000FF7F5

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: e7b0abea01c15e03671c4579ede48be6d6f090510aff7d10b24d55e41a07ac37
Instruction ID: 15fb2f5faa44a71529e0fd50d31629ddc6cf002d5b333780dfdae61c9c519fe5
Opcode Fuzzy Hash: e7b0abea01c15e03671c4579ede48be6d6f090510aff7d10b24d55e41a07ac37
Instruction Fuzzy Hash: DFE0CD30108319BBEB181F09EC0AFBD3F59EF00750F108115F957988E0D7B094D0E260

Function 000B81AC Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,000B6DB3,-0000031A,?,?,00000001), ref: 000B81B1
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 000B81BA

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 3e999f2ace5d74ef7e5fecd702b6abd0b5c4c7990f5a71225f024b86a1eed04f
Instruction ID: 45c816c90220577f48b4f2ac9c5c5d9a3e8a7c33f73b3867191c33837963bd55
Opcode Fuzzy Hash: 3e999f2ace5d74ef7e5fecd702b6abd0b5c4c7990f5a71225f024b86a1eed04f
Instruction Fuzzy Hash: F5B092B1054A08ABDB042BA1FD0AB98BF68FB08652F008010F62D44861CB7254908A92

Function 000977B0 Relevance: 2.6, APIs: 1, Instructions: 1076COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00097921

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: bd7a5aa4022aa943fc5a4a5a6a36665dbb0f7bfae6271c2c15b5ac935ca57483
Instruction ID: 0a2358c2ea0ebbe94afd0c518fa0e9c2ea48e3ca7ba331f13c4616e04c8ca853
Opcode Fuzzy Hash: bd7a5aa4022aa943fc5a4a5a6a36665dbb0f7bfae6271c2c15b5ac935ca57483
Instruction Fuzzy Hash: AFA24875E14219DFCF28CF58C8806ADBBB1BF49310F2581A9E859AB391D7709E81DB90

Function 000BD1B9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b27508c81fc0ec18b571b5bb2e995a97eff2b332e606ecc200ebfe8cdc30711
Instruction ID: 72a2d22eff874d89c25513443c238eac066d0b8e2f46fa86e7c9570a69b0dbe8
Opcode Fuzzy Hash: 8b27508c81fc0ec18b571b5bb2e995a97eff2b332e606ecc200ebfe8cdc30711
Instruction Fuzzy Hash: 5A320222D29F415DD7239634D92237AA288AFB73D4F15D737E819B5EAAEB38C4C34100

Function 000996C0 Relevance: 2.1, APIs: 1, Instructions: 573COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 6980cf3e5242c3718583bd2efda66d048a1a2e4bc7d053b6ce7ecd4dcacf8fd1
Instruction ID: dff83102c0b21dfafc49b4a73d9a8985d646964d8b8bd2dbab16736e23be80d3
Opcode Fuzzy Hash: 6980cf3e5242c3718583bd2efda66d048a1a2e4bc7d053b6ce7ecd4dcacf8fd1
Instruction Fuzzy Hash: 98229B716083019FDB24DF58C891BAFB7E5EF84310F104A2DF89A97292DB71E944DB82

Function 000C038E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 908a2a09afa6ecb2b8a905f8cbfd0861fe3daf4013e9172fba262e022f4286af
Instruction ID: d165907c5cb2bb53c70f08305614367596fb3fd0305ba4e43024489aa060ec81
Opcode Fuzzy Hash: 908a2a09afa6ecb2b8a905f8cbfd0861fe3daf4013e9172fba262e022f4286af
Instruction Fuzzy Hash: D2B1FF20D2AF415DD72396398C71336B65CAFBB2D5B91D71BFC2A74D22EB2181D34184

Function 000DB6CC Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 000DB6DF

Part of subcall function 000B344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,000DBDC3,00000000,?,?,?,?,000DBF70,00000000,?), ref: 000B3453
Part of subcall function 000B344A: __aulldiv.LIBCMT ref: 000B3473

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 20a9258bfb404e4c95e90c9514fddd48b06645e2eda58b7e2e0528333c3de031
Instruction ID: 5441f3e1e12a4f2d75463fff02903aab040b9abab371c65de1f080d1efc7de55
Opcode Fuzzy Hash: 20a9258bfb404e4c95e90c9514fddd48b06645e2eda58b7e2e0528333c3de031
Instruction Fuzzy Hash: 9221A276634610CBC729CF28C481A92B7E1EB95311B248E6DE4E5CF2C0CB78B945DB54

Function 0010044C Relevance: 1.6, APIs: 1, Instructions: 64nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 000AB34E: GetWindowLongW.USER32(?,000000EB), ref: 000AB35F

NtdllDialogWndProc_W.USER32(?,00000112,?,?), ref: 001004F4

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 376c99edee1d53202aab2d9b1cc337a4c173e289bb888048a7d1b5617f0ad24a
Instruction ID: 26f7e48bcdac6c0373caf6471b422c471f2a35b242f7cc18b6beb5458935dc21
Opcode Fuzzy Hash: 376c99edee1d53202aab2d9b1cc337a4c173e289bb888048a7d1b5617f0ad24a
Instruction Fuzzy Hash: 27110671204219BAFB2A5A28CD09FF93B14DB49B20F248315FB62DE9D3CBF45D41A359

Function 001000AF Relevance: 1.5, APIs: 1, Instructions: 46nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 000AB526: GetWindowLongW.USER32(?,000000EB), ref: 000AB537

NtdllDialogWndProc_W.USER32(?,00000115,?,?,?,?,?,?,0010E467,?,?,?,?,00000000,?), ref: 00100127

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 5058cd3626beadcfd6504aaa936cf6d021ee7310f4321fa03f75c0d3dffe1038
Instruction ID: a58070bb2af1cce6822be9a8ab2714bdca2e4fbd954cf38cf7aeef0c690163e4
Opcode Fuzzy Hash: 5058cd3626beadcfd6504aaa936cf6d021ee7310f4321fa03f75c0d3dffe1038
Instruction Fuzzy Hash: 2201F771A00158ABDF169F24DC4ABF93BA2EF89361F044125FA991B1D2C3F1EC60D7A0

Function 000FE9AF Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 000AB526: GetWindowLongW.USER32(?,000000EB), ref: 000AB537

CallWindowProcW.USER32(?,?,00000020,?,?), ref: 000FE9F5

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Window$CallLongProc
String ID:
API String ID: 4084987330-0
Opcode ID: 667b289ed4ba33938f48f829f4f1d5c930d21e03f5bfdb698dda53db81e6f08e
Instruction ID: 1708ce724914b09a4184b4686498c38e47631defe3e59368a40f30b5a6405665
Opcode Fuzzy Hash: 667b289ed4ba33938f48f829f4f1d5c930d21e03f5bfdb698dda53db81e6f08e
Instruction Fuzzy Hash: A8F03C3110414CEFCB559F94ED00DB93BA6EB08321B048114FE159BAB2C772A8A0EBA0

Function 000FEC7C Relevance: 1.5, APIs: 1, Instructions: 29nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 000AB34E: GetWindowLongW.USER32(?,000000EB), ref: 000AB35F

Part of subcall function 000AB63C: GetCursorPos.USER32(000000FF), ref: 000AB64F
Part of subcall function 000AB63C: ScreenToClient.USER32(00000000,000000FF), ref: 000AB66C
Part of subcall function 000AB63C: GetAsyncKeyState.USER32(00000001), ref: 000AB691
Part of subcall function 000AB63C: GetAsyncKeyState.USER32(00000002), ref: 000AB69F

NtdllDialogWndProc_W.USER32(?,00000204,?,?,00000001,?,?,?,0010E514,?,?,?,?,?,00000001,?), ref: 000FECCA

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorDialogLongNtdllProc_ScreenWindow
String ID:
API String ID: 2356834413-0
Opcode ID: 6dbfb3e4a38c9ba46d120137b1732ed7f361c594d4f96e5a417c4702125af339
Instruction ID: 119e37704f99851c838ff0d5d49324dbf527596cdc8f29f605b5de6770f4c7c2
Opcode Fuzzy Hash: 6dbfb3e4a38c9ba46d120137b1732ed7f361c594d4f96e5a417c4702125af339
Instruction Fuzzy Hash: BAF0A731200228FBDF155F09DC06EFE3BA5EB01751F004015F9151E6A2C7B599A1EBD0

Function 000AAAFC Relevance: 1.5, APIs: 1, Instructions: 28nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 000AB34E: GetWindowLongW.USER32(?,000000EB), ref: 000AB35F

NtdllDialogWndProc_W.USER32(?,00000006,?,?,?), ref: 000AAB45

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: b37afd949c2569a5a8638834aad8ad5c983a5a45f7890e91ef96a37bbd1f42b3
Instruction ID: e3e173b8040e47c64d65169deb15904f6a88c56015c3a36db5710c0c299186a7
Opcode Fuzzy Hash: b37afd949c2569a5a8638834aad8ad5c983a5a45f7890e91ef96a37bbd1f42b3
Instruction Fuzzy Hash: 9DF08C30600309EFDB299F49EC11AB93BA6FB45362F044219FC524F6E2D7B1D9A0DB60

Function 000E6AAF Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 000E6ACA

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: fa9ba3711c130ef0e6e645a9ad9dedfe4289c155b28c3a1c1f40a5923c99acc7
Instruction ID: c9f3515f39c7bca54f5cf281740566d9c5f3058fbcd5084d2ccaf593cf0fd105
Opcode Fuzzy Hash: fa9ba3711c130ef0e6e645a9ad9dedfe4289c155b28c3a1c1f40a5923c99acc7
Instruction Fuzzy Hash: AAE01235600204AFC740EF99E40499AF7ECAF747A1B04C426E945D7251DAB1E8449B91

Function 000D74BB Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 000D74DE

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 0937f5a06aec932a992d85f9010e7c376d1cee8d4c5539dc395fa268c69819c8
Instruction ID: f51a10157201dd1ea6887c8a1d8a00896ecadcf91b551592dae011908c7e3b93
Opcode Fuzzy Hash: 0937f5a06aec932a992d85f9010e7c376d1cee8d4c5539dc395fa268c69819c8
Instruction Fuzzy Hash: 13D05EA012C30538ECBB07249C0FFBA0948F3007C1FC0818BB18AC96C2FA8058419032

Function 000FF609 Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.USER32(?,00000232,?,?), ref: 000FF649

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: c28f02a9f9286ec139eee9651d3e257280f0f2ebc8e21cd00d4fbb8de8a300a7
Instruction ID: b66a1522001d3a4c4f094ced8dcca0fcb16bd701b2c2203822549687d0e94e06
Opcode Fuzzy Hash: c28f02a9f9286ec139eee9651d3e257280f0f2ebc8e21cd00d4fbb8de8a300a7
Instruction Fuzzy Hash: ACF06D31241349BFDB21DF58DD05FD67BA9EB15720F044004BA216B2E2CBB06860EB60

Function 000AAB4F Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 000AB34E: GetWindowLongW.USER32(?,000000EB), ref: 000AB35F

NtdllDialogWndProc_W.USER32(?,00000007,?,00000000,00000000,?,?), ref: 000AAB7D

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: cf79d11884e87e14eda03802f447941ecd26f3bc9e32a24cc899839986a9786d
Instruction ID: ce8951a73bac3b33dcdbb56d746b22ffff7a5700d18e3e5dc001c540831194c9
Opcode Fuzzy Hash: cf79d11884e87e14eda03802f447941ecd26f3bc9e32a24cc899839986a9786d
Instruction Fuzzy Hash: 78E0EC35540204FBCF19AF90EC11FA83F2AEB49315F148058BA151E6A2CB76A562DB54

Function 000CB106 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,000CAD3E), ref: 000CB124

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 904381c5cdda56d2290273221cd5fa3e6d8403d5bca70ff6a73826b17e4ae0da
Instruction ID: 9d28762d0f0e1630f90e54546059b5318b7b3162612154aaef8d6343115dfa1f
Opcode Fuzzy Hash: 904381c5cdda56d2290273221cd5fa3e6d8403d5bca70ff6a73826b17e4ae0da
Instruction Fuzzy Hash: 62D05E320A460EAEDF028FA4EC02EAE3F6AEB04700F408110FA11C50A0C671D531AB50

Function 000FF654 Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.USER32(?,00000053,?,?,?,0010E4D1,?,?,?,?,?,?), ref: 000FF67F

Part of subcall function 000FE32E: _memset.LIBCMT ref: 000FE33D
Part of subcall function 000FE32E: _memset.LIBCMT ref: 000FE34C
Part of subcall function 000FE32E: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00153D00,00153D44), ref: 000FE37B
Part of subcall function 000FE32E: CloseHandle.KERNEL32 ref: 000FE38D

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
String ID:
API String ID: 2364484715-0
Opcode ID: 3921b15616977f58c7b9f494e320d05271d4ef1ca72a3d816f7e832cd447900c
Instruction ID: 145ef6da9f46617b93f7f539006d3e85d9ca234766fdb674d52223d2dcc9d2b5
Opcode Fuzzy Hash: 3921b15616977f58c7b9f494e320d05271d4ef1ca72a3d816f7e832cd447900c
Instruction Fuzzy Hash: A8E04632100209EFCB02EF04ED49EA93BB6EF08314F014014FA004BAB2CB31ADA0EF40

Function 000FF5AB Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.USER32 ref: 000FF5D0

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: 51a221b58f594fbf7d5b1addd568ccc562c849377307ad541ff6b3ada4e1d087
Instruction ID: 72084c3a8b879659cbee5957d3fb9400b2ba3443ef5e680f534485dfe85cec88
Opcode Fuzzy Hash: 51a221b58f594fbf7d5b1addd568ccc562c849377307ad541ff6b3ada4e1d087
Instruction Fuzzy Hash: 67E0177420430CEFCB01DF84EC44E863BA6EB19310F014054FD044B361C771A870DB61

Function 000FF5DA Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.USER32 ref: 000FF5FF

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: e618273a40353fdcbf9747c83b9336d37c18825c028b146bddff5166ddd337d5
Instruction ID: 6f89895b855bfb3dc141bb0ed4e96f203b98c50c6be52f75ef3a34f6d89d151c
Opcode Fuzzy Hash: e618273a40353fdcbf9747c83b9336d37c18825c028b146bddff5166ddd337d5
Instruction Fuzzy Hash: 79E0E274200208EFCB01DF84E844E863BA6EB19310F014054FD044B262C772A8A0EBA1

Function 000AB715 Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 000AB34E: GetWindowLongW.USER32(?,000000EB), ref: 000AB35F

Part of subcall function 000AB73E: DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,000AB72B), ref: 000AB7F6
Part of subcall function 000AB73E: KillTimer.USER32(00000000,?,00000000,?,?,?,?,000AB72B,00000000,?,?,000AB2EF,?,?), ref: 000AB88D

NtdllDialogWndProc_W.USER32(?,00000002,00000000,00000000,00000000,?,?,000AB2EF,?,?), ref: 000AB734

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Window$DestroyDialogKillLongNtdllProc_Timer
String ID:
API String ID: 2797419724-0
Opcode ID: 98cbeb7177cb77bb2f9da59328693d3465d672a3dd75050182860b3855c3e30a
Instruction ID: e5457227671410b3797dbba9446d2279a9c073459cd31a268bc9dbbbb357d911
Opcode Fuzzy Hash: 98cbeb7177cb77bb2f9da59328693d3465d672a3dd75050182860b3855c3e30a
Instruction Fuzzy Hash: ACD0123114430CB7DB152B90EE07FC93E5F9B51751F408010BA142D1D3CBB155505568

Function 0010B340 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 0010B352

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 5106e5cd6dfdb26a3aac56c44f23bd98a22846ae5055f9ff8c7ac0563cab9de9
Instruction ID: 242044a72c4a418bf5a8aeb3a45b872a8c7d0d57387ec305510e66dfe04a8937
Opcode Fuzzy Hash: 5106e5cd6dfdb26a3aac56c44f23bd98a22846ae5055f9ff8c7ac0563cab9de9
Instruction Fuzzy Hash: 8BC04CB140010DDFD755CBD0DA449EEB7BCAB08301F114091E145F1150D7709B859B72

Function 000B8189 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 000B818F

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: a13019dd62ef44e3a99c348b1041b9b53d56aee01c54f40b655417706a3bb64d
Instruction ID: da935a94856786da5e1b217c04ccfe9c1d7da06fb53d55bd3f2d01db28e67c0b
Opcode Fuzzy Hash: a13019dd62ef44e3a99c348b1041b9b53d56aee01c54f40b655417706a3bb64d
Instruction Fuzzy Hash: 5DA0223000020CFBCF002F82FC0A8C8BF2CFB002A0B008020F80C00830CB33A8A08AC2

Function 0009E3B0 Relevance: .5, Instructions: 540COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0f95fab62090980e3323db62b99bb2deb4ca0fdbf2003b8811709d4e50130d9
Instruction ID: 39f3de56a7c30f439e4d120f06db3f3700089147eb2f502e3d0668e762c66965
Opcode Fuzzy Hash: e0f95fab62090980e3323db62b99bb2deb4ca0fdbf2003b8811709d4e50130d9
Instruction Fuzzy Hash: 61227D70A04246DFDF24DF94C850AAEB7F0FF18304F148169E99A9B392E771AD81DB91

Function 000993F0 Relevance: .5, Instructions: 531COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e14060682dedfceadb93c179606473fa7c8b9f24aa11881af4b0a92e0944068
Instruction ID: 12e9eeb3f23bcc6f53cf49893fd911f0262f319c8ea37e11f4bbf5bd26caefe5
Opcode Fuzzy Hash: 1e14060682dedfceadb93c179606473fa7c8b9f24aa11881af4b0a92e0944068
Instruction Fuzzy Hash: A8128B70A00609DFDF14DFA8D995AEEB7F5FF48300F208529E846E7291EB36A950DB50

Function 0009AF50 Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID:
API String ID: 3728558374-0
Opcode ID: 514d640c5b894ee34147354c97ee5a1d83971b3e3827c7e7cc20b27d3c6120fa
Instruction ID: 9ec2b44fa66aeb845707b30ab06ff5ca881263f0e426618b50db2637714eb793
Opcode Fuzzy Hash: 514d640c5b894ee34147354c97ee5a1d83971b3e3827c7e7cc20b27d3c6120fa
Instruction Fuzzy Hash: 2F02C070A00209DFCF14DF68D995AAEBBB5FF49300F108069E806DB296EB35DA51DB91

Function 000B02A4 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction ID: dc3f780a2ffc7f95ba156e8605b157ccb72ff056862692db2f53e4ba14f0fa6b
Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction Fuzzy Hash: F3C192722051930ADFAD867A847447FBBE15BA2BF131A076DD8B3CB5E5EF20C524D620

Function 000B06D9 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction ID: 68b804878eef4ea733314d4297d7f45fdc34744b08905c5abcbf7c2b857b82b3
Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction Fuzzy Hash: 9BC191322091930ADFAD867AC43447FFAE25BA2BB131A176DD4B3CB5D5EF20D524D620

Function 000AFE6F Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: 6796705ed2571f77ba8ada31b6c39a3ef0fbf07489cc2d21ff44f0de98391b39
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: B7C19F322051930ADFAD86BAC43457FBAE25BA37B171A077DD4B2CB5E5EF20C524D620

Function 000AFA57 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 76beaa0ca9227410b050a56e450515d7b81913b0afbdb1f898e3ef38cecff55f
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 1DC1703220909309DFAD86FAC47443EBAE25BA3BB531A077DD4B2CB5D5EF20D564D620

Function 000FD285 Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 000FD2DB
GetSysColorBrush.USER32(0000000F), ref: 000FD30C
GetSysColor.USER32(0000000F), ref: 000FD318
SetBkColor.GDI32(?,000000FF), ref: 000FD332
SelectObject.GDI32(?,00000000), ref: 000FD341
InflateRect.USER32(?,000000FF,000000FF), ref: 000FD36C
GetSysColor.USER32(00000010), ref: 000FD374
CreateSolidBrush.GDI32(00000000), ref: 000FD37B
FrameRect.USER32(?,?,00000000), ref: 000FD38A
DeleteObject.GDI32(00000000), ref: 000FD391
InflateRect.USER32(?,000000FE,000000FE), ref: 000FD3DC
FillRect.USER32(?,?,00000000), ref: 000FD40E
GetWindowLongW.USER32(?,000000F0), ref: 000FD439

Part of subcall function 000FD575: GetSysColor.USER32(00000012), ref: 000FD5AE
Part of subcall function 000FD575: SetTextColor.GDI32(?,?), ref: 000FD5B2
Part of subcall function 000FD575: GetSysColorBrush.USER32(0000000F), ref: 000FD5C8
Part of subcall function 000FD575: GetSysColor.USER32(0000000F), ref: 000FD5D3
Part of subcall function 000FD575: GetSysColor.USER32(00000011), ref: 000FD5F0
Part of subcall function 000FD575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 000FD5FE
Part of subcall function 000FD575: SelectObject.GDI32(?,00000000), ref: 000FD60F
Part of subcall function 000FD575: SetBkColor.GDI32(?,00000000), ref: 000FD618
Part of subcall function 000FD575: SelectObject.GDI32(?,?), ref: 000FD625
Part of subcall function 000FD575: InflateRect.USER32(?,000000FF,000000FF), ref: 000FD644
Part of subcall function 000FD575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 000FD65B
Part of subcall function 000FD575: GetWindowLongW.USER32(00000000,000000F0), ref: 000FD670
Part of subcall function 000FD575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 000FD698

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 7d900afbba5428b23571d1283c87a267f355323b93d189bc1f49649b03787ee4
Instruction ID: 80842e1df5fdb36e47dba623a91967c0c964e3c3b2ba6839b533f45358ce9d97
Opcode Fuzzy Hash: 7d900afbba5428b23571d1283c87a267f355323b93d189bc1f49649b03787ee4
Instruction Fuzzy Hash: 7F91AF72008305BFC7549F64ED08AAB7BFAFF89325F104A19FA62965E0C730D984DB52

Function 000AB8FD Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 491windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 000AB98B
DeleteObject.GDI32(00000000), ref: 000AB9CD
DeleteObject.GDI32(00000000), ref: 000AB9D8
DestroyCursor.USER32(00000000), ref: 000AB9E3
DestroyWindow.USER32(00000000), ref: 000AB9EE
SendMessageW.USER32(?,00001308,?,00000000), ref: 0010D2AA
6FCB0200.COMCTL32(?,000000FF,?), ref: 0010D2E3
MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 0010D711

Part of subcall function 000AB9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,000AB759,?,00000000,?,?,?,?,000AB72B,00000000,?), ref: 000ABA58

SendMessageW.USER32 ref: 0010D758
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0010D76F
6FC90860.COMCTL32(00000000), ref: 0010D785
6FC90860.COMCTL32(00000000), ref: 0010D790

Strings

0, xrefs: 0010D5A5

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: DestroyMessageSendWindow$C90860DeleteObject$B0200CursorInvalidateMoveRect
String ID: 0
API String ID: 2964150976-4108050209
Opcode ID: 628605a6447fc381865745435962c47b735b2b24db4b8ceda74f49c58ce03783
Instruction ID: 7cc5d9335407be39c1493b1e70976ce834baa99be7583521d836cbedf9db00dd
Opcode Fuzzy Hash: 628605a6447fc381865745435962c47b735b2b24db4b8ceda74f49c58ce03783
Instruction Fuzzy Hash: DF127E70104201DFDB25CFA8E984BAAB7F5BF4A304F144569F989CB6A2C771E881CB51

Function 000E9F50 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 000E9F83
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 000EA042
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 000EA080
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 000EA092
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 000EA0D8
GetClientRect.USER32(00000000,?), ref: 000EA0E4
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 000EA128
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 000EA137
GetStockObject.GDI32(00000011), ref: 000EA147
SelectObject.GDI32(00000000,00000000), ref: 000EA14B
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 000EA15B
GetDeviceCaps.GDI32(00000000,0000005A), ref: 000EA164
DeleteDC.GDI32(00000000), ref: 000EA16D
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 000EA19B
SendMessageW.USER32(00000030,00000000,00000001), ref: 000EA1B2
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 000EA1ED
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 000EA201
SendMessageW.USER32(00000404,00000001,00000000), ref: 000EA212
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 000EA242
GetStockObject.GDI32(00000011), ref: 000EA24D
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 000EA258
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 000EA262

Strings

DISPLAY, xrefs: 000EA12D
msctls_progress32, xrefs: 000EA1E3
AutoIt v3, xrefs: 000EA0D0
static, xrefs: 000EA122, 000EA23C

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 40488327b38d2673b1cfbad534272b68a85bfb443251f311d1678cf91b102805
Instruction ID: 9e1bda7b5aef787334a777170d524991261a8938319131221c8deb55a6c3158e
Opcode Fuzzy Hash: 40488327b38d2673b1cfbad534272b68a85bfb443251f311d1678cf91b102805
Instruction Fuzzy Hash: CBA16D71A40215BFEB14DFA9DD4AFEEBBA9EB05711F008114FA14AB6E0D770AD40CB64

Function 000DDBC4 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 187COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 000DDBD6
GetDriveTypeW.KERNEL32(?,0012DC54,?,\\.\,0012DC00), ref: 000DDCC3
SetErrorMode.KERNEL32(00000000,0012DC54,?,\\.\,0012DC00), ref: 000DDE29

Strings

iSCSI, xrefs: 000DDDCB
ATA, xrefs: 000DDDA1
Fixed, xrefs: 000DDD0B
SSA, xrefs: 000DDDAF
RAID, xrefs: 000DDDC4
USB, xrefs: 000DDDBD
RAMDisk, xrefs: 000DDCED
ATAPI, xrefs: 000DDD9A
FileBackedVirtual, xrefs: 000DDDF5
MMC, xrefs: 000DDDE7
CDROM, xrefs: 000DDCF7
Unknown, xrefs: 000DDCE3, 000DDD8C
PhysicalDrive, xrefs: 000DDC67
\\.\, xrefs: 000DDC2B
Removable, xrefs: 000DDD15
Virtual, xrefs: 000DDDEE
Network, xrefs: 000DDD01
1394, xrefs: 000DDDA8
SCSI, xrefs: 000DDD93
SSD, xrefs: 000DDD50
SATA, xrefs: 000DDDD9
Fibre, xrefs: 000DDDB6
SAS, xrefs: 000DDDD2

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 8a3721ea445dd040c2993dd72e0d0a2e39ff1257773df45b69cadf3634ea9156
Instruction ID: c9550a2afaf56b84c31d03f70ab71b29cba7e8fd46f1ec6fa23de66ca47fdb07
Opcode Fuzzy Hash: 8a3721ea445dd040c2993dd72e0d0a2e39ff1257773df45b69cadf3634ea9156
Instruction Fuzzy Hash: 8F51B230248742ABCA24EF20C88297DB7E2FF94705F20581BF067973A2DB71D945DB62

Function 0009CC24 Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 267COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0009CC68
__wcsnicmp.LIBCMT ref: 0009CC80
__wcsnicmp.LIBCMT ref: 0009CC98
__wcsnicmp.LIBCMT ref: 0009CCB0
__wcsnicmp.LIBCMT ref: 0009CCC8
__wcsnicmp.LIBCMT ref: 0009CCE0
__wcsnicmp.LIBCMT ref: 0009CCF8
__wcsnicmp.LIBCMT ref: 0009CD0C
__wcsnicmp.LIBCMT ref: 0009CD4D
__wcsnicmp.LIBCMT ref: 0009CD61
__wcsnicmp.LIBCMT ref: 0009CD75
__wcsnicmp.LIBCMT ref: 0009CD89

Strings

#include, xrefs: 0009CCDA
Bad directive syntax error, xrefs: 00102ECB
Cannot parse #include, xrefs: 00102FA1
#OnAutoItStartRegister, xrefs: 0009CCAA
#cs, xrefs: 0009CD06, 0009CD5B
#comments-start, xrefs: 0009CCF2, 0009CD47
#comments-end, xrefs: 0009CD6F
#notrayicon, xrefs: 0009CC7A
#pragma compile, xrefs: 0009CC62
#include-once, xrefs: 0009CCC2
Unterminated group of comments, xrefs: 00102FB4
#requireadmin, xrefs: 0009CC92
#ce, xrefs: 0009CD83

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 5e351b0247c0b4d5e7e5ecd95b142121224936a3c66b78db114bf69f7d5c06ff
Instruction ID: 37a0746dd9a834c1543a43f4478e645f3f7a2cb5afbf812ed40880d8d81b6b28
Opcode Fuzzy Hash: 5e351b0247c0b4d5e7e5ecd95b142121224936a3c66b78db114bf69f7d5c06ff
Instruction Fuzzy Hash: B5812B71A402197BDF24ABA4EC52FFF7769AF25340F044029F945AA1D3EBB0D911D291

Function 000FC6E9 Relevance: 42.4, APIs: 23, Strings: 1, Instructions: 447windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 000FC788
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 000FC83E
SendMessageW.USER32(?,00001102,00000002,?), ref: 000FC859
SendMessageW.USER32(?,000000F1,?,00000000), ref: 000FCB15

Strings

0, xrefs: 000FC89C

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: f45b67322b82ae8faa1ccacf64e3546a82dbe25fe7a04da9239998bb0bea3b11
Instruction ID: c54f41d7ac9128e619d198d3988da6d8b22b6d7397faaa50752afcba142728af
Opcode Fuzzy Hash: f45b67322b82ae8faa1ccacf64e3546a82dbe25fe7a04da9239998bb0bea3b11
Instruction Fuzzy Hash: 82F1F17010830CAFE3258F24CA4AFBABBE4FF45354F08451DF69896AA1C774D840EB92

Function 000F638D Relevance: 42.4, APIs: 1, Strings: 23, Instructions: 352COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0012DC00), ref: 000F6449

Strings

UNCHECK, xrefs: 000F66A1
SELECTSTRING, xrefs: 000F6626
TABLEFT, xrefs: 000F64A7
GETLINECOUNT, xrefs: 000F66E4
GETCURRENTLINE, xrefs: 000F6704
GETLINE, xrefs: 000F678B
CHECK, xrefs: 000F668B
SENDCOMMANDID, xrefs: 000F67CA
CURRENTTAB, xrefs: 000F64DD
FINDSTRING, xrefs: 000F6596
SHOWDROPDOWN, xrefs: 000F6500
TABRIGHT, xrefs: 000F64BD
ADDSTRING, xrefs: 000F6536
GETCURRENTCOL, xrefs: 000F6724
EDITPASTE, xrefs: 000F675B
ISENABLED, xrefs: 000F648C
GETSELECTED, xrefs: 000F66C1
HIDEDROPDOWN, xrefs: 000F6520
ISCHECKED, xrefs: 000F6659
DELSTRING, xrefs: 000F6569
ISVISIBLE, xrefs: 000F6455
SETCURRENTSELECTION, xrefs: 000F65D6
GETCURRENTSELECTION, xrefs: 000F6603

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 3964851224-45149045
Opcode ID: 80e00fdb58c4aec2e3c9e4cd7d534c1eb0b471af0672e5f1f9010f5b40463f1c
Instruction ID: e75b244da4e92425f3bde43cc20a8ec9d3be6fd72b61e58d4b8f755ad0827979
Opcode Fuzzy Hash: 80e00fdb58c4aec2e3c9e4cd7d534c1eb0b471af0672e5f1f9010f5b40463f1c
Instruction Fuzzy Hash: 65C190302043499BCA14FF50C551AFE77E5AF95354F00486DF9866B6A3DB22ED0BEB81

Function 000FD575 Relevance: 39.2, APIs: 26, Instructions: 186windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 000FD5AE
SetTextColor.GDI32(?,?), ref: 000FD5B2
GetSysColorBrush.USER32(0000000F), ref: 000FD5C8
GetSysColor.USER32(0000000F), ref: 000FD5D3
CreateSolidBrush.GDI32(?), ref: 000FD5D8
GetSysColor.USER32(00000011), ref: 000FD5F0
CreatePen.GDI32(00000000,00000001,00743C00), ref: 000FD5FE
SelectObject.GDI32(?,00000000), ref: 000FD60F
SetBkColor.GDI32(?,00000000), ref: 000FD618
SelectObject.GDI32(?,?), ref: 000FD625
InflateRect.USER32(?,000000FF,000000FF), ref: 000FD644
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 000FD65B
GetWindowLongW.USER32(00000000,000000F0), ref: 000FD670
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 000FD698
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 000FD6BF
InflateRect.USER32(?,000000FD,000000FD), ref: 000FD6DD
DrawFocusRect.USER32(?,?), ref: 000FD6E8
GetSysColor.USER32(00000011), ref: 000FD6F6
SetTextColor.GDI32(?,00000000), ref: 000FD6FE
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 000FD712
SelectObject.GDI32(?,000FD2A5), ref: 000FD729
DeleteObject.GDI32(?), ref: 000FD734
SelectObject.GDI32(?,?), ref: 000FD73A
DeleteObject.GDI32(?), ref: 000FD73F
SetTextColor.GDI32(?,?), ref: 000FD745
SetBkColor.GDI32(?,?), ref: 000FD74F

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: b4510d183ec03d7a262b07c971ad23226d76cea48ccedb09f570aee018bc377e
Instruction ID: fb69018b62648a805e51972387ad6802401ad3ab095b9c218d6dbc7605b71e04
Opcode Fuzzy Hash: b4510d183ec03d7a262b07c971ad23226d76cea48ccedb09f570aee018bc377e
Instruction Fuzzy Hash: 8E514B71900218BFDB14AFA4ED48AEE7BBAEB08324F108115FA15AB6A1D7759A40DB50

Function 000FB6C4 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 400windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 000FB7B0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 000FB7C1
CharNextW.USER32(0000014E), ref: 000FB7F0
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 000FB831
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 000FB847
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 000FB858
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 000FB875
SetWindowTextW.USER32(?,0000014E), ref: 000FB8C7
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 000FB8DD
SendMessageW.USER32(?,00001002,00000000,?), ref: 000FB90E
_memset.LIBCMT ref: 000FB933
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 000FB97C
_memset.LIBCMT ref: 000FB9DB
SendMessageW.USER32 ref: 000FBA05
SendMessageW.USER32(?,00001074,?,00000001), ref: 000FBA5D
SendMessageW.USER32(?,0000133D,?,?), ref: 000FBB0A
InvalidateRect.USER32(?,00000000,00000001), ref: 000FBB2C
GetMenuItemInfoW.USER32(?), ref: 000FBB76
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 000FBBA3
DrawMenuBar.USER32(?), ref: 000FBBB2
SetWindowTextW.USER32(?,0000014E), ref: 000FBBDA

Strings

0, xrefs: 000FBB4F

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: ad0eb88f1362cdef4242d829e39771042597409e2759d3e5395f28db548bf14b
Instruction ID: 7683c63ee559012bac09f7d598c6ed07926614bb26ed1b86c6263cae76b29eb7
Opcode Fuzzy Hash: ad0eb88f1362cdef4242d829e39771042597409e2759d3e5395f28db548bf14b
Instruction Fuzzy Hash: DBE1917590021CABDF209FA1DC84EFE7BB8FF05710F108156FA15AA591DBB48A81EF60

Function 000F764F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 000F778A
GetDesktopWindow.USER32 ref: 000F779F
GetWindowRect.USER32(00000000), ref: 000F77A6
GetWindowLongW.USER32(?,000000F0), ref: 000F7808
DestroyWindow.USER32(?), ref: 000F7834
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 000F785D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 000F787B
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 000F78A1
SendMessageW.USER32(?,00000421,?,?), ref: 000F78B6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 000F78C9
IsWindowVisible.USER32(?), ref: 000F78E9
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 000F7904
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 000F7918
GetWindowRect.USER32(?,?), ref: 000F7930
MonitorFromPoint.USER32(?,?,00000002), ref: 000F7956
GetMonitorInfoW.USER32 ref: 000F7970
CopyRect.USER32(?,?), ref: 000F7987
SendMessageW.USER32(?,00000412,00000000), ref: 000F79F2

Strings

tooltips_class32, xrefs: 000F7856
0, xrefs: 000F7735
(, xrefs: 000F7965

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: e1ff19eefdc8e642ef8e3647715f1ed6da51fc0037d19ea53c4c65b63d997ef2
Instruction ID: bedea5ddaddac906d360e392aeccc93f61ca6c422e9cc2ab16172a96910943d8
Opcode Fuzzy Hash: e1ff19eefdc8e642ef8e3647715f1ed6da51fc0037d19ea53c4c65b63d997ef2
Instruction Fuzzy Hash: 26B1B071608301AFDB54DF64C948BAABBE5FF88310F00891DF59D9B291DB70E845DB92

Function 000AA856 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 285windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 000AA939
GetSystemMetrics.USER32(00000007), ref: 000AA941
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 000AA96C
GetSystemMetrics.USER32(00000008), ref: 000AA974
GetSystemMetrics.USER32(00000004), ref: 000AA999
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 000AA9B6
AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 000AA9C6
CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 000AA9F9
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 000AAA0D
GetClientRect.USER32(00000000,000000FF), ref: 000AAA2B
GetStockObject.GDI32(00000011), ref: 000AAA47
SendMessageW.USER32(00000000,00000030,00000000), ref: 000AAA52

Part of subcall function 000AB63C: GetCursorPos.USER32(000000FF), ref: 000AB64F
Part of subcall function 000AB63C: ScreenToClient.USER32(00000000,000000FF), ref: 000AB66C
Part of subcall function 000AB63C: GetAsyncKeyState.USER32(00000001), ref: 000AB691
Part of subcall function 000AB63C: GetAsyncKeyState.USER32(00000002), ref: 000AB69F

SetTimer.USER32(00000000,00000000,00000028,000AAB87), ref: 000AAA79

Strings

AutoIt v3 GUI, xrefs: 000AA9F1

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 675be7aea7ead96ed9041f553cb15717b573f6016852064db6fa4416bfd93e0f
Instruction ID: d936adc79b28d0fb859c81ce08fdc395548f8154b754f6a114dda7a3df2ca531
Opcode Fuzzy Hash: 675be7aea7ead96ed9041f553cb15717b573f6016852064db6fa4416bfd93e0f
Instruction Fuzzy Hash: EBB15971A0020AEFDB14DFA8DD45BEE7BB5FB09315F114219FA15AB2D0DBB4A880CB51

Function 00092EC0 Relevance: 30.1, APIs: 8, Strings: 9, Instructions: 346COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00092F7A
IsWindow.USER32(?), ref: 001022FD

Strings

LAST, xrefs: 001020B6
INSTANCE, xrefs: 0010223C
ALL, xrefs: 00102264
TITLE, xrefs: 00102292
ACTIVE, xrefs: 001020CC
REGEXPCLASS, xrefs: 00102149
CLASS, xrefs: 00102128
HANDLE, xrefs: 001020E2
REGEXPTITLE, xrefs: 001020F8

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Window$Foreground
String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
API String ID: 62970417-1919597938
Opcode ID: 01ecef94f4c167e87dfd64ea32669f430cc9930761618f5c79f8e569c2e71097
Instruction ID: db48a73caed3285f4c960fc4f09012019ee49e3f35fab294a0110527f362e0dd
Opcode Fuzzy Hash: 01ecef94f4c167e87dfd64ea32669f430cc9930761618f5c79f8e569c2e71097
Instruction Fuzzy Hash: FDD1E830104342EBCB08EF50C585AEABBB0FF54354F504A2DF499675E2DB70E99ADB91

Function 000F3639 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000F3735
RegCreateKeyExW.ADVAPI32(?,?,00000000,0012DC00,00000000,?,00000000,?,?), ref: 000F37A3
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 000F37EB
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 000F3874
RegCloseKey.ADVAPI32(?), ref: 000F3B94
RegCloseKey.ADVAPI32(00000000), ref: 000F3BA1

Strings

REG_SZ, xrefs: 000F38B2
REG_EXPAND_SZ, xrefs: 000F3811
REG_MULTI_SZ, xrefs: 000F395C
REG_BINARY, xrefs: 000F3B2F
REG_QWORD, xrefs: 000F3AE2
REG_DWORD, xrefs: 000F3A65

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 897f325b851ec2f43c8eb87779523ffad11a13b7e62adc05390851597c360daa
Instruction ID: 8350bbb81cfd0cdb2a7a636caf05233f7528a4e7906c1f0017818510789b4188
Opcode Fuzzy Hash: 897f325b851ec2f43c8eb87779523ffad11a13b7e62adc05390851597c360daa
Instruction Fuzzy Hash: 27026D75204601AFCB14EF28C851A6EB7E5FF88720F04845DF9499B7A2DB31EE01DB81

Function 000F6BC9 Relevance: 26.5, APIs: 2, Strings: 13, Instructions: 281windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 000F6C56
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 000F6D16

Strings

FINDITEM, xrefs: 000F6E81
GETTEXT, xrefs: 000F6CBF
GETITEMCOUNT, xrefs: 000F6C84
SELECT, xrefs: 000F6DA8
ISSELECTED, xrefs: 000F6D21
VIEWCHANGE, xrefs: 000F6ECD
SELECTALL, xrefs: 000F6D75
GETSUBITEMCOUNT, xrefs: 000F6CA1
SELECTCLEAR, xrefs: 000F6D8D
GETSELECTEDCOUNT, xrefs: 000F6CF9
GETSELECTED, xrefs: 000F6E3C
SELECTINVERT, xrefs: 000F6DDE
DESELECT, xrefs: 000F6DFC

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 12439ecdaa57dfba0767fa8c867ce67c95ee447032990d2fc01c93a0140fb2c9
Instruction ID: fca030d99c476894e2ff91693c3a68cda7111bc1e8294590f4a2a4924e17837e
Opcode Fuzzy Hash: 12439ecdaa57dfba0767fa8c867ce67c95ee447032990d2fc01c93a0140fb2c9
Instruction Fuzzy Hash: EEA19E302042459BCB14EF24C952ABEB3E5BF55314F10496DBA966B7D3DB32EC0AEB41

Function 000CCF50 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 000CCF91
__swprintf.LIBCMT ref: 000CD032
_wcscmp.LIBCMT ref: 000CD045
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 000CD09A
_wcscmp.LIBCMT ref: 000CD0D6
GetClassNameW.USER32(?,?,00000400), ref: 000CD10D
GetDlgCtrlID.USER32(?), ref: 000CD15F
GetWindowRect.USER32(?,?), ref: 000CD195
GetParent.USER32(?), ref: 000CD1B3
ScreenToClient.USER32(00000000), ref: 000CD1BA
GetClassNameW.USER32(?,?,00000100), ref: 000CD234
_wcscmp.LIBCMT ref: 000CD248
GetWindowTextW.USER32(?,?,00000400), ref: 000CD26E
_wcscmp.LIBCMT ref: 000CD282

Strings

%s%u, xrefs: 000CD02C

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
String ID: %s%u
API String ID: 3119225716-679674701
Opcode ID: 36c73c2646ab0d1a0fb8449d9bb382130139d5e587c947ae685ad9724df4fd24
Instruction ID: 3a3a483724f6c247a838ce5dbf3120b13a490f72c16c73f4d1877e1084258b76
Opcode Fuzzy Hash: 36c73c2646ab0d1a0fb8449d9bb382130139d5e587c947ae685ad9724df4fd24
Instruction Fuzzy Hash: CDA1BE71604302ABD715DF64C884FEEB7E8FF54354F00852EF99A92191DB30EA46CBA1

Function 000CD8A7 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 000CD8EB
_wcscmp.LIBCMT ref: 000CD8FC
GetWindowTextW.USER32(00000001,?,00000400), ref: 000CD924
CharUpperBuffW.USER32(?,00000000), ref: 000CD941
_wcscmp.LIBCMT ref: 000CD95F
_wcsstr.LIBCMT ref: 000CD970
GetClassNameW.USER32(00000018,?,00000400), ref: 000CD9A8
_wcscmp.LIBCMT ref: 000CD9B8
GetWindowTextW.USER32(00000002,?,00000400), ref: 000CD9DF
GetClassNameW.USER32(00000018,?,00000400), ref: 000CDA28
_wcscmp.LIBCMT ref: 000CDA38
GetClassNameW.USER32(00000010,?,00000400), ref: 000CDA60
GetWindowRect.USER32(00000004,?), ref: 000CDAC9

Strings

ThumbnailClass, xrefs: 000CD9B3, 000CDA33
@, xrefs: 000CD8C6

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: e519f3242667db82c513af7a17e1628d5adce1c05a3b9d4336a2909cd81f234c
Instruction ID: 2bf83110ba764c096565c345debc836c32322d7cfee301f12d4f918cfaf4baf7
Opcode Fuzzy Hash: e519f3242667db82c513af7a17e1628d5adce1c05a3b9d4336a2909cd81f234c
Instruction Fuzzy Hash: D5818A310082059BDB15DF10D985FAE7BE8EF84714F04847EFD8A9A096DB30EE46CBA1

Function 000CD6F4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 104COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 000CD753

Strings

LAST, xrefs: 000CD718
[REGEXPTITLE:, xrefs: 000CD77B
HANDLE=, xrefs: 000CD74C
[CLASS:, xrefs: 000CD7A3
ALL, xrefs: 000CD7E7
[HANDLE:, xrefs: 000CD75F
CLASSNAME=, xrefs: 000CD790
[LAST, xrefs: 000CD800
ACTIVE, xrefs: 000CD72E
REGEXP=, xrefs: 000CD768
[ACTIVE, xrefs: 000CD740
[ALL, xrefs: 000CD7F9

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: cf390db82a7670f4c08e1cd49635c3840fea6795021a8bb23b15443ba52e52f0
Instruction ID: a73212c9f3efd339d384627612f6ad22017b8926b928cb2bb6a9ae738ddeb2fa
Opcode Fuzzy Hash: cf390db82a7670f4c08e1cd49635c3840fea6795021a8bb23b15443ba52e52f0
Instruction Fuzzy Hash: AF312E31A48205AADF15EB50DD93FEEB3B59F20711FA0013AF441710E6FF62AA489651

Function 000CEA9D Relevance: 25.7, APIs: 17, Instructions: 168windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 000CEAB0
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 000CEAC2
SetWindowTextW.USER32(?,?), ref: 000CEAD9
GetDlgItem.USER32(?,000003EA), ref: 000CEAEE
SetWindowTextW.USER32(00000000,?), ref: 000CEAF4
GetDlgItem.USER32(?,000003E9), ref: 000CEB04
SetWindowTextW.USER32(00000000,?), ref: 000CEB0A
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 000CEB2B
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 000CEB45
GetWindowRect.USER32(?,?), ref: 000CEB4E
SetWindowTextW.USER32(?,?), ref: 000CEBB9
GetDesktopWindow.USER32 ref: 000CEBBF
GetWindowRect.USER32(00000000), ref: 000CEBC6
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 000CEC12
GetClientRect.USER32(?,?), ref: 000CEC1F
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 000CEC44
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 000CEC6F

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 40ace4c83b24859eb1e3df29e31f405594fc8a7db0c9fc9bbc1d1c4bd42c49f2
Instruction ID: fde7950c3f2520d421c9b1630f2b4d9116d33414714817dc49fb2d26f928e410
Opcode Fuzzy Hash: 40ace4c83b24859eb1e3df29e31f405594fc8a7db0c9fc9bbc1d1c4bd42c49f2
Instruction Fuzzy Hash: 84513C71900749AFDB259FA8DE89FAFBBF5FF04705F00492CE686A25A0D774A944CB10

Function 000E79B0 Relevance: 25.6, APIs: 17, Instructions: 109COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 000E79C6
LoadCursorW.USER32(00000000,00007F00), ref: 000E79D1
LoadCursorW.USER32(00000000,00007F03), ref: 000E79DC
LoadCursorW.USER32(00000000,00007F8B), ref: 000E79E7
LoadCursorW.USER32(00000000,00007F01), ref: 000E79F2
LoadCursorW.USER32(00000000,00007F81), ref: 000E79FD
LoadCursorW.USER32(00000000,00007F88), ref: 000E7A08
LoadCursorW.USER32(00000000,00007F80), ref: 000E7A13
LoadCursorW.USER32(00000000,00007F86), ref: 000E7A1E
LoadCursorW.USER32(00000000,00007F83), ref: 000E7A29
LoadCursorW.USER32(00000000,00007F85), ref: 000E7A34
LoadCursorW.USER32(00000000,00007F82), ref: 000E7A3F
LoadCursorW.USER32(00000000,00007F84), ref: 000E7A4A
LoadCursorW.USER32(00000000,00007F04), ref: 000E7A55
LoadCursorW.USER32(00000000,00007F02), ref: 000E7A60
LoadCursorW.USER32(00000000,00007F89), ref: 000E7A6B
GetCursorInfo.USER32(?), ref: 000E7A7B

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 88f9599e81f2ffab2c088818ccba46bd787d1aef7c0c409495d37ab54561c3c2
Instruction ID: 914d18828a4891ce9b20ac52feceb1fa02f91c16c250e18e7b21caa0de0a142f
Opcode Fuzzy Hash: 88f9599e81f2ffab2c088818ccba46bd787d1aef7c0c409495d37ab54561c3c2
Instruction Fuzzy Hash: 1D3117B0D083196ADB509FB69C8999FBFE8FF44750F544536E50DF7180DA78A5008F91

Function 0009C833 Relevance: 25.0, APIs: 7, Strings: 7, Instructions: 479COMMON

Download Yara Rule

APIs

Part of subcall function 000AE968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,0009C8B7,?,00002000,?,?,00000000,?,0009419E,?,?,?,0012DC00), ref: 000AE984

Part of subcall function 0009660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000953B1,?,?,000961FF,?,00000000,00000001,00000000), ref: 0009662F

__wsplitpath.LIBCMT ref: 0009C93E

Part of subcall function 000B1DFC: __wsplitpath_helper.LIBCMT ref: 000B1E3C

_wcscpy.LIBCMT ref: 0009C953
_wcscat.LIBCMT ref: 0009C968
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0009C978
SetCurrentDirectoryW.KERNEL32(?), ref: 0009CABE

Part of subcall function 0009B337: _wcscpy.LIBCMT ref: 0009B36F

Strings

Error opening the file, xrefs: 001030B4, 0010313D
Bad directive syntax error, xrefs: 00103429
Unterminated string, xrefs: 00103470
AU3!, xrefs: 0009C90C
EA06, xrefs: 001030C9
>>>AUTOIT SCRIPT<<<, xrefs: 0010311B
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00103098

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 2258743419-1018226102
Opcode ID: 874b06bd21bcd616a6d8068822358e907c402f8e88b5e9aa42b2459e195ed8e3
Instruction ID: be4f475296039446dffd7fd84100fc9dfdf4650f31e258e4b1b8b4307fbf36b0
Opcode Fuzzy Hash: 874b06bd21bcd616a6d8068822358e907c402f8e88b5e9aa42b2459e195ed8e3
Instruction Fuzzy Hash: D3128C715083419FCB24EF64C881AEFBBE4BF99304F04491EF599972A2DB30DA49DB52

Function 000DFA0C Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 238COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 000DFA96
_wcschr.LIBCMT ref: 000DFAA4
_wcscpy.LIBCMT ref: 000DFABB
_wcscat.LIBCMT ref: 000DFACA
_wcscat.LIBCMT ref: 000DFAE8
_wcscpy.LIBCMT ref: 000DFB09
__wsplitpath.LIBCMT ref: 000DFBE6
_wcscpy.LIBCMT ref: 000DFC0B
_wcscpy.LIBCMT ref: 000DFC1D
_wcscpy.LIBCMT ref: 000DFC32
_wcscat.LIBCMT ref: 000DFC47
_wcscat.LIBCMT ref: 000DFC59
_wcscat.LIBCMT ref: 000DFC6E

Part of subcall function 000DBFA4: _wcscmp.LIBCMT ref: 000DC03E
Part of subcall function 000DBFA4: __wsplitpath.LIBCMT ref: 000DC083
Part of subcall function 000DBFA4: _wcscpy.LIBCMT ref: 000DC096
Part of subcall function 000DBFA4: _wcscat.LIBCMT ref: 000DC0A9
Part of subcall function 000DBFA4: __wsplitpath.LIBCMT ref: 000DC0CE
Part of subcall function 000DBFA4: _wcscat.LIBCMT ref: 000DC0E4
Part of subcall function 000DBFA4: _wcscat.LIBCMT ref: 000DC0F7

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 000DFA61

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 2955681530-2806939583
Opcode ID: b128a921eef27cc9a8402d483575b7a92ecee27c892bc2dbb65df5ef3acb5de0
Instruction ID: af9d0bd6381b5f321a1f5c433282c926a4813abc519ffd2ada89f01f70729913
Opcode Fuzzy Hash: b128a921eef27cc9a8402d483575b7a92ecee27c892bc2dbb65df5ef3acb5de0
Instruction Fuzzy Hash: 7E919271504705AFCB20EF54C951EEBB3E9BF44310F04886EF95997292DB31EA54CBA2

Function 000FCE58 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000FCEFB
DestroyWindow.USER32(00000000,?), ref: 000FCF73
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 000FCFF4
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 000FD016
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 000FD025
DestroyWindow.USER32(?), ref: 000FD042
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00090000,00000000), ref: 000FD075
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 000FD094
GetDesktopWindow.USER32 ref: 000FD0A9
GetWindowRect.USER32(00000000), ref: 000FD0B0
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 000FD0C2
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 000FD0DA

Part of subcall function 000AB526: GetWindowLongW.USER32(?,000000EB), ref: 000AB537

Strings

tooltips_class32, xrefs: 000FCFED, 000FD06E
0, xrefs: 000FCF1B

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
String ID: 0$tooltips_class32
API String ID: 3877571568-3619404913
Opcode ID: ead5598431bbeee891438ddf6dc73d043c62f33d76bcd48f9ec94eefd467c5dd
Instruction ID: be8328306ab5ce7c5b3e3afffe2fb987c020687e1fe13588578876b2932092db
Opcode Fuzzy Hash: ead5598431bbeee891438ddf6dc73d043c62f33d76bcd48f9ec94eefd467c5dd
Instruction Fuzzy Hash: F571E175140309AFD725CF28CC85FB677E6EB88704F18491EFA858B6A1DB70E942DB12

Function 000DAAF8 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 374timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 000DAB3D
VariantCopy.OLEAUT32(?,?), ref: 000DAB46
VariantClear.OLEAUT32(?), ref: 000DAB52
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 000DAC40
__swprintf.LIBCMT ref: 000DAC70
VarR8FromDec.OLEAUT32(?,?), ref: 000DAC9C
VariantInit.OLEAUT32(?), ref: 000DAD4D
SysFreeString.OLEAUT32(00000016), ref: 000DADDF
VariantClear.OLEAUT32(?), ref: 000DAE35
VariantClear.OLEAUT32(?), ref: 000DAE44
VariantInit.OLEAUT32(00000000), ref: 000DAE80

Strings

Default, xrefs: 000DACFD
%4d%02d%02d%02d%02d%02d, xrefs: 000DAC6A

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: 06affe1ee67a69a6ada8801c483168777794d61ec24ebff690926f43b2380e19
Instruction ID: ca406ffd8794022de12bc1fb02e7d376891e343ce3757445d5302f9346ec43b1
Opcode Fuzzy Hash: 06affe1ee67a69a6ada8801c483168777794d61ec24ebff690926f43b2380e19
Instruction Fuzzy Hash: DBD1D031B04315EBDB209FA5D884BADB7B5BF06720F188457E4059B682DB74EC41DBB2

Function 000DBFA4 Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 316fileCOMMON

Download Yara Rule

APIs

Part of subcall function 000DBDB4: __time64.LIBCMT ref: 000DBDBE

Part of subcall function 00094517: _fseek.LIBCMT ref: 0009452F

__wsplitpath.LIBCMT ref: 000DC083

Part of subcall function 000B1DFC: __wsplitpath_helper.LIBCMT ref: 000B1E3C

_wcscpy.LIBCMT ref: 000DC096
_wcscat.LIBCMT ref: 000DC0A9
__wsplitpath.LIBCMT ref: 000DC0CE
_wcscat.LIBCMT ref: 000DC0E4
_wcscat.LIBCMT ref: 000DC0F7
_wcscmp.LIBCMT ref: 000DC03E

Part of subcall function 000DC56D: _wcscmp.LIBCMT ref: 000DC65D
Part of subcall function 000DC56D: _wcscmp.LIBCMT ref: 000DC670

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 000DC2A1
DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 000DC338
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 000DC34E
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 000DC35F
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 000DC371

Strings

p1Mw`KNw, xrefs: 000DC2A1, 000DC338, 000DC35F, 000DC371

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
String ID: p1Mw`KNw
API String ID: 2378138488-3626030660
Opcode ID: 97643951d1265beea58ee63e23d346e4a8614ce3880ade13f9a4b28c0af5222a
Instruction ID: ace2f1c41fac7feb5dbce41a105cf73ae6e967cec7c603fe8d74ca639d402461
Opcode Fuzzy Hash: 97643951d1265beea58ee63e23d346e4a8614ce3880ade13f9a4b28c0af5222a
Instruction Fuzzy Hash: BDC10BB1900219ABDF21DF95CC81EEEB7BDAF49310F5040A6F609E6252DB709A85CF61

Function 000F716A Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 244windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 000F71FC
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 000F7247

Strings

UNCHECK, xrefs: 000F740B
EXPAND, xrefs: 000F72E1
GETTEXT, xrefs: 000F7382
GETITEMCOUNT, xrefs: 000F7311
COLLAPSE, xrefs: 000F728D
GETTOTALCOUNT, xrefs: 000F722A
GETSELECTED, xrefs: 000F733F
CHECK, xrefs: 000F7267
SELECT, xrefs: 000F73E0
ISCHECKED, xrefs: 000F73B2
EXISTS, xrefs: 000F72B0

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 065001dd6c7b7de9e6f81e79a7a40410e6d1f6f3e4aec8d1c0e85c71ab65c397
Instruction ID: bf196fbbb7976100289bc624343688347a0a6e21044013bea94750b067d04994
Opcode Fuzzy Hash: 065001dd6c7b7de9e6f81e79a7a40410e6d1f6f3e4aec8d1c0e85c71ab65c397
Instruction Fuzzy Hash: 1B9195302087059BCB04EF24C551AAEB7E1BF55310F04485DF95A677A3DB31ED06EB82

Function 000FE4F5 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 199windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 000FE5AB
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,000FBEAF), ref: 000FE607
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 000FE647
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 000FE68C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 000FE6C3
FreeLibrary.KERNEL32(?,00000004,?,?,?,?,000FBEAF), ref: 000FE6CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 000FE6DF
DestroyCursor.USER32(?), ref: 000FE6EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 000FE70B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 000FE717

Part of subcall function 000B0FA7: __wcsicmp_l.LIBCMT ref: 000B1030

Strings

.dll, xrefs: 000FE564
.icl, xrefs: 000FE521
.exe, xrefs: 000FE541

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Load$Image$LibraryMessageSend$CursorDestroyExtractFreeIcon__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 3907162815-1154884017
Opcode ID: a91934bec4ccb954ef3854306b6706d3e115911e2fa02e2918cacfed9655e06f
Instruction ID: 6580e668c01a1cb931706c8ddf4edc2dc4390ddd2c8a9bc320de5a395d88dc2d
Opcode Fuzzy Hash: a91934bec4ccb954ef3854306b6706d3e115911e2fa02e2918cacfed9655e06f
Instruction Fuzzy Hash: B3610271600659FBEB24DF64DC42FFE7BA8BB08754F108215FA15D64E1EB709980DBA0

Function 000DD219 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 0009936C: __swprintf.LIBCMT ref: 000993AB
Part of subcall function 0009936C: __itow.LIBCMT ref: 000993DF

CharLowerBuffW.USER32(?,?), ref: 000DD292
GetDriveTypeW.KERNEL32 ref: 000DD2DF
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 000DD327
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 000DD35E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 000DD38C

Strings

set cd door , xrefs: 000DD32D
close, xrefs: 000DD298
close cd wait, xrefs: 000DD377
open, xrefs: 000DD2B9
open , xrefs: 000DD2EE
closed, xrefs: 000DD2A6, 000DD2AF
type cdaudio alias cd wait, xrefs: 000DD30A
wait, xrefs: 000DD349

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1148790751-4113822522
Opcode ID: 942cf50c8b61782e253d70866ed892ddf44a288f8918b63f96e830bd9901a984
Instruction ID: 81671b9a4a66b9c1ecf052a464953b551819ef3ad86331db1e7655088254b842
Opcode Fuzzy Hash: 942cf50c8b61782e253d70866ed892ddf44a288f8918b63f96e830bd9901a984
Instruction Fuzzy Hash: 41515F71504305AFC700EF24C9919AEB7E4FF94758F10885DF895A72A2DB31EE06DB52

Function 000D26BC Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,00103973,00000016,0000138C,00000016,?,00000016,0012DDB4,00000000,?), ref: 000D26F1
LoadStringW.USER32(00000000,?,00103973,00000016), ref: 000D26FA
GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,00103973,00000016,0000138C,00000016,?,00000016,0012DDB4,00000000,?,00000016), ref: 000D271C
LoadStringW.USER32(00000000,?,00103973,00000016), ref: 000D271F
__swprintf.LIBCMT ref: 000D276F
__swprintf.LIBCMT ref: 000D2780
_wprintf.LIBCMT ref: 000D2829
MessageBoxW.USER32(00000000,?,?,00011010), ref: 000D2840

Strings

%s (%d) : ==> %s: %s %s, xrefs: 000D2824
^ ERROR, xrefs: 000D27D5
Line %d:, xrefs: 000D277A
Error: , xrefs: 000D27F7
Line %d (File "%s"):, xrefs: 000D2769

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 618562835-2268648507
Opcode ID: 255e355a5ff36e00adb3654975f63cf5dec0dc0cbf420fd2c038098fa0c3dce6
Instruction ID: 00eb490aaa3f2e33f61c943e8cda1467986083221427843366b4d2c85a52ca6a
Opcode Fuzzy Hash: 255e355a5ff36e00adb3654975f63cf5dec0dc0cbf420fd2c038098fa0c3dce6
Instruction Fuzzy Hash: 50413E72800219BADF15FBE0DE96DEEB778AF15341F500065B60176093EB706F59EB60

Function 000DD0B8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 000DD0D8
__swprintf.LIBCMT ref: 000DD0FA
CreateDirectoryW.KERNEL32(?,00000000), ref: 000DD137
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 000DD15C
_memset.LIBCMT ref: 000DD17B
_wcsncpy.LIBCMT ref: 000DD1B7
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 000DD1EC
CloseHandle.KERNEL32(00000000), ref: 000DD1F7
RemoveDirectoryW.KERNEL32(?), ref: 000DD200
CloseHandle.KERNEL32(00000000), ref: 000DD20A

Strings

:, xrefs: 000DD11B
\, xrefs: 000DD110
\??\%s, xrefs: 000DD0F4

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 12c94f87c4e7efdc886779327c99d384a5386adf3b4ee7c1e7d55200c03716e8
Instruction ID: 79c6e438c7ee4b7a871db49f156139facc432ec573b21cc3785ab08af944a3df
Opcode Fuzzy Hash: 12c94f87c4e7efdc886779327c99d384a5386adf3b4ee7c1e7d55200c03716e8
Instruction Fuzzy Hash: 873190B650020AABDB21DFA0DC49FEB37BCEF89700F1080B6F519D2161EB7096848B34

Function 000FE731 Relevance: 22.6, APIs: 15, Instructions: 129filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,000FBEF4,?,?), ref: 000FE754
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,000FBEF4,?,?,00000000,?), ref: 000FE76B
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,000FBEF4,?,?,00000000,?), ref: 000FE776
CloseHandle.KERNEL32(00000000,?,?,?,?,000FBEF4,?,?,00000000,?), ref: 000FE783
GlobalLock.KERNEL32(00000000), ref: 000FE78C
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,000FBEF4,?,?,00000000,?), ref: 000FE79B
GlobalUnlock.KERNEL32(00000000), ref: 000FE7A4
CloseHandle.KERNEL32(00000000,?,?,?,?,000FBEF4,?,?,00000000,?), ref: 000FE7AB
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,000FBEF4,?,?,00000000,?), ref: 000FE7BC
OleLoadPicture.OLEAUT32(?,00000000,00000000,0011D9BC,?), ref: 000FE7D5
GlobalFree.KERNEL32(00000000), ref: 000FE7E5
GetObjectW.GDI32(00000000,00000018,?), ref: 000FE809
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 000FE834
DeleteObject.GDI32(00000000), ref: 000FE85C
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 000FE872

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 345418905bc95b9c44798da68cc553b465877804c5ab734b3ed85b4392a27d5d
Instruction ID: f692550e81d69498f24b21f6d055bfe0c3edebc67ec2de1930b768b757808dff
Opcode Fuzzy Hash: 345418905bc95b9c44798da68cc553b465877804c5ab734b3ed85b4392a27d5d
Instruction Fuzzy Hash: 0B414975600208FFDB159F65ED48EAE7BB9EB89711F108058FA1997660DB309D81DB20

Function 000E05F8 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 000E076F
_wcscat.LIBCMT ref: 000E0787
_wcscat.LIBCMT ref: 000E0799
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 000E07AE
SetCurrentDirectoryW.KERNEL32(?), ref: 000E07C2
GetFileAttributesW.KERNEL32(?), ref: 000E07DA
SetFileAttributesW.KERNEL32(?,00000000), ref: 000E07F4
SetCurrentDirectoryW.KERNEL32(?), ref: 000E0806

Strings

*.*, xrefs: 000E0845

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 24c626e44d4ff0f5bcd65663a2519b9548071982f966c820c7d02b7448de4797
Instruction ID: e35017483d78e86739de2d8dbd36a91a7d2d3ebf812a4402599079d4c3bf6f09
Opcode Fuzzy Hash: 24c626e44d4ff0f5bcd65663a2519b9548071982f966c820c7d02b7448de4797
Instruction Fuzzy Hash: 3B81A4716043819FCB64DF65C845AAEB7E4BBC4304F14882EF485E7251EB70D995CB52

Function 000CA867 Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000CABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 000CABD7
Part of subcall function 000CABBB: GetLastError.KERNEL32(?,000CA69F,?,?,?), ref: 000CABE1
Part of subcall function 000CABBB: GetProcessHeap.KERNEL32(00000008,?,?,000CA69F,?,?,?), ref: 000CABF0
Part of subcall function 000CABBB: RtlAllocateHeap.KERNEL32(00000000,?,000CA69F,?,?,?), ref: 000CABF7
Part of subcall function 000CABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 000CAC0E

Part of subcall function 000CAC56: GetProcessHeap.KERNEL32(00000008,000CA6B5,00000000,00000000,?,000CA6B5,?), ref: 000CAC62
Part of subcall function 000CAC56: RtlAllocateHeap.KERNEL32(00000000,?,000CA6B5,?), ref: 000CAC69
Part of subcall function 000CAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,000CA6B5,?), ref: 000CAC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 000CA8CB
_memset.LIBCMT ref: 000CA8E0
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 000CA8FF
GetLengthSid.ADVAPI32(?), ref: 000CA910
GetAce.ADVAPI32(?,00000000,?), ref: 000CA94D
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 000CA969
GetLengthSid.ADVAPI32(?), ref: 000CA986
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 000CA995
RtlAllocateHeap.KERNEL32(00000000), ref: 000CA99C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 000CA9BD
CopySid.ADVAPI32(00000000), ref: 000CA9C4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 000CA9F5
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 000CAA1B
SetUserObjectSecurity.USER32(?,00000004,?), ref: 000CAA2F

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 2347767575-0
Opcode ID: bfc7fd65678cc4562639f84d92d1a8b1c894a8da838500f41fd9dd772f3bc4a8
Instruction ID: 1c90cfbebeb221be7b1e361a6b885d9d07dfdea5385c288b61c9b671cac9f0fb
Opcode Fuzzy Hash: bfc7fd65678cc4562639f84d92d1a8b1c894a8da838500f41fd9dd772f3bc4a8
Instruction Fuzzy Hash: 3D514AB1A00209AFDF14DF90DD85EEEBBB9FF09304F048119F911A62A1DB34DA45CB61

Function 000E9DC1 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 159windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 000E9E36
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 000E9E42
CreateCompatibleDC.GDI32(?), ref: 000E9E4E
SelectObject.GDI32(00000000,?), ref: 000E9E5B
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 000E9EAF
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 000E9EEB
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 000E9F0F
SelectObject.GDI32(00000006,?), ref: 000E9F17
DeleteObject.GDI32(?), ref: 000E9F20
DeleteDC.GDI32(00000006), ref: 000E9F27
ReleaseDC.USER32(00000000,?), ref: 000E9F32

Strings

(, xrefs: 000E9ED7

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: cd2279a6221cac1d190ce36ae8f7f125555c468e89ffee06f2f020bed569d4f3
Instruction ID: 45786b2379e95229a69319a21e3116e790b278964e004c3073d30a840b10ef23
Opcode Fuzzy Hash: cd2279a6221cac1d190ce36ae8f7f125555c468e89ffee06f2f020bed569d4f3
Instruction Fuzzy Hash: 63513875A00349AFCB24CFA9DC85EAEBBB9EF48310F14841DF95AA7210C731A941CB90

Function 000DCC5C Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 155COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF), ref: 000DCCA3
LoadStringW.USER32(?,?,00000FFF,?), ref: 000DCCC5
__swprintf.LIBCMT ref: 000DCD1E
__swprintf.LIBCMT ref: 000DCD37
_wprintf.LIBCMT ref: 000DCDED
_wprintf.LIBCMT ref: 000DCE0B

Strings

"%s" (%d) : ==> %s:, xrefs: 000DCE06
^ ERROR, xrefs: 000DCD8F
Error: , xrefs: 000DCDB5
"%s" (%d) : ==> %s:%s%s, xrefs: 000DCDE8
Line %d (File "%s"):, xrefs: 000DCD18, 000DCD31

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-2391861430
Opcode ID: 035511b698ba4530a66f1a7f82795372454e5de74b48b5acdfe6452f0f98fe64
Instruction ID: 82aaa9499803d588288606a8bf8cf8d9bcb6a668008cc7e5dfbc9c2c81ed2112
Opcode Fuzzy Hash: 035511b698ba4530a66f1a7f82795372454e5de74b48b5acdfe6452f0f98fe64
Instruction Fuzzy Hash: B5517C72800219BADF15EBE0DD56EEEB779AF04304F100166F505721A3EB316F99EB61

Function 000DCA48 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 151COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 000DCA8F
LoadStringW.USER32(00000072,?,00000FFF,?), ref: 000DCAB0
__swprintf.LIBCMT ref: 000DCB09
__swprintf.LIBCMT ref: 000DCB22
_wprintf.LIBCMT ref: 000DCBCD
_wprintf.LIBCMT ref: 000DCBEB

Strings

"%s" (%d) : ==> %s:, xrefs: 000DCBE6
Error: , xrefs: 000DCB95
^ ERROR , xrefs: 000DCB64
"%s" (%d) : ==> %s:%s%s, xrefs: 000DCBC8
Line %d (File "%s"):, xrefs: 000DCB03, 000DCB1C

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-3420473620
Opcode ID: 74968fc5bd797083e16a31d9f6a5fd226e0aaf6b153831b83857a9c3e00ecd7b
Instruction ID: 8a49b5734f0bacac7e79513f9e97814c9c201137a6c2f263939dcfccdf2dc755
Opcode Fuzzy Hash: 74968fc5bd797083e16a31d9f6a5fd226e0aaf6b153831b83857a9c3e00ecd7b
Instruction Fuzzy Hash: 9E516B32900219BADF15EBE0DD42EEEB778AF04344F104066F506721A2EB716F99EF61

Function 000D55BD Relevance: 19.7, APIs: 13, Instructions: 213windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000D55D7
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 000D5664
GetMenuItemCount.USER32(00151708), ref: 000D56ED
DeleteMenu.USER32(00151708,00000005,00000000,000000F5,?,?), ref: 000D577D
DeleteMenu.USER32(00151708,00000004,00000000), ref: 000D5785
DeleteMenu.USER32(00151708,00000006,00000000), ref: 000D578D
DeleteMenu.USER32(00151708,00000003,00000000), ref: 000D5795
GetMenuItemCount.USER32(00151708), ref: 000D579D
SetMenuItemInfoW.USER32(00151708,00000004,00000000,00000030), ref: 000D57D3
GetCursorPos.USER32(?), ref: 000D57DD
SetForegroundWindow.USER32(00000000), ref: 000D57E6
TrackPopupMenuEx.USER32(00151708,00000000,?,00000000,00000000,00000000), ref: 000D57F9
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 000D5805

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: d96b5fef8d277596de0d2c3108dcfa53e5938cd4526664eb847e485983409d3e
Instruction ID: 61da3328614ccc39497bee951ebd9aa150a24e6bd1a374426872127c3fd3a31b
Opcode Fuzzy Hash: d96b5fef8d277596de0d2c3108dcfa53e5938cd4526664eb847e485983409d3e
Instruction Fuzzy Hash: 2171D270640B15BFEB619B14DC49FEABFA5FF00365F244206F918AB2D1C7719850DBA1

Function 000BACB3 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 219COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 000BACC1

Part of subcall function 000B7CF4: __mtinitlocknum.LIBCMT ref: 000B7D06
Part of subcall function 000B7CF4: RtlEnterCriticalSection.KERNEL32(00000000,?,000B7ADD,0000000D), ref: 000B7D1F

__calloc_crt.LIBCMT ref: 000BACD2

Part of subcall function 000B6986: __calloc_impl.LIBCMT ref: 000B6995
Part of subcall function 000B6986: Sleep.KERNEL32(00000000,000003BC,000AF507,?,0000000E), ref: 000B69AC

@_EH4_CallFilterFunc@8.LIBCMT ref: 000BACED
GetStartupInfoW.KERNEL32(?,00146E28,00000064,000B5E91,00146C70,00000014), ref: 000BAD46
__calloc_crt.LIBCMT ref: 000BAD91
GetFileType.KERNEL32(00000001), ref: 000BADD8
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 000BAE11

Strings

pI, xrefs: 000BACFD, 000BAD3B

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
String ID: pI
API String ID: 1426640281-2917132990
Opcode ID: 95c9f84fff54a3f1b61da4ebafe3f59ea0fee2cd9ae3d33baba36e8789aa994f
Instruction ID: 71c455c3ce5ed1713e62469fa9c291d3550018bff1b7a62fcaf891d9f8b2bffc
Opcode Fuzzy Hash: 95c9f84fff54a3f1b61da4ebafe3f59ea0fee2cd9ae3d33baba36e8789aa994f
Instruction Fuzzy Hash: 3A81A271A053558FDB24CFA8C8805EDBBF0AF0A325B24426DD4AAAB7D1D734D843CB56

Function 000F3C06 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 109COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,000F2BB5,?,?), ref: 000F3C1D

Strings

HKEY_CURRENT_USER, xrefs: 000F3CE2
HKEY_CLASSES_ROOT, xrefs: 000F3C96
HKCC, xrefs: 000F3CD1
HKCU, xrefs: 000F3CF3
HKEY_LOCAL_MACHINE, xrefs: 000F3C6C
HKLM, xrefs: 000F3C81
HKEY_CURRENT_CONFIG, xrefs: 000F3CC0
HKEY_USERS, xrefs: 000F3D04
HKU, xrefs: 000F3D15
HKCR, xrefs: 000F3CAB

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 7f83165c67c3cf5808980e5a54b1e692dd5a375fc5df78f8422fadd7bd8c5ae1
Instruction ID: 4da761e3fd621de191d31b2d680a0e097c6c4050313842fe824e8ff1f3d5faa7
Opcode Fuzzy Hash: 7f83165c67c3cf5808980e5a54b1e692dd5a375fc5df78f8422fadd7bd8c5ae1
Instruction Fuzzy Hash: B4414D3011028E8BDF54EF50E951AFB3365AF22360F104814FE556B6A2EB70AE0ADF50

Function 000D25B5 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,001036F4,00000010,?,Bad directive syntax error,0012DC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 000D25D6
LoadStringW.USER32(00000000,?,001036F4,00000010), ref: 000D25DD
_wprintf.LIBCMT ref: 000D2610
__swprintf.LIBCMT ref: 000D2632
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 000D26A1

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 000D260B
., xrefs: 000D2687
Error: , xrefs: 000D266F
Line %d:, xrefs: 000D262C
Line %d (File "%s"):, xrefs: 000D2647

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1080873982-4153970271
Opcode ID: 8a84249c980654c02ca3132daad6049b4d7830bf7f31bb7d95f23a3fe5be1ee9
Instruction ID: 42701b7782431cbad6bd947a6e508eee2dfbe92ab54dfbc564433e33eb557cde
Opcode Fuzzy Hash: 8a84249c980654c02ca3132daad6049b4d7830bf7f31bb7d95f23a3fe5be1ee9
Instruction Fuzzy Hash: 15215E3180031ABFDF12AF90CC5AEEE7779BF18304F044455F515660A3EB71A664EB60

Function 000D7AD9 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 73COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 000D7B42
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 000D7B58
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 000D7B69
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 000D7B7B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 000D7B8C

Strings

play PlayMe, xrefs: 000D7B87
alias PlayMe, xrefs: 000D7B1B
status PlayMe mode, xrefs: 000D7B3D
close PlayMe, xrefs: 000D7B53, 000D7B80
open , xrefs: 000D7AF1
play PlayMe wait, xrefs: 000D7B76

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: SendString
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 890592661-1007645807
Opcode ID: b60643e8026d95eed75a4547afe3e6cb161759aecb7dec8a409b25b66799bcf3
Instruction ID: f2bd4c218d4e49b05269807e4f9c1aac110e861d47489103d198bcbb8f4f93c6
Opcode Fuzzy Hash: b60643e8026d95eed75a4547afe3e6cb161759aecb7dec8a409b25b66799bcf3
Instruction Fuzzy Hash: E411ABA1A5025979DB24B7A5CC4ADFFBABCEFD1B10F00041B7465A31D1EF601A45C6B1

Function 000D778F Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 000D7794

Part of subcall function 000ADC38: timeGetTime.WINMM(?,7707B400,001058AB), ref: 000ADC3C

Sleep.KERNEL32(0000000A), ref: 000D77C0
EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 000D77E4
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 000D7806
SetActiveWindow.USER32 ref: 000D7825
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 000D7833
SendMessageW.USER32(00000010,00000000,00000000), ref: 000D7852
Sleep.KERNEL32(000000FA), ref: 000D785D
IsWindow.USER32 ref: 000D7869
EndDialog.USER32(00000000), ref: 000D787A

Strings

BUTTON, xrefs: 000D77F8

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 8ef40a7f3bf0284d54bc8b1bda3d4b040598ef8c62bd48c78a98ff2dadb294a5
Instruction ID: b8ee9c0fefcfc372da10a8e3c3bc2053bc7c843c8e4d6ecf6d0024b4923402b5
Opcode Fuzzy Hash: 8ef40a7f3bf0284d54bc8b1bda3d4b040598ef8c62bd48c78a98ff2dadb294a5
Instruction Fuzzy Hash: 93219270208705EFE3455B20FC89A667F69FB0438AF404066F5198BA62FF718D80DA31

Function 000E02EE Relevance: 18.3, APIs: 12, Instructions: 282comCOMMON

Download Yara Rule

APIs

Part of subcall function 0009936C: __swprintf.LIBCMT ref: 000993AB
Part of subcall function 0009936C: __itow.LIBCMT ref: 000993DF

CoInitialize.OLE32(00000000), ref: 000E034B
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 000E03DE
SHGetDesktopFolder.SHELL32(?), ref: 000E03F2
CoCreateInstance.OLE32(0011DA8C,00000000,00000001,00143CF8,?), ref: 000E043E
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 000E04AD
CoTaskMemFree.OLE32(?,?), ref: 000E0505
_memset.LIBCMT ref: 000E0542
SHBrowseForFolderW.SHELL32(?), ref: 000E057E
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 000E05A1
CoTaskMemFree.OLE32(00000000), ref: 000E05A8
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 000E05DF
CoUninitialize.OLE32(00000001,00000000), ref: 000E05E1

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: f6704f0b5c89aa754564401c3c6eb7dea39174146e5e542e72472a6fec8fcd05
Instruction ID: 54982505a6ae667248bc6d30b3172123c4790af048dc931079f726022a0900e6
Opcode Fuzzy Hash: f6704f0b5c89aa754564401c3c6eb7dea39174146e5e542e72472a6fec8fcd05
Instruction Fuzzy Hash: AEB1E975A00209AFDB04DFA5D889DAEBBB9FF48304B148469F805EB251DB71EE81CF50

Function 000D2E5B Relevance: 18.2, APIs: 12, Instructions: 185keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 000D2ED6
SetKeyboardState.USER32(?), ref: 000D2F41
GetAsyncKeyState.USER32(000000A0), ref: 000D2F61
GetKeyState.USER32(000000A0), ref: 000D2F78
GetAsyncKeyState.USER32(000000A1), ref: 000D2FA7
GetKeyState.USER32(000000A1), ref: 000D2FB8
GetAsyncKeyState.USER32(00000011), ref: 000D2FE4
GetKeyState.USER32(00000011), ref: 000D2FF2
GetAsyncKeyState.USER32(00000012), ref: 000D301B
GetKeyState.USER32(00000012), ref: 000D3029
GetAsyncKeyState.USER32(0000005B), ref: 000D3052
GetKeyState.USER32(0000005B), ref: 000D3060

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: df5db01c850e91ec9358138c275b386dc564d3a31b440e152c0484156b9840d8
Instruction ID: b2414f5bd9df46688301d9fedcd23ca625a04a3da1a48e365944b80249413ce4
Opcode Fuzzy Hash: df5db01c850e91ec9358138c275b386dc564d3a31b440e152c0484156b9840d8
Instruction Fuzzy Hash: C951C664A0479829FB75EBA488117EABFF45F21340F08859FD5C2563C3DA649B8CCB72

Function 000CED02 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 000CED1E
GetWindowRect.USER32(00000000,?), ref: 000CED30
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 000CED8E
GetDlgItem.USER32(?,00000002), ref: 000CED99
GetWindowRect.USER32(00000000,?), ref: 000CEDAB
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 000CEE01
GetDlgItem.USER32(?,000003E9), ref: 000CEE0F
GetWindowRect.USER32(00000000,?), ref: 000CEE20
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 000CEE63
GetDlgItem.USER32(?,000003EA), ref: 000CEE71
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 000CEE8E
InvalidateRect.USER32(?,00000000,00000001), ref: 000CEE9B

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 4d4c6f9d3f94e6a78d508330e32713f3e59f077cd9ec8827121051839860e462
Instruction ID: 75b077519a12c0e9c27adf449e41ef34525a6a20ab54e4695e049a12fb6c9e37
Opcode Fuzzy Hash: 4d4c6f9d3f94e6a78d508330e32713f3e59f077cd9ec8827121051839860e462
Instruction Fuzzy Hash: 2E51FBB1B00205AFDB18CF69DD89EAEBBBAEB88701F14812DF51AD7290D7709D40CB10

Function 000AB73E Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 000AB9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,000AB759,?,00000000,?,?,?,?,000AB72B,00000000,?), ref: 000ABA58

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,000AB72B), ref: 000AB7F6
KillTimer.USER32(00000000,?,00000000,?,?,?,?,000AB72B,00000000,?,?,000AB2EF,?,?), ref: 000AB88D
DestroyAcceleratorTable.USER32(00000000), ref: 0010D8A6
6FC90860.COMCTL32(00000000,?,00000000,?,?,?,?,000AB72B,00000000,?,?,000AB2EF,?,?), ref: 0010D8D7
6FC90860.COMCTL32(00000000,?,00000000,?,?,?,?,000AB72B,00000000,?,?,000AB2EF,?,?), ref: 0010D8EE
6FC90860.COMCTL32(00000000,?,00000000,?,?,?,?,000AB72B,00000000,?,?,000AB2EF,?,?), ref: 0010D90A
DeleteObject.GDI32(00000000), ref: 0010D91C

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: C90860$Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 2575793101-0
Opcode ID: 5c4080691ec5b109f9dd8790ef01fd0d1b6ff51118a687947127fee8a05ba17a
Instruction ID: 3f57d6aeb7cf06c05692747bf989d8ebc608bd1746f5c9270384b6561c51a246
Opcode Fuzzy Hash: 5c4080691ec5b109f9dd8790ef01fd0d1b6ff51118a687947127fee8a05ba17a
Instruction Fuzzy Hash: CA616D30501700EFDB369F98E988B69B7F5FF96316F144519E4868A9A2CBB4A8D0DF40

Function 000AB40A Relevance: 18.1, APIs: 12, Instructions: 131COMMON

Download Yara Rule

APIs

Part of subcall function 000AB526: GetWindowLongW.USER32(?,000000EB), ref: 000AB537

GetSysColor.USER32(0000000F), ref: 000AB438

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 3e93e9ef2adcbad8a50bd362f89b91d25061a503491082a17e214a89ef1c8596
Instruction ID: 80d1435023092852dbaa60f866526c259ac95c57ef0284adb0d15a029dd88154
Opcode Fuzzy Hash: 3e93e9ef2adcbad8a50bd362f89b91d25061a503491082a17e214a89ef1c8596
Instruction Fuzzy Hash: 6C41A430040140AFDB255FB8EC89BF93BA6AB0A731F1482A1FDA58E5E7D7708C81D721

Function 000D690B Relevance: 18.1, APIs: 12, Instructions: 113COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 000D6923
_wcscpy.LIBCMT ref: 000D6934
__wsplitpath.LIBCMT ref: 000D6958
__wsplitpath.LIBCMT ref: 000D6979
_wcscpy.LIBCMT ref: 000D699B
_wcscpy.LIBCMT ref: 000D69B9
_wcscpy.LIBCMT ref: 000D69C7
_wcscat.LIBCMT ref: 000D69D6
_wcscat.LIBCMT ref: 000D6A2B
_wcscat.LIBCMT ref: 000D6A61
_wcscat.LIBCMT ref: 000D6A73

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
String ID:
API String ID: 136442275-0
Opcode ID: 4ef4a22eebb5b82c7edebc8d737c77c8cb3a181e542aeb70130ad8845bae262c
Instruction ID: afc899b71340ab043fc383a03a40d5683c7e8bcad5d37293cfe4fa13b0bd6fed
Opcode Fuzzy Hash: 4ef4a22eebb5b82c7edebc8d737c77c8cb3a181e542aeb70130ad8845bae262c
Instruction Fuzzy Hash: 7741127684521CAECF61DB94CC85DDFB3BDEB44300F0041A7B659A2151EB31ABE98F61

Function 000DD76A Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 180COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(0012DC00,0012DC00,0012DC00), ref: 000DD7CE
GetDriveTypeW.KERNEL32(?,00143A70,00000061), ref: 000DD898
_wcscpy.LIBCMT ref: 000DD8C2

Strings

all, xrefs: 000DD7D4
ramdisk, xrefs: 000DD842
removable, xrefs: 000DD800
unknown, xrefs: 000DD859
fixed, xrefs: 000DD816
cdrom, xrefs: 000DD7EA
network, xrefs: 000DD82C

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 48315bec855f2fe86ca0b27e5575874b6df780bbfbe61d5887dd954451c4d9e3
Instruction ID: 900a569f341c1fa69bac37597be6635001e6a8650ec54d1bf4a7703ef63381bc
Opcode Fuzzy Hash: 48315bec855f2fe86ca0b27e5575874b6df780bbfbe61d5887dd954451c4d9e3
Instruction Fuzzy Hash: 2B518F31144340AFC711EF14D992AEEB7A5EF85314F20882FF5AA572A2EB31DD05DA52

Function 0009936C Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 000993AB
__itow.LIBCMT ref: 000993DF

Part of subcall function 000B1557: _xtow@16.LIBCMT ref: 000B1578

Strings

0x%p, xrefs: 00104CAD
False, xrefs: 00104C93
True, xrefs: 00104C8C
%.15g, xrefs: 000993A5

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: __itow__swprintf_xtow@16
String ID: %.15g$0x%p$False$True
API String ID: 1502193981-2263619337
Opcode ID: ea79228199aad67050469407768e38ee6d23761e3214e1ba534b9d9b58173e9d
Instruction ID: 430d16525440bf05e1377fad27ae8abe10b7af1e2fe55d6ae0fbbbc8fd0fe1bb
Opcode Fuzzy Hash: ea79228199aad67050469407768e38ee6d23761e3214e1ba534b9d9b58173e9d
Instruction Fuzzy Hash: 4E41A571504205ABEB24DF78D981EFAB3E8EF49300F24846EE58AD71D2EB719A41DB50

Function 000FA1B6 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 000FA259
CreateCompatibleDC.GDI32(00000000), ref: 000FA260
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 000FA273
SelectObject.GDI32(00000000,00000000), ref: 000FA27B
GetPixel.GDI32(00000000,00000000,00000000), ref: 000FA286
DeleteDC.GDI32(00000000), ref: 000FA28F
GetWindowLongW.USER32(?,000000EC), ref: 000FA299
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 000FA2AD
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 000FA2B9

Strings

static, xrefs: 000FA1F1

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 9174da9c95b5a0cc5797325a4f9c4f639a4c1f85d1bb5385d7f7d556bd7158a5
Instruction ID: 0e3de3d02680ba05ad87cd422f2b9b7a3eef379a199bf3d79f2f632f6350cfc2
Opcode Fuzzy Hash: 9174da9c95b5a0cc5797325a4f9c4f639a4c1f85d1bb5385d7f7d556bd7158a5
Instruction Fuzzy Hash: 11319071200219BFDF159FA4ED49FEA3BA9FF0A360F110214FA19A64A0C735D851EB65

Function 000D6F02 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 000D6F1D
gethostname.WSOCK32(?,00000100), ref: 000D6F37
gethostbyname.WSOCK32(?), ref: 000D6F44
_wcscpy.LIBCMT ref: 000D6F6C
inet_ntoa.WSOCK32(?), ref: 000D6F8A
_strcat.LIBCMT ref: 000D6F98
_wcscpy.LIBCMT ref: 000D6FAF
WSACleanup.WSOCK32 ref: 000D6FBD
_wcscpy.LIBCMT ref: 000D6FCB

Strings

0.0.0.0, xrefs: 000D6F66

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 2620052-3771769585
Opcode ID: a91c7a0d07a51e895c6b4b27fef768a06d8c7452ddd5b72dd63df966434ba752
Instruction ID: f6e96375bef2677e4384afb8d12b834bae198117d5f661e9ebdf3ff29e31bdf3
Opcode Fuzzy Hash: a91c7a0d07a51e895c6b4b27fef768a06d8c7452ddd5b72dd63df966434ba752
Instruction Fuzzy Hash: C9110671904219AFCB24AB70EC4AEDA77BCEF40710F0040B6F145A61D2EF75DAC58B60

Function 000B500E Relevance: 16.8, APIs: 11, Instructions: 257COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000B5047

Part of subcall function 000B7C0E: __getptd_noexit.LIBCMT ref: 000B7C0E

__gmtime64_s.LIBCMT ref: 000B50E0
__gmtime64_s.LIBCMT ref: 000B5116
__gmtime64_s.LIBCMT ref: 000B5133
__allrem.LIBCMT ref: 000B5189
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000B51A5
__allrem.LIBCMT ref: 000B51BC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000B51DA
__allrem.LIBCMT ref: 000B51F1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000B520F
__invoke_watson.LIBCMT ref: 000B5280

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction ID: 747a4469c46422260e6a21cb04a81a0c3281b8c41c8b7bf8cf3992b900df535b
Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction Fuzzy Hash: 2971F572A01F16ABE714AF78CC81BEE73E8AF05365F144269F510D6682E774DD408BD0

Function 000D4DDD Relevance: 16.7, APIs: 11, Instructions: 189windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000D4DF8
GetMenuItemInfoW.USER32(00151708,000000FF,00000000,00000030), ref: 000D4E59
SetMenuItemInfoW.USER32(00151708,00000004,00000000,00000030), ref: 000D4E8F
Sleep.KERNEL32(000001F4), ref: 000D4EA1
GetMenuItemCount.USER32(?), ref: 000D4EE5
GetMenuItemID.USER32(?,00000000), ref: 000D4F01
GetMenuItemID.USER32(?,-00000001), ref: 000D4F2B
GetMenuItemID.USER32(?,?), ref: 000D4F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 000D4FB6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000D4FCA
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000D4FEB

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 16d54a7c9e9af1566ed645d9faebfb78fa4bb973da530bacb2578cd78411ed85
Instruction ID: 007eebdbf7fdf8f887951225d8c49b7f916a5e269bf8f76a247fc345f3eb99ae
Opcode Fuzzy Hash: 16d54a7c9e9af1566ed645d9faebfb78fa4bb973da530bacb2578cd78411ed85
Instruction Fuzzy Hash: BE618D71900359AFDB61CFA8D988AEE7BF9EB41309F14406AF841A73A1D731AD45CB31

Function 000F9C16 Relevance: 16.7, APIs: 11, Instructions: 183windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 000F9C98
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 000F9C9B
GetWindowLongW.USER32(?,000000F0), ref: 000F9CBF
_memset.LIBCMT ref: 000F9CD0
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 000F9CE2
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 000F9D5A

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 83235956aec2cdf2e7505e84f960f5be7c87f810ac1c88dfd8762c29708d8f1a
Instruction ID: b823cb6cacc6f5fb54a46c658ffc0c75dced37a112a339be7de81be0ba88048d
Opcode Fuzzy Hash: 83235956aec2cdf2e7505e84f960f5be7c87f810ac1c88dfd8762c29708d8f1a
Instruction Fuzzy Hash: 5E617B75900208AFDB21DFA8CC81FFEB7B8EB09704F14415AFA15AB292D7B0A945DB50

Function 000C94E1 Relevance: 16.6, APIs: 11, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 000C94FE
SafeArrayAllocData.OLEAUT32(?), ref: 000C9549
VariantInit.OLEAUT32(?), ref: 000C955B
SafeArrayAccessData.OLEAUT32(?,?), ref: 000C957B
VariantCopy.OLEAUT32(?,?), ref: 000C95BE
SafeArrayUnaccessData.OLEAUT32(?), ref: 000C95D2
VariantClear.OLEAUT32(?), ref: 000C95E7
SafeArrayDestroyData.OLEAUT32(?), ref: 000C95F4
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 000C95FD
VariantClear.OLEAUT32(?), ref: 000C960F
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 000C961A

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: d3dfd212891168713df7c021b7e46f73b1670e543546a7a243f079d814026219
Instruction ID: 36fb3e7520898a90e662798141d0499c95a093f3fde2f83f9f97da28a023bb0a
Opcode Fuzzy Hash: d3dfd212891168713df7c021b7e46f73b1670e543546a7a243f079d814026219
Instruction Fuzzy Hash: 4B414431A00219EFCB05DFA4D848DDDBBB9FF08354F008069E501A3A51DB31EA85CBA0

Function 000EADAE Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 0009936C: __swprintf.LIBCMT ref: 000993AB
Part of subcall function 0009936C: __itow.LIBCMT ref: 000993DF

CoInitialize.OLE32 ref: 000EADF6
CoUninitialize.OLE32 ref: 000EAE01
CoCreateInstance.OLE32(?,00000000,00000017,0011D8FC,?), ref: 000EAE61
IIDFromString.OLE32(?,?), ref: 000EAED4
VariantInit.OLEAUT32(?), ref: 000EAF6E
VariantClear.OLEAUT32(?), ref: 000EAFCF

Strings

NULL Pointer assignment, xrefs: 000EAEA6
Invalid parameter, xrefs: 000EAEED
Failed to create object, xrefs: 000EAE6C, 000EAF22

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 7085352863c56ed26d0fed77f9f02623f936d8c1aed4eb0642ac74f0647a152e
Instruction ID: 404adb65d6f224e05dfdce8fbce71459c736929d6ec595ce1c775b8d339585a6
Opcode Fuzzy Hash: 7085352863c56ed26d0fed77f9f02623f936d8c1aed4eb0642ac74f0647a152e
Instruction Fuzzy Hash: A8618D71308351AFD720DF95D845BAEB7E8AF8A714F104419F985AB2A2C770ED48CB93

Function 000E8107 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 000E8168
inet_addr.WSOCK32(?,?,?), ref: 000E81AD
gethostbyname.WSOCK32(?), ref: 000E81B9
IcmpCreateFile.IPHLPAPI ref: 000E81C7
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 000E8237
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 000E824D
IcmpCloseHandle.IPHLPAPI(00000000), ref: 000E82C2
WSACleanup.WSOCK32 ref: 000E82C8

Strings

Ping, xrefs: 000E81EB

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 166349593480ac11ad0dc82f6e7c8a25ec381f421e2b7f252481455b12dd3dae
Instruction ID: 92fd08cc16f9b5a93967da338ed29a2687ce89c5a94279f37b7506c0360761ed
Opcode Fuzzy Hash: 166349593480ac11ad0dc82f6e7c8a25ec381f421e2b7f252481455b12dd3dae
Instruction Fuzzy Hash: 5351C031604701AFDB20AF65DD45BAAB7E4EF49310F04C869FA59EB2E1DB30E801CB41

Function 000F9E43 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 105windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000F9E5B
CreateMenu.USER32 ref: 000F9E76
SetMenu.USER32(?,00000000), ref: 000F9E85
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000F9F12
IsMenu.USER32(?), ref: 000F9F28
CreatePopupMenu.USER32 ref: 000F9F32
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 000F9F63
DrawMenuBar.USER32 ref: 000F9F71

Strings

0, xrefs: 000F9E54

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0
API String ID: 176399719-4108050209
Opcode ID: 8037ba20e4827d0a2564d48ae3b726057e9e3f446e723cb1ce6fe805acb2148c
Instruction ID: 17109c336ad5c28c792f99016671d7d2fce05b0f8ccf6a43b97cd2caa9f41e85
Opcode Fuzzy Hash: 8037ba20e4827d0a2564d48ae3b726057e9e3f446e723cb1ce6fe805acb2148c
Instruction Fuzzy Hash: 8D4155B4A00209EFDB60DFA4E944BEABBF6FF48304F144028EA45A7760D770A954DF50

Function 000DE389 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 97COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 000DE396
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 000DE40C
GetLastError.KERNEL32 ref: 000DE416
SetErrorMode.KERNEL32(00000000,READY), ref: 000DE483

Strings

NOTREADY, xrefs: 000DE442
READY, xrefs: 000DE45C
INVALID, xrefs: 000DE455
READONLY, xrefs: 000DE44E
UNKNOWN, xrefs: 000DE43B

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: ad58b778e9829a0df579969121bde77ede189a1339977fd7c52e9d4c45fd9db9
Instruction ID: b8853a6a8c49acb8e06a654c16b5320b8c92e7c21e01e1afbd9adda8672d141c
Opcode Fuzzy Hash: ad58b778e9829a0df579969121bde77ede189a1339977fd7c52e9d4c45fd9db9
Instruction Fuzzy Hash: 12318135A00349AFDB15EBA4D985FEEB7B4EF04300F148027F515AB392D771AA41D7A1

Function 000CB907 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 000CB98C
GetDlgCtrlID.USER32 ref: 000CB997
GetParent.USER32 ref: 000CB9B3
SendMessageW.USER32(00000000,?,00000111,?), ref: 000CB9B6
GetDlgCtrlID.USER32(?), ref: 000CB9BF
GetParent.USER32(?), ref: 000CB9DB
SendMessageW.USER32(00000000,?,?,00000111), ref: 000CB9DE

Strings

ListBox, xrefs: 000CB949
ComboBox, xrefs: 000CB911

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: b15f6cfe2cb181841dca55bdde72efae0284fc4c82ddaa64223e0885a854aa30
Instruction ID: c755ef611ffa1f999385c0fa5b9e324ffcc706a083429745d279585b53964fc7
Opcode Fuzzy Hash: b15f6cfe2cb181841dca55bdde72efae0284fc4c82ddaa64223e0885a854aa30
Instruction Fuzzy Hash: ED21A175900104BFDF04ABA4DC96EFEBBB5EF49300F10411AF651A32A2DB749855DB60

Function 000CB9F0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 80windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 000CBA73
GetDlgCtrlID.USER32 ref: 000CBA7E
GetParent.USER32 ref: 000CBA9A
SendMessageW.USER32(00000000,?,00000111,?), ref: 000CBA9D
GetDlgCtrlID.USER32(?), ref: 000CBAA6
GetParent.USER32(?), ref: 000CBAC2
SendMessageW.USER32(00000000,?,?,00000111), ref: 000CBAC5

Strings

ListBox, xrefs: 000CBA32
ComboBox, xrefs: 000CB9FA

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: 21ac8000f985d3292c493bdf020fb5088827dc8985d25abb1a69b9404cad79d0
Instruction ID: a2508f8097128b5cd3e46e7188a787d1ec9a186355d93d0a31dac7048543721b
Opcode Fuzzy Hash: 21ac8000f985d3292c493bdf020fb5088827dc8985d25abb1a69b9404cad79d0
Instruction Fuzzy Hash: 0521B3B5940104BFDF04AB64DC86FFEBBB5EF49300F14401AF551931A2DB759955DB20

Function 000CBAD7 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 000CBAE3
GetClassNameW.USER32(00000000,?,00000100), ref: 000CBAF8
_wcscmp.LIBCMT ref: 000CBB0A
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 000CBB85

Strings

largeicons, xrefs: 000CBB19
SHELLDLL_DefView, xrefs: 000CBB04
list, xrefs: 000CBB67
details, xrefs: 000CBB33
smallicons, xrefs: 000CBB4D

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: e34e33dc6181f0ed27f14d3719886cbb0302d381ffc5f7e7404d9cfad6ff5cfe
Instruction ID: cedef33e545e84986c502962cfcf566f594820c89509ead21e1ea98a1f064d54
Opcode Fuzzy Hash: e34e33dc6181f0ed27f14d3719886cbb0302d381ffc5f7e7404d9cfad6ff5cfe
Instruction Fuzzy Hash: 4511E776708303F9FA246720AC07EEF37AD9F11320F204029FA08E54E6EFE15C918514

Function 000EB2A9 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 000EB2D5
CoInitialize.OLE32(00000000), ref: 000EB302
CoUninitialize.OLE32 ref: 000EB30C
GetRunningObjectTable.OLE32(00000000,?), ref: 000EB40C
SetErrorMode.KERNEL32(00000001,00000029), ref: 000EB539
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 000EB56D
CoGetObject.OLE32(?,00000000,0011D91C,?), ref: 000EB590
SetErrorMode.KERNEL32(00000000), ref: 000EB5A3
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 000EB623
VariantClear.OLEAUT32(0011D91C), ref: 000EB633

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 24c2929266403e361a91dd2425ac0769455bbd28a4130417136fc791567f291d
Instruction ID: 29f4738a76c2c7e380badad73dbf060c65f59669595d1b8ed18e3c63d458f8f4
Opcode Fuzzy Hash: 24c2929266403e361a91dd2425ac0769455bbd28a4130417136fc791567f291d
Instruction Fuzzy Hash: CBC124B1608341AFC704DF69C884AABB7E9FF88308F00491DF58AAB251DB71ED45CB52

Function 000D67E9 Relevance: 15.1, APIs: 10, Instructions: 107windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 000D67FD
__swprintf.LIBCMT ref: 000D680A

Part of subcall function 000B172B: __woutput_l.LIBCMT ref: 000B1784

FindResourceW.KERNEL32(?,?,0000000E), ref: 000D6834
LoadResource.KERNEL32(?,00000000), ref: 000D6840
LockResource.KERNEL32(00000000), ref: 000D684D
FindResourceW.KERNEL32(?,?,00000003), ref: 000D686D
LoadResource.KERNEL32(?,00000000), ref: 000D687F
SizeofResource.KERNEL32(?,00000000), ref: 000D688E
LockResource.KERNEL32(?), ref: 000D689A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 000D68F9

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 9837837e72159b16507a949174f00f1918542211a343883d5fb78c5812b74dbe
Instruction ID: 5e52ddb3d8f8c14163d1e15eae9d3cb15d80644e0ebb4c5bd843bc15e2c910f0
Opcode Fuzzy Hash: 9837837e72159b16507a949174f00f1918542211a343883d5fb78c5812b74dbe
Instruction Fuzzy Hash: 59318E71A0031AABDB159F60ED59AFF7BB8EF08341B008526F912D6250EB35D951EBB0

Function 000D4025 Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000D4047
GetForegroundWindow.USER32(00000000,?,?,?,?,?,000D30A5,?,00000001), ref: 000D405B
GetWindowThreadProcessId.USER32(00000000), ref: 000D4062
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,000D30A5,?,00000001), ref: 000D4071
GetWindowThreadProcessId.USER32(?,00000000), ref: 000D4083
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,000D30A5,?,00000001), ref: 000D409C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,000D30A5,?,00000001), ref: 000D40AE
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,000D30A5,?,00000001), ref: 000D40F3
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,000D30A5,?,00000001), ref: 000D4108
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,000D30A5,?,00000001), ref: 000D4113

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 43443a99da567640dfc51f8e894dc0e23cf7d26898941868ddf0e3581563e663
Instruction ID: d1f6035a62e37d8eb1d3f0f36e141d23ca276c14e8a45103fe6ced3a2351b8cf
Opcode Fuzzy Hash: 43443a99da567640dfc51f8e894dc0e23cf7d26898941868ddf0e3581563e663
Instruction Fuzzy Hash: 80318C75500304EFDB25DB54EC8ABA977EAAB54392F108017FA14AB690CBB49AC0CB70

Function 0010DD4A Relevance: 15.1, APIs: 10, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 000AB496
SetTextColor.GDI32(?,000000FF), ref: 000AB4A0
SetBkMode.GDI32(?,00000001), ref: 000AB4B5
GetStockObject.GDI32(00000005), ref: 000AB4BD
GetClientRect.USER32(?), ref: 0010DD63
SendMessageW.USER32(?,00001328,00000000,?), ref: 0010DD7A
GetWindowDC.USER32(?), ref: 0010DD86
GetPixel.GDI32(00000000,?,?), ref: 0010DD95
ReleaseDC.USER32(?,00000000), ref: 0010DDA7
GetSysColor.USER32(00000005), ref: 0010DDC5

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
String ID:
API String ID: 3430376129-0
Opcode ID: 3320f75732ea2adae1a2ef769dc9ba639b8f62a3f8fc6529ca8fd7cee606a6ad
Instruction ID: bf7226346a29089feb5296b668ae00d0c1fec8cef23ced5a84ad3a6898344845
Opcode Fuzzy Hash: 3320f75732ea2adae1a2ef769dc9ba639b8f62a3f8fc6529ca8fd7cee606a6ad
Instruction Fuzzy Hash: 3D114631500205FFDB656BB4FD08BE97BB2EB09325F108625FA66994E2CB714981EF21

Function 000CCB82 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 239COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,000CCF50), ref: 000CCE90

Strings

TEXT, xrefs: 000CCDC7
CLASSNN, xrefs: 000CCC33
NAME, xrefs: 000CCCC2
INSTANCE, xrefs: 000CCD9E
REGEXPCLASS, xrefs: 000CCC56
CLASS, xrefs: 000CCC10

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 69d2096ee618c6d0f7d258b321201578a07b81345731d6d3a9d57186968f047d
Instruction ID: 22af9202f649bae4005453925d352410f2ce8a1839d80d9fa17b8c3f51ffd70d
Opcode Fuzzy Hash: 69d2096ee618c6d0f7d258b321201578a07b81345731d6d3a9d57186968f047d
Instruction Fuzzy Hash: 43918F30600546AAEB58EFA0C481FEEFBB5BF05300F54852DE94EA7152DF30699ADBD0

Function 00093093 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 210COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 000930DC
CoUninitialize.OLE32(?,00000000), ref: 00093181
UnregisterHotKey.USER32(?), ref: 000932A9
DestroyWindow.USER32(?), ref: 00105079
FreeLibrary.KERNEL32(?), ref: 001050F8
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00105125

Strings

close all, xrefs: 000930D7

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: f2012232cf41af4d6b829b80beb71bbbd409c1b3bf42d28c1e4d625bef4f2879
Instruction ID: 7a7360670fd25c9714347b85d03c5f671efc6c3bb037b863bb7187ac3d95c762
Opcode Fuzzy Hash: f2012232cf41af4d6b829b80beb71bbbd409c1b3bf42d28c1e4d625bef4f2879
Instruction Fuzzy Hash: 3D913A306002029FCB19EF64D995FA9F3B5FF04304F5582A9E50AA72A2DB30AE56DF50

Function 000ACB8D Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 185windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 000ACC15

Part of subcall function 000ACCCD: GetClientRect.USER32(?,?), ref: 000ACCF6
Part of subcall function 000ACCCD: GetWindowRect.USER32(?,?), ref: 000ACD37
Part of subcall function 000ACCCD: ScreenToClient.USER32(?,?), ref: 000ACD5F

GetDC.USER32 ref: 0010D137
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0010D14A
SelectObject.GDI32(00000000,00000000), ref: 0010D158
SelectObject.GDI32(00000000,00000000), ref: 0010D16D
ReleaseDC.USER32(?,00000000), ref: 0010D175
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0010D200

Strings

U, xrefs: 0010D0D5

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: b1e680b5168bfbe0e90c5a180856ab803c8b8d12e29d80a739634d691dee83a9
Instruction ID: e1752caa82855537d90d2a40fe074dbef518315630d92ca831a09ac24b2d9a54
Opcode Fuzzy Hash: b1e680b5168bfbe0e90c5a180856ab803c8b8d12e29d80a739634d691dee83a9
Instruction Fuzzy Hash: 0371D430400209DFDF259FA4D881EEA7BB5FF49320F144269FD955A6E6CB718881DF60

Function 000E45C4 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 133networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 000E45FF
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 000E462B
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 000E466D
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 000E4682
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 000E468F
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 000E46BF
InternetCloseHandle.WININET(00000000), ref: 000E4706

Part of subcall function 000E5052: GetLastError.KERNEL32(?,?,000E43CC,00000000,00000000,00000001), ref: 000E5067

Strings

, xrefs: 000E46B8

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
String ID:
API String ID: 1241431887-3916222277
Opcode ID: 43da02c54f6a1b8a635cff32a0d9077c17c0444ce9703d0c2954212fbd9eb1f7
Instruction ID: f50b0a3d6de49173efe186570a3d66acf48a67a3be5e509843e28ce78f7692e1
Opcode Fuzzy Hash: 43da02c54f6a1b8a635cff32a0d9077c17c0444ce9703d0c2954212fbd9eb1f7
Instruction Fuzzy Hash: 07417DB1501645BFEB169F51DC89FFB77ACFF09358F008016FA05AA181E7B09A448BA5

Function 000EB644 Relevance: 13.9, APIs: 9, Instructions: 432COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0012DC00), ref: 000EB715
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0012DC00), ref: 000EB749
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 000EB8C1
SysFreeString.OLEAUT32(?), ref: 000EB8EB

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: d90d80ad3d88e9aa6a9e272bda63f8a6d2afdc696e25c37f0aa31c6d03739aaf
Instruction ID: 675e15f06e31bceb8e55cd476b8154491bdb36d5f35123c8edf242a782b1f4ff
Opcode Fuzzy Hash: d90d80ad3d88e9aa6a9e272bda63f8a6d2afdc696e25c37f0aa31c6d03739aaf
Instruction Fuzzy Hash: 35F13971A00209EFDF14DF95C988EAEB7B9FF89311F148469F905AB251DB31AE41CB90

Function 000F24D4 Relevance: 13.9, APIs: 9, Instructions: 376processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000F24F5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 000F2688
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 000F26AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 000F26EC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 000F270E
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 000F286F
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 000F28A1
CloseHandle.KERNEL32(?), ref: 000F28D0
CloseHandle.KERNEL32(?), ref: 000F2947

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 53e356877003edadfd49fa1f1e5c4f43a22774603f1fb3ecb23c1ef374ae1fd8
Instruction ID: 5072a86408c4781e48dd78fbd33869ed71946736a7b5a6cf4be0b5a1807135bd
Opcode Fuzzy Hash: 53e356877003edadfd49fa1f1e5c4f43a22774603f1fb3ecb23c1ef374ae1fd8
Instruction Fuzzy Hash: 3DD1BC31604301DFCB14EF64C891AAEBBE1BF85310F14896DF9999B6A2DB31EC41DB52

Function 000FB33A Relevance: 13.7, APIs: 9, Instructions: 167COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 000FB3F4

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 3b319cdc41dc206bcaf67b6b5a721a867cd7a994c0ee4819cd56344c6bc45ced
Instruction ID: 44d6938be21f9f02e4c2c08c763dd4ec67de0f94df2915bff6e60df3b8f56580
Opcode Fuzzy Hash: 3b319cdc41dc206bcaf67b6b5a721a867cd7a994c0ee4819cd56344c6bc45ced
Instruction Fuzzy Hash: 2F51BF3164020DBAEF349F28CD85BBD3BA5AB05714F284111F724E6DE2C771EA80EE50

Function 000AA699 Relevance: 13.7, APIs: 9, Instructions: 163windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0010DB1B
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0010DB3C
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0010DB51
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0010DB6E
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0010DB95
DestroyCursor.USER32(00000000), ref: 0010DBA0
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0010DBBD
DestroyCursor.USER32(00000000), ref: 0010DBC8

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: CursorDestroyExtractIconImageLoadMessageSend
String ID:
API String ID: 3992029641-0
Opcode ID: 4a17b2154c371914fe44273f0476692141cd528f7e3492ff4aeb349556099607
Instruction ID: 498787ef3cdd37d744fc3f50e1df451c5b0cd8f65181da2b679069db54733853
Opcode Fuzzy Hash: 4a17b2154c371914fe44273f0476692141cd528f7e3492ff4aeb349556099607
Instruction Fuzzy Hash: 9C516770600308EFDB24DFA8DC81FAE77B9AB0A750F114619F9469B6D1DBB0AD80DB51

Function 000D7555 Relevance: 13.6, APIs: 9, Instructions: 142filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 000D6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,000D5FA6,?), ref: 000D6ED8

Part of subcall function 000D6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,000D5FA6,?), ref: 000D6EF1

Part of subcall function 000D72CB: GetFileAttributesW.KERNEL32(?,000D6019), ref: 000D72CC

lstrcmpiW.KERNEL32(?,?), ref: 000D75CA
_wcscmp.LIBCMT ref: 000D75E2
MoveFileW.KERNEL32(?,?), ref: 000D75FB

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 373b21a7392432bd6023a168cd0575ad4cf77e959ccb8e26d6616cfc3a9eda4d
Instruction ID: 3ebdad68420a7853a1a43fef577dd9453ff673a0ea6bd31e798fdbbf08d0c458
Opcode Fuzzy Hash: 373b21a7392432bd6023a168cd0575ad4cf77e959ccb8e26d6616cfc3a9eda4d
Instruction Fuzzy Hash: E15120B29093199ADF64EB94D8419DE73BC9F08310B5045ABF609E3542EB74D7C9CB70

Function 000AEA69 Relevance: 13.6, APIs: 9, Instructions: 135COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0010DAD1,00000004,00000000,00000000), ref: 000AEAEB
ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,0010DAD1,00000004,00000000,00000000), ref: 000AEB32
ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,0010DAD1,00000004,00000000,00000000), ref: 0010DC86
ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0010DAD1,00000004,00000000,00000000), ref: 0010DCF2

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: e6b11c2df7ab037e5354570dd97ead232abb102302bdfef6cef0af0a0638ffc2
Instruction ID: 48a1bc36cde129ef45cc9f0ce5f648c4def348ad5c8fc6469a45eadb7d4222c7
Opcode Fuzzy Hash: e6b11c2df7ab037e5354570dd97ead232abb102302bdfef6cef0af0a0638ffc2
Instruction Fuzzy Hash: 2B410B712252C0EAD77997A8DE8DB7B7AD6BB53305F19440DE087469E1C7B07880D731

Function 000CB263 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C), ref: 000CB26C
RtlAllocateHeap.KERNEL32(00000000), ref: 000CB273
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 000CB288
GetCurrentProcess.KERNEL32(?,00000000), ref: 000CB290
DuplicateHandle.KERNEL32(00000000), ref: 000CB293
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002), ref: 000CB2A3
GetCurrentProcess.KERNEL32(?,00000000), ref: 000CB2AB
DuplicateHandle.KERNEL32(00000000), ref: 000CB2AE
CreateThread.KERNEL32(00000000,00000000,000CB2D4,00000000,00000000,00000000), ref: 000CB2C8

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocateCreateThread
String ID:
API String ID: 1422014791-0
Opcode ID: 0006c7c6ca677de05a3460236338f30618aa924aec00af07659df685596d40b5
Instruction ID: 3824fc73e043f8474659228c4bf38bba7eaf8d32827bcee62a74da3d287f6513
Opcode Fuzzy Hash: 0006c7c6ca677de05a3460236338f30618aa924aec00af07659df685596d40b5
Instruction Fuzzy Hash: 8F01CDB5240304BFE710AFA5ED4DFAB7BACEB88711F018411FA15DB6A1CAB49840CB61

Function 000EC43F Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 401COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 000EC876, 000EC887
Not an Object type, xrefs: 000EC49E

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: fd70c6b25e675308473b28adb94e2b74ed9a9bddebc804d20375711a4ad80232
Instruction ID: 07c0e14382ffbc60b6f8effb5fc0275b560ccadd32ae50f15fb8bb130d602b7a
Opcode Fuzzy Hash: fd70c6b25e675308473b28adb94e2b74ed9a9bddebc804d20375711a4ad80232
Instruction Fuzzy Hash: 6DE1E171A00259AFEF14DFA9C981EEEB7F5EB48310F148029F945BB281D771AD42CB90

Function 000EBB08 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 264COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000EBB5C
VariantInit.OLEAUT32(?), ref: 000EBC2D
VariantInit.OLEAUT32(?), ref: 000EBD2E
VariantClear.OLEAUT32(?), ref: 000EBD38
VariantClear.OLEAUT32(?), ref: 000EBD99

Strings

Null Object assignment in FOR..IN loop, xrefs: 000EBBBD, 000EBCEB, 000EBDA7
Incorrect Object type in FOR..IN loop, xrefs: 000EBD11

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: a0e9c614adaef3911e7267525aa094be17fcd471c9a5b751feaa132ba211dea0
Instruction ID: 14af4f03f012aa355ba8950a15ccfea70f4dc78d0fb8162f62e3f3957d4311e4
Opcode Fuzzy Hash: a0e9c614adaef3911e7267525aa094be17fcd471c9a5b751feaa132ba211dea0
Instruction Fuzzy Hash: 2E918B71A04259AFCB24CFA6CC44FEFBBB8EF85710F10815AE515BB281DB709944CBA0

Function 000F9A75 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 142windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 000F9B19
SendMessageW.USER32(?,00001036,00000000,?), ref: 000F9B2D
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 000F9B47
_wcscat.LIBCMT ref: 000F9BA2
SendMessageW.USER32(?,00001057,00000000,?), ref: 000F9BB9
SendMessageW.USER32(?,00001061,?,0000000F), ref: 000F9BE7

Strings

SysListView32, xrefs: 000F9AEB

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 86ab1cd4e2bb0d0236c4a0b99baf5eb5948f93efd824cd30c68813009c1e3fb5
Instruction ID: 8359625a3ee3bcf262a8a67e4bebf5e92f178acd9c378b8e9357601e3e7a307a
Opcode Fuzzy Hash: 86ab1cd4e2bb0d0236c4a0b99baf5eb5948f93efd824cd30c68813009c1e3fb5
Instruction Fuzzy Hash: F6419D71A0030CABDB219FA4DC85BEE77E8EF08350F10442AF649A7692D7B19D84DB60

Function 000F172F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Part of subcall function 000D6532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 000D6554
Part of subcall function 000D6532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 000D6564
Part of subcall function 000D6532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 000D65F9

OpenProcess.KERNEL32(00000001,00000000,?), ref: 000F179A
GetLastError.KERNEL32 ref: 000F17AD
OpenProcess.KERNEL32(00000001,00000000,?), ref: 000F17D9
TerminateProcess.KERNEL32(00000000,00000000), ref: 000F1855
GetLastError.KERNEL32(00000000), ref: 000F1860
CloseHandle.KERNEL32(00000000), ref: 000F1895

Strings

SeDebugPrivilege, xrefs: 000F17B8

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: f611f2486bd158c5af0cf8b5a6cacdd4277a09ae3eea9a2051df283ab7041ce7
Instruction ID: 619d300c08e46bb43b9553dfa43715c1fc549fe16187759e4ec9c895e2d0d387
Opcode Fuzzy Hash: f611f2486bd158c5af0cf8b5a6cacdd4277a09ae3eea9a2051df283ab7041ce7
Instruction Fuzzy Hash: 9241CC71600205AFDB09EF98C995FFEB7A2AF44310F088069FA069B383DB75A941DB51

Function 000D5819 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 000D58B8

Strings

warning, xrefs: 000D58A1
question, xrefs: 000D5871
blank, xrefs: 000D583A
stop, xrefs: 000D5889
info, xrefs: 000D5859

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 56289f9aab745dc6b4b1a33c054f248f19d74ee023e93f8f97d168ee35a9a6c3
Instruction ID: 3ca686ebfdcb3f6e9ebb34e976634e8dc4d4e12b4641e51ecc3e0eeeeff11fa8
Opcode Fuzzy Hash: 56289f9aab745dc6b4b1a33c054f248f19d74ee023e93f8f97d168ee35a9a6c3
Instruction Fuzzy Hash: 6511D531709743BEEB155A54AC82DEE67EC9F15325B20003BF915B67C2EFA0AA405274

Function 000DA729 Relevance: 12.3, APIs: 8, Instructions: 317COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 000DA806

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 0cc75df9067ed9b36f10e7d01a3cc438e0eb22fb3b8768b22771115b6cbe6cb7
Instruction ID: 3e0593999f37258446526f98a65c03aecb48bbe0db3ec95d00defa339c3a6a6f
Opcode Fuzzy Hash: 0cc75df9067ed9b36f10e7d01a3cc438e0eb22fb3b8768b22771115b6cbe6cb7
Instruction Fuzzy Hash: 3BC16A75A0431A9FDB14CF98D591BEEB7F4EF0A311F20806AE605E7341D734AA41CBA2

Function 000D6B49 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 000D6B63
LoadStringW.USER32(00000000), ref: 000D6B6A
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 000D6B80
LoadStringW.USER32(00000000), ref: 000D6B87
_wprintf.LIBCMT ref: 000D6BAD
MessageBoxW.USER32(00000000,?,?,00011010), ref: 000D6BCB

Strings

%s (%d) : ==> %s: %s %s, xrefs: 000D6BA8

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 4bd343f195aa52fa0e8f1271ea8a9eace30b6fff883b7b38201dd869555202b9
Instruction ID: 02a4f69b077bc4278603e2a90c3cdca6b63281ffc95713c2b98f20b074113ebe
Opcode Fuzzy Hash: 4bd343f195aa52fa0e8f1271ea8a9eace30b6fff883b7b38201dd869555202b9
Instruction Fuzzy Hash: 070136F65002587FE751AB94EE89EF7776CD704304F008496B746E2541EA749EC48F71

Function 000F2B19 Relevance: 12.3, APIs: 8, Instructions: 251registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000F3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000F2BB5,?,?), ref: 000F3C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000F2BF6

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper
String ID:
API String ID: 2595220575-0
Opcode ID: 01c9967bb73e530360b9b1a9b4cc3ab1a6ef2def482aa36448f71a81d3e98652
Instruction ID: 9a60816cdfd544b868431c69f0c42660fa8f645a6775bf6e8a64946d2dfa436c
Opcode Fuzzy Hash: 01c9967bb73e530360b9b1a9b4cc3ab1a6ef2def482aa36448f71a81d3e98652
Instruction Fuzzy Hash: CC917C71204205AFDB14EF54C891FAEB7E5FF48310F04881DFA969B692DB34E945EB42

Function 000E95BF Relevance: 12.2, APIs: 8, Instructions: 247networkCOMMON

Download Yara Rule

APIs

select.WSOCK32 ref: 000E9691
WSAGetLastError.WSOCK32(00000000), ref: 000E969E
__WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 000E96C8
6FE41EB0.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 000E96E9
WSAGetLastError.WSOCK32(00000000), ref: 000E96F8
htons.WSOCK32(?,?,?,00000000,?), ref: 000E97AA
inet_ntoa.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,0012DC00), ref: 000E9765

Part of subcall function 000CD2FF: _strlen.LIBCMT ref: 000CD309

_strlen.LIBCMT ref: 000E9800

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: ErrorLast_strlen$htonsinet_ntoaselect
String ID:
API String ID: 3480843537-0
Opcode ID: 030d467d0c6770d48afa8fde7befc493f8f442294c837d8c9d86091b4bee07ff
Instruction ID: f3fc82438fad215ebc7e7014c78e4d86b6fb4e0ceffc41d3ae74004afda414ff
Opcode Fuzzy Hash: 030d467d0c6770d48afa8fde7befc493f8f442294c837d8c9d86091b4bee07ff
Instruction Fuzzy Hash: 5E81DF31504240AFD724EFA5DC85EAFB7E8EF85714F10462DF555AB2A2EB30D904CBA2

Function 000BA979 Relevance: 12.1, APIs: 8, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

__mtinitlocknum.LIBCMT ref: 000BA991

Part of subcall function 000B7D7C: __FF_MSGBANNER.LIBCMT ref: 000B7D91
Part of subcall function 000B7D7C: __NMSG_WRITE.LIBCMT ref: 000B7D98
Part of subcall function 000B7D7C: __malloc_crt.LIBCMT ref: 000B7DB8

__lock.LIBCMT ref: 000BA9A4
__lock.LIBCMT ref: 000BA9F0
InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00146DE0,00000018,000C5E7B,?,00000000,00000109), ref: 000BAA0C
RtlEnterCriticalSection.KERNEL32(8000000C,00146DE0,00000018,000C5E7B,?,00000000,00000109), ref: 000BAA29
RtlLeaveCriticalSection.KERNEL32(8000000C), ref: 000BAA39

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
String ID:
API String ID: 1422805418-0
Opcode ID: 117e10204173a1b85d15ead328da6f179dec54f3b93e15d037093cca3ddd5c4f
Instruction ID: 89edffd44d718641459f3ba721e0fb3c9003d08cbb9768b21e0409742adae39a
Opcode Fuzzy Hash: 117e10204173a1b85d15ead328da6f179dec54f3b93e15d037093cca3ddd5c4f
Instruction Fuzzy Hash: E7412A71B007059BEB249FA8DA447DCB7F0BF06335F118219E429AB6D2D7749940CBA3

Function 000F8ECC Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 000F8EE4
GetDC.USER32(00000000), ref: 000F8EEC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 000F8EF7
ReleaseDC.USER32(00000000,00000000), ref: 000F8F03
CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 000F8F3F
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 000F8F50
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,000FBD19,?,?,000000FF,00000000,?,000000FF,?), ref: 000F8F8A
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 000F8FAA

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 3efb39feaa959b5c9021ca008b7ac39074c64ad19d88fffd02d45328e4db6d11
Instruction ID: 41ae7975238891a1b07bb16fa31c73334e46703e7f26d9b40d19d5de85286bfa
Opcode Fuzzy Hash: 3efb39feaa959b5c9021ca008b7ac39074c64ad19d88fffd02d45328e4db6d11
Instruction Fuzzy Hash: B7317C72200614BFEB148F50DD4AFEA3BAEEF49715F048065FE099A191DAB59881CB70

Function 000E16DA Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 309COMMON

Download Yara Rule

APIs

Part of subcall function 0009936C: __swprintf.LIBCMT ref: 000993AB
Part of subcall function 0009936C: __itow.LIBCMT ref: 000993DF

Part of subcall function 000AC6F4: _wcscpy.LIBCMT ref: 000AC717

_wcstok.LIBCMT ref: 000E184E
_wcscpy.LIBCMT ref: 000E18DD
_memset.LIBCMT ref: 000E1910

Strings

X, xrefs: 000E1948

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 6328985142c2a9a4ce0e5e61db973cdced5f146bf7850c600f9e10e9d4d7c848
Instruction ID: 60249524e22f5e11f3ead041e022f650f425086c6e33b33e69e9fa4d26d796d5
Opcode Fuzzy Hash: 6328985142c2a9a4ce0e5e61db973cdced5f146bf7850c600f9e10e9d4d7c848
Instruction Fuzzy Hash: 21C16E315083409FCB64EF64C991AEEB7E4BF85350F04492DF899A72A2DB30ED45DB82

Function 000AAE78 Relevance: 10.7, APIs: 7, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bed5f56f22370b9ff967003b206cde4df6f0f807393440fd2421e00f8ff39743
Instruction ID: 60bf7db90c0393c86dc7989c1b50b688645d50819b3c9f412e029aa984d07f47
Opcode Fuzzy Hash: bed5f56f22370b9ff967003b206cde4df6f0f807393440fd2421e00f8ff39743
Instruction Fuzzy Hash: 70717EB0A00109EFCB18CFD8CC45AEEBBB4FF8A310F148159F955AA291D7349A41CF61

Function 000F2230 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000F225A
_memset.LIBCMT ref: 000F2323
ShellExecuteExW.SHELL32(?), ref: 000F2368

Part of subcall function 0009936C: __swprintf.LIBCMT ref: 000993AB
Part of subcall function 0009936C: __itow.LIBCMT ref: 000993DF

Part of subcall function 000AC6F4: _wcscpy.LIBCMT ref: 000AC717

CloseHandle.KERNEL32(00000000), ref: 000F242F
FreeLibrary.KERNEL32(00000000), ref: 000F243E

Strings

@, xrefs: 000F2334

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
String ID: @
API String ID: 4082843840-2766056989
Opcode ID: 3224351496021bb6135765df18ea503daa3a9de08a21e952942ea58e6cecd4c7
Instruction ID: b6c6b124c2158b24558a795a04f862a48cd23420dba4782358b245cbef11717e
Opcode Fuzzy Hash: 3224351496021bb6135765df18ea503daa3a9de08a21e952942ea58e6cecd4c7
Instruction Fuzzy Hash: AC718EB0A006199FCF04EFA8D8819EEB7F5FF48310F108459E955AB752DB35AE40DB90

Function 000D3DA8 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 000D3DE7
GetKeyboardState.USER32(?), ref: 000D3DFC
SetKeyboardState.USER32(?), ref: 000D3E5D
PostMessageW.USER32(?,00000101,00000010,?), ref: 000D3E8B
PostMessageW.USER32(?,00000101,00000011,?), ref: 000D3EAA
PostMessageW.USER32(?,00000101,00000012,?), ref: 000D3EF0
PostMessageW.USER32(?,00000101,0000005B,?), ref: 000D3F13

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: f3c76f0e0dc4c3b6ea4e5d3d65041d4b4b15ca93ce6185a8b6291ff36455c5cf
Instruction ID: 23f4865cc26225027ad2f7d2f4c234d67af64d2317bb1f9117491d5a1f2092c6
Opcode Fuzzy Hash: f3c76f0e0dc4c3b6ea4e5d3d65041d4b4b15ca93ce6185a8b6291ff36455c5cf
Instruction Fuzzy Hash: AC51A1A0A047D53DFB7647248C45BBA7FE95B06304F08858AE1D5469C3D2A8AEC4DB72

Function 000D3BC3 Relevance: 10.7, APIs: 7, Instructions: 164windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 000D3C02
GetKeyboardState.USER32(?), ref: 000D3C17
SetKeyboardState.USER32(?), ref: 000D3C78
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 000D3CA4
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 000D3CC1
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 000D3D05
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 000D3D26

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 08e4378fcb234c3327d9b53b94a42e5351755ca7b41eba8d6d236af96adc8196
Instruction ID: 983d5d9c406eca07c42a547180205fa10a6217ca26c6117d763ef8548d879e29
Opcode Fuzzy Hash: 08e4378fcb234c3327d9b53b94a42e5351755ca7b41eba8d6d236af96adc8196
Instruction Fuzzy Hash: 245117A05047D53DFB3683348C45BBABFE96F06300F08848AE1D556AC3D2A5EE84DB72

Function 000D7DB1 Relevance: 10.6, APIs: 7, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 000D7DBE
_wcsncpy.LIBCMT ref: 000D7DF3
_wcsncpy.LIBCMT ref: 000D7E25
_wcsncpy.LIBCMT ref: 000D7E58
_wcsncpy.LIBCMT ref: 000D7E9A
_wcsncpy.LIBCMT ref: 000D7ED4
_wcsncpy.LIBCMT ref: 000D7F03

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: b494ff0e51e7057635d01f828b881ae06a4c59908e645b416a4c1ae8d89f110c
Instruction ID: e03ce9aadc512ea77eb6fbeef3398a5a5855476ec1f998e33a4949c0824e37f4
Opcode Fuzzy Hash: b494ff0e51e7057635d01f828b881ae06a4c59908e645b416a4c1ae8d89f110c
Instruction Fuzzy Hash: 4E417066C10314B6CB20EBF4C84A9CFB7AC9F45710F548976E508E3223FA34E61483A9

Function 000F9F8A Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000F9FA3
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000FA04A
IsMenu.USER32(?), ref: 000FA062
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 000FA0AA
DrawMenuBar.USER32 ref: 000FA0C3

Strings

0, xrefs: 000F9F9C

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: cca3dbc18260242481498dbe1eb91f9cb54434e75594293243af6c26229a5553
Instruction ID: e50f317d5430c7dd58f65298c08c9abb53ba9e175d3f783170e0f5524716ac6b
Opcode Fuzzy Hash: cca3dbc18260242481498dbe1eb91f9cb54434e75594293243af6c26229a5553
Instruction Fuzzy Hash: BE4148B5A00209EFDB60DF60E884EEABBF5FB09324F048529EA1997650DB30AD50DF51

Function 000F3D72 Relevance: 10.6, APIs: 7, Instructions: 100registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 000F3DA1
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 000F3DCB
FreeLibrary.KERNEL32(00000000), ref: 000F3E80

Part of subcall function 000F3D72: RegCloseKey.ADVAPI32(?), ref: 000F3DE8
Part of subcall function 000F3D72: FreeLibrary.KERNEL32(?), ref: 000F3E3A
Part of subcall function 000F3D72: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 000F3E5D

RegDeleteKeyW.ADVAPI32(?,?), ref: 000F3E25

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 14e01bda7c0eeadf4a00ee36b862951fb49c678c8a2e4f8290dc1c3d679f186f
Instruction ID: b85f1701d0c3c1067d56d4141655c59f293c6a12765885517059ac2dbe12199e
Opcode Fuzzy Hash: 14e01bda7c0eeadf4a00ee36b862951fb49c678c8a2e4f8290dc1c3d679f186f
Instruction Fuzzy Hash: 40312BB190110DBFDB14DB90ED85AFFB7BCEF08310F00416AE612A2590D6749F88ABA0

Function 000D5F85 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 100filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 000D6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,000D5FA6,?), ref: 000D6ED8

Part of subcall function 000D6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,000D5FA6,?), ref: 000D6EF1

lstrcmpiW.KERNEL32(?,?), ref: 000D5FC9
_wcscmp.LIBCMT ref: 000D5FE7
MoveFileW.KERNEL32(?,?), ref: 000D6000

Part of subcall function 000D6318: GetFileAttributesW.KERNEL32(?,?,?,?,000D60C3), ref: 000D6369
Part of subcall function 000D6318: GetLastError.KERNEL32(?,?,?,000D60C3), ref: 000D6374
Part of subcall function 000D6318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,000D60C3), ref: 000D6388

_wcscat.LIBCMT ref: 000D6042
SHFileOperationW.SHELL32 ref: 000D60AA

Strings

\*.*, xrefs: 000D603C

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: File$FullNamePath$AttributesCreateDirectoryErrorLastMoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1724171360-1173974218
Opcode ID: 1c38c83505587a39bebe66349b130343643a407dd7324be7762f5784272dca28
Instruction ID: 74e713cff2d158da531d51b990f5543b307089cf8e3e824bb42ad4a7f752206a
Opcode Fuzzy Hash: 1c38c83505587a39bebe66349b130343643a407dd7324be7762f5784272dca28
Instruction Fuzzy Hash: 4F31FB72C043199ADF55DBA4D849FEE77B9AF0C304F0401AAA809E3253EA75D789CB61

Function 000F8FC8 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 000F8FE7
GetWindowLongW.USER32(00E09F10,000000F0), ref: 000F901A
GetWindowLongW.USER32(00E09F10,000000F0), ref: 000F904F
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 000F9081
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 000F90AB
GetWindowLongW.USER32(?,000000F0), ref: 000F90BC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 000F90D6

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 42bd3744ef8bec42efa7cb95ef0ab72b95e9fb5871ac4c24d2e71250eedcdd68
Instruction ID: 54a69d7eaa680a7245293e86e6a2b7c1308fd6f0d53cd35cd4f346329711bf32
Opcode Fuzzy Hash: 42bd3744ef8bec42efa7cb95ef0ab72b95e9fb5871ac4c24d2e71250eedcdd68
Instruction Fuzzy Hash: 0C312634600219EFDB218F58DC89FA437E6FB4A714F144164F6198FAB2CFB1A880EB41

Function 000D08AF Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000D08F2
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000D0918
SysAllocString.OLEAUT32(00000000), ref: 000D091B
SysAllocString.OLEAUT32(?), ref: 000D0939
SysFreeString.OLEAUT32(?), ref: 000D0942
StringFromGUID2.OLE32(?,?,00000028), ref: 000D0967
SysAllocString.OLEAUT32(?), ref: 000D0975

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: d1e3cd45408bde1036eb9bfba8301f4153b919ea5ee1efd727621406ba3f30f7
Instruction ID: 17817a835a89a918f08836dda25226dc5f13f5ca5d55cdfbc1aca4f080557351
Opcode Fuzzy Hash: d1e3cd45408bde1036eb9bfba8301f4153b919ea5ee1efd727621406ba3f30f7
Instruction Fuzzy Hash: 75215676601319AFDB109FB8DC84EFBB3ECEB09360B408126F959DB651D670EC458764

Function 000D2472 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 000D2485
__wcsnicmp.LIBCMT ref: 000D24A6
__wcsnicmp.LIBCMT ref: 000D24C0

Strings

#OnAutoItStartRegister, xrefs: 000D24BA
#notrayicon, xrefs: 000D247D
#requireadmin, xrefs: 000D24A0

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: ad4514d3e91caf20fbcc1b4a713d29547f779c8cdd5cb0c50efcb3b89cde0ab1
Instruction ID: 9db6b9c8ae932c1ea31f8e816fcb1f86cb1cb2e3083d8522ad277c3457c1a7d2
Opcode Fuzzy Hash: ad4514d3e91caf20fbcc1b4a713d29547f779c8cdd5cb0c50efcb3b89cde0ab1
Instruction Fuzzy Hash: D3212831104B1166D231A674EC12FFB73D8EF75300F50402BF84597286EB65999283B5

Function 000D0986 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000D09CB
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000D09F1
SysAllocString.OLEAUT32(00000000), ref: 000D09F4
SysAllocString.OLEAUT32 ref: 000D0A15
SysFreeString.OLEAUT32 ref: 000D0A1E
StringFromGUID2.OLE32(?,?,00000028), ref: 000D0A38
SysAllocString.OLEAUT32(?), ref: 000D0A46

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: f736050a703908209856c53d41f3a7bbffb999a9377645d7fb6b23f5a65983f7
Instruction ID: 521e5523f628d8d759945ad76326903b347767405a46e8d827687a3a7c85fa4a
Opcode Fuzzy Hash: f736050a703908209856c53d41f3a7bbffb999a9377645d7fb6b23f5a65983f7
Instruction Fuzzy Hash: EF216275600304AFDB149BECDD89DAAB7ECEF09360B008126F90DCB661D670EC818765

Function 000FA2C8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000AD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 000AD1BA
Part of subcall function 000AD17C: GetStockObject.GDI32(00000011), ref: 000AD1CE
Part of subcall function 000AD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 000AD1D8

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 000FA32D
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 000FA33A
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 000FA345
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 000FA354
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 000FA360

Strings

Msctls_Progress32, xrefs: 000FA2FE

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 56e3dc3945c55be039988f58599b9f7928f6eb6c04ba9b670fc96d60ee0a3c14
Instruction ID: 7a992d3c46f9ef48845f2ec3164b887ab72c92f40d7458bdac9eca4d8bda57be
Opcode Fuzzy Hash: 56e3dc3945c55be039988f58599b9f7928f6eb6c04ba9b670fc96d60ee0a3c14
Instruction Fuzzy Hash: 43118EB125021DBEEF155FA0CC85EEB7F6DEF09798F014115BA08A60A0C6729C21DBA4

Function 000B3FAD Relevance: 10.5, APIs: 7, Instructions: 47threadCOMMON

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 000B3FAE

Part of subcall function 000B7A25: GetLastError.KERNEL32(00000001,000AF507,000B7C13,000B39E3,?,?,000AF507,?,0000000E), ref: 000B7A27
Part of subcall function 000B7A25: __calloc_crt.LIBCMT ref: 000B7A48
Part of subcall function 000B7A25: GetCurrentThreadId.KERNEL32 ref: 000B7A71
Part of subcall function 000B7A25: SetLastError.KERNEL32(00000000,000AF507,?,0000000E), ref: 000B7A89

CloseHandle.KERNEL32(?,?,000B3F8D), ref: 000B3FC2
__freeptd.LIBCMT ref: 000B3FC9
RtlExitUserThread.KERNEL32(00000000,?,000B3F8D), ref: 000B3FD1
GetLastError.KERNEL32(?,?,000B3F8D), ref: 000B4001
RtlExitUserThread.KERNEL32(00000000,?,?,000B3F8D), ref: 000B4008
__freefls@4.LIBCMT ref: 000B4024

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: ErrorLastThread$ExitUser$CloseCurrentHandle__calloc_crt__freefls@4__freeptd__getptd_noexit
String ID:
API String ID: 1445074172-0
Opcode ID: 897003f5b6b08bb378c021bf48c45efbf221fcdef81befe4495684d290813c3d
Instruction ID: 04de1a2fc81db1fe5832e777379fe1d2ae3d38d745930695075a8e2b8ed90c84
Opcode Fuzzy Hash: 897003f5b6b08bb378c021bf48c45efbf221fcdef81befe4495684d290813c3d
Instruction Fuzzy Hash: B501DF74908706ABC718BB74E9095E97BE4FF443107248468F52C8B683EF34D941C682

Function 000ACCCD Relevance: 9.3, APIs: 6, Instructions: 253COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 000ACCF6
GetWindowRect.USER32(?,?), ref: 000ACD37
ScreenToClient.USER32(?,?), ref: 000ACD5F
GetClientRect.USER32(?,?), ref: 000ACE8C
GetWindowRect.USER32(?,?), ref: 000ACEA5

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 52b147b0b22cb2baf3335b81196a2f95bec9993030a76192ba35eafa6289ab28
Instruction ID: bb8b88b3dc2350f9ed65a94006bb0bfd1fc38431606f9820ffc4f1668f0849cb
Opcode Fuzzy Hash: 52b147b0b22cb2baf3335b81196a2f95bec9993030a76192ba35eafa6289ab28
Instruction Fuzzy Hash: 70B14B79A00249DBDF14CFA9C580BEDBBF1FF09300F159529EC99AB254DB70A950CB64

Function 000F1BDF Relevance: 9.2, APIs: 6, Instructions: 163processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 000F1C18
Process32FirstW.KERNEL32(00000000,?), ref: 000F1C26
__wsplitpath.LIBCMT ref: 000F1C54

Part of subcall function 000B1DFC: __wsplitpath_helper.LIBCMT ref: 000B1E3C

_wcscat.LIBCMT ref: 000F1C69
Process32NextW.KERNEL32(00000000,?), ref: 000F1CDF
CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 000F1CF1

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
String ID:
API String ID: 1380811348-0
Opcode ID: 661a542cc1d2bd97ffed946f6f1c595df768539b887aa1ea772a277daeafeb92
Instruction ID: c157b2bb972e1e007be1f75ee290cd3aab3ac57cbb851388b06b6f67eaa5193b
Opcode Fuzzy Hash: 661a542cc1d2bd97ffed946f6f1c595df768539b887aa1ea772a277daeafeb92
Instruction Fuzzy Hash: 79515D71508344AFD720EF64D885EEBB7E8EF88754F00492EF58597252EB70DA04CBA2

Function 000F2FD6 Relevance: 9.2, APIs: 6, Instructions: 160registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000F3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000F2BB5,?,?), ref: 000F3C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000F30AF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 000F30EF
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 000F3112
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 000F313B
RegCloseKey.ADVAPI32(?,?,00000000), ref: 000F317E
RegCloseKey.ADVAPI32(00000000), ref: 000F318B

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 3451389628-0
Opcode ID: 9d58942047c483480fd27b925e27899f7e9df7789df4245988783359dac38f58
Instruction ID: af2dacb47d61ccdc04133cd7d9da6c169966262b1dcee3a07ab7b42be5665af3
Opcode Fuzzy Hash: 9d58942047c483480fd27b925e27899f7e9df7789df4245988783359dac38f58
Instruction Fuzzy Hash: A1514A31508304AFDB14EF64C895EAEB7E9FF89310F04491DF655872A2DB31EA05EB52

Function 000F84DE Relevance: 9.2, APIs: 6, Instructions: 152windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 000F8540
GetMenuItemCount.USER32(00000000), ref: 000F8577
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 000F859F
GetMenuItemID.USER32(?,?), ref: 000F860E
GetSubMenu.USER32(?,?), ref: 000F861C
PostMessageW.USER32(?,00000111,?,00000000), ref: 000F866D

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 97918c7cb1a1f8e4f9b602b2c90ad9fc2e5842b0714266539e852a88af76ed32
Instruction ID: 19ddf3d94459e94d1338df77fd4fad1f346dfce2f316c9b55377898b3f1b3919
Opcode Fuzzy Hash: 97918c7cb1a1f8e4f9b602b2c90ad9fc2e5842b0714266539e852a88af76ed32
Instruction Fuzzy Hash: 6E51B031A00619AFCF11EFA4C945AEEB7F5EF48710F108469EA05BB751DB30AE419B90

Function 000D4AC2 Relevance: 9.1, APIs: 6, Instructions: 136windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000D4B10
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000D4B5B
IsMenu.USER32(00000000), ref: 000D4B7B
CreatePopupMenu.USER32 ref: 000D4BAF
GetMenuItemCount.USER32(000000FF), ref: 000D4C0D
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 000D4C3E

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 5367450193da68885d7ec34c74f2eeaf865550400fd6aa145867d14ba17658f2
Instruction ID: fd00ec4dae942e64a527313e006581befc3917b32163f8985f9e07367d6df6ba
Opcode Fuzzy Hash: 5367450193da68885d7ec34c74f2eeaf865550400fd6aa145867d14ba17658f2
Instruction Fuzzy Hash: C151DD70601309EBCFA4CF68D988BEDBBF5AF54318F14815BE4159A391E3B19944CB21

Function 000E8DE2 Relevance: 9.1, APIs: 6, Instructions: 136networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,0012DC00), ref: 000E8E7C
WSAGetLastError.WSOCK32(00000000), ref: 000E8E89
__WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 000E8EAD
6FE41E40.WSOCK32(?,?,00000000,00000000), ref: 000E8EC5
_strlen.LIBCMT ref: 000E8EF7
WSAGetLastError.WSOCK32(00000000), ref: 000E8F6A

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: ErrorLast$_strlenselect
String ID:
API String ID: 2217125717-0
Opcode ID: 0d284c8d87171b2391ea21b8c58fb92813d8ba3116811661446c581439923868
Instruction ID: 5ab46f17226150189d88531509eb96c132f399a64fd864aaec9102eb21d49385
Opcode Fuzzy Hash: 0d284c8d87171b2391ea21b8c58fb92813d8ba3116811661446c581439923868
Instruction Fuzzy Hash: 3941E871500244AFCB14EBA5DD95EEEB7B9EF58314F108169F11AA72D2DF309E40CB60

Function 000AABF5 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 000AB34E: GetWindowLongW.USER32(?,000000EB), ref: 000AB35F

BeginPaint.USER32(?,?,?), ref: 000AAC2A
GetWindowRect.USER32(?,?), ref: 000AAC8E
ScreenToClient.USER32(?,?), ref: 000AACAB
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 000AACBC
EndPaint.USER32(?,?,?,?,?), ref: 000AAD06
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 0010E673

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
String ID:
API String ID: 2592858361-0
Opcode ID: dcbe8aeb7632c0f1947fdae2d0ea265f681533033ee0c051a85e0531c08944ba
Instruction ID: d4b1120316423d45d06a7a8ec2f1e68c15a08570be365dfb87cf93855864255c
Opcode Fuzzy Hash: dcbe8aeb7632c0f1947fdae2d0ea265f681533033ee0c051a85e0531c08944ba
Instruction Fuzzy Hash: 8041A270204300AFD711DF64DC84FBB7BE8EB56321F144669F9A58B2E2C7719884DB62

Function 000FE397 Relevance: 9.1, APIs: 6, Instructions: 108windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00151628,00000000,00151628,00000000,00000000,00151628,?,0010DC5D,00000000,?,00000000,00000000,00000000,?,0010DAD1,00000004), ref: 000FE40B
EnableWindow.USER32(?,00000000), ref: 000FE42F
ShowWindow.USER32(00151628,00000000), ref: 000FE48F
ShowWindow.USER32(?,00000004), ref: 000FE4A1
EnableWindow.USER32(?,00000001), ref: 000FE4C5
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 000FE4E8

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 4b9b1344b443e111ffad935f1d648cbed55556cac79db49a380e0e6f8f291da9
Instruction ID: 84408eba0187ee7acbe50441525eebdcb21fd691766779fc36a053a9fbf66fc5
Opcode Fuzzy Hash: 4b9b1344b443e111ffad935f1d648cbed55556cac79db49a380e0e6f8f291da9
Instruction Fuzzy Hash: EA416234601194EFDB65CF28D599BA47BE1BF05304F1881A9EB588F9B2C731B841EB51

Function 000D98BA Relevance: 9.1, APIs: 6, Instructions: 100fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 000D98D1

Part of subcall function 000AF4EA: std::exception::exception.LIBCMT ref: 000AF51E
Part of subcall function 000AF4EA: __CxxThrowException@8.LIBCMT ref: 000AF533

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 000D9908
RtlEnterCriticalSection.KERNEL32(?), ref: 000D9924
RtlLeaveCriticalSection.KERNEL32(?), ref: 000D999E
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 000D99B3
InterlockedExchange.KERNEL32(?,000001F6), ref: 000D99D2

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 2537439066-0
Opcode ID: 0c3672700c8d1fa1e47f31e712e68ac2b36576b7b2c18e2120a97576920de672
Instruction ID: 6b4cf8508edc9345e921e25c131c90d53ad11833977bc73048b9a0d18b8710bc
Opcode Fuzzy Hash: 0c3672700c8d1fa1e47f31e712e68ac2b36576b7b2c18e2120a97576920de672
Instruction Fuzzy Hash: 6D317031900205EBDB10EFA9DD85EEEB7B8FF45310B1480A9F905AB256D774DE50CBA0

Function 000E9B45 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,000E77F4,?,?,00000000,00000001), ref: 000E9B53

Part of subcall function 000E6544: GetWindowRect.USER32(?,?), ref: 000E6557

GetDesktopWindow.USER32 ref: 000E9B7D
GetWindowRect.USER32(00000000), ref: 000E9B84
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 000E9BB6

Part of subcall function 000D7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 000D7AD0

GetCursorPos.USER32(?), ref: 000E9BE2
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 000E9C44

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 2f2ebaa4907a33ff4c065ca056a1ae165f616ec8f2502ef49e06947cb2312c89
Instruction ID: 45ff870f9410318f06001867d0a15e7bf3ad185299843f8a574c2632b7cfd0d0
Opcode Fuzzy Hash: 2f2ebaa4907a33ff4c065ca056a1ae165f616ec8f2502ef49e06947cb2312c89
Instruction Fuzzy Hash: E031EF72104355AFC710DF19E949F9AB7EAFF88314F00091AF589E7282DB31EA44CB92

Function 000FEBF6 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 000AAF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 000AAFE3
Part of subcall function 000AAF83: SelectObject.GDI32(?,00000000), ref: 000AAFF2
Part of subcall function 000AAF83: BeginPath.GDI32(?), ref: 000AB009
Part of subcall function 000AAF83: SelectObject.GDI32(?,00000000), ref: 000AB033

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 000FEC20
LineTo.GDI32(00000000,00000003,?), ref: 000FEC34
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 000FEC42
LineTo.GDI32(00000000,00000000,?), ref: 000FEC52
EndPath.GDI32(00000000), ref: 000FEC62
StrokePath.GDI32(00000000), ref: 000FEC72

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 8fb49b92d93baa50977e673b9a8c1c77cae6715ba02ac3a3f46605abdbe60eaa
Instruction ID: f7e02f0e2fe80e86812626fb5660f17ccce4aba82e03b87f8435f9baad065209
Opcode Fuzzy Hash: 8fb49b92d93baa50977e673b9a8c1c77cae6715ba02ac3a3f46605abdbe60eaa
Instruction Fuzzy Hash: 0511097200014DBFEB069F90ED88EEA7FADEB08350F048122BE0889560D7719D95DBA0

Function 000CE19B Relevance: 9.0, APIs: 6, Instructions: 48COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 000CE1C0
GetDeviceCaps.GDI32(00000000,00000058), ref: 000CE1D1
GetDeviceCaps.GDI32(00000000,0000005A), ref: 000CE1D8
ReleaseDC.USER32(00000000,00000000), ref: 000CE1E0
MulDiv.KERNEL32(000009EC,?,00000000), ref: 000CE1F7
MulDiv.KERNEL32(000009EC,?,?), ref: 000CE209

Part of subcall function 000C9AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,000C9A05,00000000,00000000,?,000C9DDB), ref: 000CA53A

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: CapsDevice$ExceptionRaiseRelease
String ID:
API String ID: 603618608-0
Opcode ID: f76967a0336da61cdf04b6988cdc5dd232b0b43f61b5f435923e76483ef4e78e
Instruction ID: 460b5a38e53a7df438623d82a1220d780eebd8e09f9c3b4f6c6894f5b3528a9b
Opcode Fuzzy Hash: f76967a0336da61cdf04b6988cdc5dd232b0b43f61b5f435923e76483ef4e78e
Instruction Fuzzy Hash: 170184B5A00714BFEB109BA5DD45F9EBFB8EB48351F048066EE04A7290D6709C00CFA0

Function 000B7B47 Relevance: 9.0, APIs: 6, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 000B7B47

Part of subcall function 000B123A: __initp_misc_winsig.LIBCMT ref: 000B125E
Part of subcall function 000B123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 000B7F51
Part of subcall function 000B123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 000B7F65
Part of subcall function 000B123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 000B7F78
Part of subcall function 000B123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 000B7F8B
Part of subcall function 000B123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 000B7F9E
Part of subcall function 000B123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 000B7FB1
Part of subcall function 000B123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 000B7FC4
Part of subcall function 000B123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 000B7FD7
Part of subcall function 000B123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 000B7FEA
Part of subcall function 000B123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 000B7FFD
Part of subcall function 000B123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 000B8010
Part of subcall function 000B123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 000B8023
Part of subcall function 000B123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 000B8036
Part of subcall function 000B123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 000B8049
Part of subcall function 000B123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 000B805C
Part of subcall function 000B123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 000B806F

__mtinitlocks.LIBCMT ref: 000B7B4C

Part of subcall function 000B7E23: InitializeCriticalSectionAndSpinCount.KERNEL32(0014AC68,00000FA0,?,?,000B7B51,000B5E77,00146C70,00000014), ref: 000B7E41

__mtterm.LIBCMT ref: 000B7B55

Part of subcall function 000B7BBD: RtlDeleteCriticalSection.KERNEL32(00000000,00000000,?,?,000B7B5A,000B5E77,00146C70,00000014), ref: 000B7D3F
Part of subcall function 000B7BBD: _free.LIBCMT ref: 000B7D46
Part of subcall function 000B7BBD: RtlDeleteCriticalSection.KERNEL32(0014AC68,?,?,000B7B5A,000B5E77,00146C70,00000014), ref: 000B7D68

__calloc_crt.LIBCMT ref: 000B7B7A
GetCurrentThreadId.KERNEL32 ref: 000B7BA3

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
String ID:
API String ID: 2942034483-0
Opcode ID: 5af33cc2ccd19db97645cc6c48718ef1a6bdda86daf42e72f409d173a2879d93
Instruction ID: 7cf84c6d1624c1c3ebed024ee95e56e601808ddb8752924657eff0f30c917227
Opcode Fuzzy Hash: 5af33cc2ccd19db97645cc6c48718ef1a6bdda86daf42e72f409d173a2879d93
Instruction Fuzzy Hash: D5F0903214D71219E66977347C06FCA26C4DF82730B2106A9F86CC51E3FF2588415961

Function 000927EC Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 0009281D
MapVirtualKeyW.USER32(00000010,00000000), ref: 00092825
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00092830
MapVirtualKeyW.USER32(000000A1,00000000), ref: 0009283B
MapVirtualKeyW.USER32(00000011,00000000), ref: 00092843
MapVirtualKeyW.USER32(00000012,00000000), ref: 0009284B

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 622db6befb7d044601b6a21a7d60ffa7fc3170abcb1f1e012cf84c84db4a670a
Instruction ID: dd052527b21ee66b2e6aafbbd0726a733aacfa7b2f0202d88f5b6978fe19faac
Opcode Fuzzy Hash: 622db6befb7d044601b6a21a7d60ffa7fc3170abcb1f1e012cf84c84db4a670a
Instruction Fuzzy Hash: 2B0167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C47A42C7F5A864CBE5

Function 000D9AD5 Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 1423608774-0
Opcode ID: ac5d8db8ac66ffdcba607bedc6bb29471c034a33c9d1faeb8d207fb634ab2bfe
Instruction ID: 43092df8f67c514ad499b86b873e241525fe5643422589667ad232426e17fb26
Opcode Fuzzy Hash: ac5d8db8ac66ffdcba607bedc6bb29471c034a33c9d1faeb8d207fb634ab2bfe
Instruction Fuzzy Hash: 5201A433202322ABD7191B98FD48EEB77B9FF88701B44452AF503929A0DB749C40DBA1

Function 000D7BF7 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 000D7C07
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 000D7C1D
GetWindowThreadProcessId.USER32(?,?), ref: 000D7C2C
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 000D7C3B
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 000D7C45
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 000D7C4C

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 158714bdc42a575ddb5fc1e93d67e1df5a4a585ae85e4addf986216b2f948d09
Instruction ID: 5fcdb843c38950429a840e70655ce876831d2171bb015a93b602d30b90e08c19
Opcode Fuzzy Hash: 158714bdc42a575ddb5fc1e93d67e1df5a4a585ae85e4addf986216b2f948d09
Instruction Fuzzy Hash: 64F0BE72241158BFE7241B52AD0EEEF3FBCEFC6B11F004018FA01D1050E7A41A81C6B5

Function 000D9A20 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 000D9A33
RtlEnterCriticalSection.KERNEL32(?,?,?,?,00105DEE,?,?,?,?,?,0009ED63), ref: 000D9A44
TerminateThread.KERNEL32(?,000001F6,?,?,?,00105DEE,?,?,?,?,?,0009ED63), ref: 000D9A51
WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00105DEE,?,?,?,?,?,0009ED63), ref: 000D9A5E

Part of subcall function 000D93D1: CloseHandle.KERNEL32(?,?,000D9A6B,?,?,?,00105DEE,?,?,?,?,?,0009ED63), ref: 000D93DB

InterlockedExchange.KERNEL32(?,000001F6), ref: 000D9A71
RtlLeaveCriticalSection.KERNEL32(?,?,?,?,00105DEE,?,?,?,?,?,0009ED63), ref: 000D9A78

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 29ac4c2414b929d8c425621fba940bbd329cb7da448645bd80f542d149d0a6c4
Instruction ID: 5a274b937c15f03f23ae1a48a76ab22bbe2111269d95593f6052382e21f8b165
Opcode Fuzzy Hash: 29ac4c2414b929d8c425621fba940bbd329cb7da448645bd80f542d149d0a6c4
Instruction Fuzzy Hash: C8F02733141311ABD3191BA8FE8CDEF7779FF84301B444022F503928A0CB749840DBA0

Function 00091CDE Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 250COMMON

Download Yara Rule

APIs

Part of subcall function 000AF4EA: std::exception::exception.LIBCMT ref: 000AF51E
Part of subcall function 000AF4EA: __CxxThrowException@8.LIBCMT ref: 000AF533

__swprintf.LIBCMT ref: 00091EA6

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00091D49

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 2125237772-557222456
Opcode ID: 1b06901103264e72f5612a4eedddc87871ee4b35ee3b960a0357003a903fb06f
Instruction ID: 70db553e2f3b359044299e0a699b328ae26a77d1383c74d6c243647e5803834e
Opcode Fuzzy Hash: 1b06901103264e72f5612a4eedddc87871ee4b35ee3b960a0357003a903fb06f
Instruction Fuzzy Hash: 86915E75608202AFCB24EF64C895CAEB7F4BF95700F04492DF885972A2DB71ED05DB92

Function 000EAFE0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 229COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 000EB006
CharUpperBuffW.USER32(?,?), ref: 000EB115
VariantClear.OLEAUT32(?), ref: 000EB298

Part of subcall function 000D9DC5: VariantInit.OLEAUT32(00000000), ref: 000D9E05
Part of subcall function 000D9DC5: VariantCopy.OLEAUT32(?,?), ref: 000D9E0E
Part of subcall function 000D9DC5: VariantClear.OLEAUT32(?), ref: 000D9E1A

Strings

AUTOIT.ERROR, xrefs: 000EB11B
Incorrect Parameter format, xrefs: 000EB03E, 000EB20B

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 365a3fd8858f37c8877f95afc3e3fa6c668b32eca500d0bcd8915eeb14494f30
Instruction ID: 342784b6b2dcd34c92d35c08a696bb43293704a509ff8984c6e2a94eecf354a5
Opcode Fuzzy Hash: 365a3fd8858f37c8877f95afc3e3fa6c668b32eca500d0bcd8915eeb14494f30
Instruction Fuzzy Hash: BA918C706083419FCB10DF65C4819AFB7E4EF89700F04886EF99AAB362DB31E905CB52

Function 000D5347 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 180windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000AC6F4: _wcscpy.LIBCMT ref: 000AC717

_memset.LIBCMT ref: 000D5438
GetMenuItemInfoW.USER32(?), ref: 000D5467
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 000D5513
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 000D553D

Strings

0, xrefs: 000D5430

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 41147ff156c59c31bd920e4003bc764bd838674827274f751d608bc741f02014
Instruction ID: bf680cf5e32897250bb7d1d671001e53d6d5179fb87a651943eb4595f52c2c88
Opcode Fuzzy Hash: 41147ff156c59c31bd920e4003bc764bd838674827274f751d608bc741f02014
Instruction Fuzzy Hash: 94510171104B019BD7969F28DC41BAFB7E9AF85356F04062BFCA5D3291EB60CD848B62

Function 000D0213 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 000D027B
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 000D02B1
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 000D02C2
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 000D0344

Strings

DllGetClassObject, xrefs: 000D02B7

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: c14dbe02eca734f3dec4858bf7518747df83fbcfa93b2d20c2fc00a9dd8af461
Instruction ID: 1117ef1c2a18845a3fbfcfd9531958f17484de4c72ad7c275dbd60bc811d3f8c
Opcode Fuzzy Hash: c14dbe02eca734f3dec4858bf7518747df83fbcfa93b2d20c2fc00a9dd8af461
Instruction Fuzzy Hash: D04119B1600308AFDB59CF64C985B9A7BB9EF44314F1480AAE90D9F256D7B1DA44CBA0

Function 000D5007 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000D5075
GetMenuItemInfoW.USER32 ref: 000D5091
DeleteMenu.USER32(00000004,00000007,00000000), ref: 000D50D7
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00151708,00000000), ref: 000D5120

Strings

0, xrefs: 000D506D

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: f1b03624f5a279b8480bdfe9f1d67e89c584a0162ac0f8b3d585f11e61f6b7c1
Instruction ID: 4f12055fdf1cc1dd9d6f9787596e34c178a9ad6c9732682019a4173ff6f109ae
Opcode Fuzzy Hash: f1b03624f5a279b8480bdfe9f1d67e89c584a0162ac0f8b3d585f11e61f6b7c1
Instruction Fuzzy Hash: DF419D752047019FD720DF28DC84BAABBE8AF85325F144A1EF995973D2D730E940CB62

Function 000DE698 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 000DE742
GetLastError.KERNEL32(?,00000000), ref: 000DE768
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 000DE78D
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 000DE7B9

Strings

p1Mw`KNw, xrefs: 000DE78D

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID: p1Mw`KNw
API String ID: 3321077145-3626030660
Opcode ID: 0a5f7e4267fdcc22be3f31b79dd6cff5fed29d03aadb9517b241f25302123d79
Instruction ID: d92d325e58bff919267779293a89f8ed31d9ea96a0c3877444d8f5b0c5afe2bb
Opcode Fuzzy Hash: 0a5f7e4267fdcc22be3f31b79dd6cff5fed29d03aadb9517b241f25302123d79
Instruction Fuzzy Hash: 62412739200610EFCF11AF28C54598DBBE5BF59720B09C099E906AF7A2CB35FD409B91

Function 000F0567 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?), ref: 000F0587

Strings

none, xrefs: 000F0662
winapi, xrefs: 000F05F8
stdcall, xrefs: 000F0609
cdecl, xrefs: 000F05DE

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 2358735015-567219261
Opcode ID: 88b318dd85a4827aebf1002ea9f7e8c7b905746b424021e1676b25d176670313
Instruction ID: ac7a1f1fc7257c94301c7f47695295e0794880ac0f9b60de397c57ce0c6f706c
Opcode Fuzzy Hash: 88b318dd85a4827aebf1002ea9f7e8c7b905746b424021e1676b25d176670313
Instruction Fuzzy Hash: 5031E23050021AAFCF00EF94CD519FEB3B4FF45324B008629E926A76D2DB71E906DB80

Function 000CB80A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 000CB88E
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 000CB8A1
SendMessageW.USER32(?,00000189,?,00000000), ref: 000CB8D1

Strings

ListBox, xrefs: 000CB84D
ComboBox, xrefs: 000CB815

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 4b5abc84fd9aad6d0136c17585c7a3e2764ff99515d7fbcf7f13fade1cf76b25
Instruction ID: 9ecd843b83c66e4add4d65c9ff5ff927db75c919686d9b06d115171ffed1a096
Opcode Fuzzy Hash: 4b5abc84fd9aad6d0136c17585c7a3e2764ff99515d7fbcf7f13fade1cf76b25
Instruction Fuzzy Hash: E621AD76900108BFDB18ABA4D887EFE77B8DF46350F14412DF426A71E2DB75490ADB60

Function 000E43E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 000E4401
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 000E4427
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 000E4457
InternetCloseHandle.WININET(00000000), ref: 000E449E

Part of subcall function 000E5052: GetLastError.KERNEL32(?,?,000E43CC,00000000,00000000,00000001), ref: 000E5067

Strings

, xrefs: 000E4450

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 1951874230-3916222277
Opcode ID: c0efdea057fd209262581b4962e97b7637ba8f78fba1986ac6360a3a5ac0ef43
Instruction ID: afd81208742b46da4052e97915e5fcc2474ecee88e4ce7e12fceaf11368e7321
Opcode Fuzzy Hash: c0efdea057fd209262581b4962e97b7637ba8f78fba1986ac6360a3a5ac0ef43
Instruction Fuzzy Hash: 3C21CFB2600208BFE7259F56DC85EFFB6ECEB88748F10841AF209E2181EA748D459770

Function 000F90E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 000AD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 000AD1BA
Part of subcall function 000AD17C: GetStockObject.GDI32(00000011), ref: 000AD1CE
Part of subcall function 000AD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 000AD1D8

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 000F915C
LoadLibraryW.KERNEL32(?), ref: 000F9163
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 000F9178
DestroyWindow.USER32(?), ref: 000F9180

Strings

SysAnimate32, xrefs: 000F9137

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 96a11726eb026171554f4e9a2ce33c96a86c6715051fbb42618b27ebdc3278cb
Instruction ID: bd4e27696024daa5a7164b8b6aaf44c441cff31b8885b54562cfd9029822fc17
Opcode Fuzzy Hash: 96a11726eb026171554f4e9a2ce33c96a86c6715051fbb42618b27ebdc3278cb
Instruction Fuzzy Hash: 6C218E7160020ABBEF204E649C85FBA37EDFB99364F104628FA1492590C771DC91B760

Function 000D9568 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 000D9588
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 000D95B9
GetStdHandle.KERNEL32(0000000C), ref: 000D95CB
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 000D9605

Strings

nul, xrefs: 000D9600

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 4ed36096979c469d332aa6716165ec826bfc95c129bbecfa21399ba01416a716
Instruction ID: b01a9489e2570382cb0a976e30d884b5f5b1fa552bb329b0e10a621e62b1479c
Opcode Fuzzy Hash: 4ed36096979c469d332aa6716165ec826bfc95c129bbecfa21399ba01416a716
Instruction Fuzzy Hash: CD215E70600705EBDB259F25EC05ADE7BE8AF55720F204A2AF9A1D73D4D770D940CB20

Function 000D9634 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 000D9653
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 000D9683
GetStdHandle.KERNEL32(000000F6), ref: 000D9694
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 000D96CE

Strings

nul, xrefs: 000D96C9

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 3c20f16d2162ef74eda41af9dd1a87d0b751caae473d0888cdd1e1e7b2393776
Instruction ID: 7430c5f0096bccb2581223428a2c26d61817c6fcab3bf051dd5421923f7d9b57
Opcode Fuzzy Hash: 3c20f16d2162ef74eda41af9dd1a87d0b751caae473d0888cdd1e1e7b2393776
Instruction Fuzzy Hash: 3E217F71600305ABDB249F699C44EDEB7E8AF55724F204A5AF9A1E73D0E770D841CB70

Function 000CC9E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000CC82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 000CC84A
Part of subcall function 000CC82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 000CC85D
Part of subcall function 000CC82D: GetCurrentThreadId.KERNEL32 ref: 000CC864
Part of subcall function 000CC82D: AttachThreadInput.USER32(00000000), ref: 000CC86B

GetFocus.USER32 ref: 000CCA05

Part of subcall function 000CC876: GetParent.USER32(?), ref: 000CC884

GetClassNameW.USER32(?,?,00000100), ref: 000CCA4E
EnumChildWindows.USER32(?,000CCAC4), ref: 000CCA76
__swprintf.LIBCMT ref: 000CCA90

Strings

%s%d, xrefs: 000CCA8A

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
String ID: %s%d
API String ID: 3187004680-1110647743
Opcode ID: 4ec1e7f99f8442cbea5d153fbbfd427cf1dd62d1cc8f56d1209bfd2b37a7bd88
Instruction ID: 077d52a8ad68907e2684039bbd276095b63e6aeb72f78babfcd1577097455c29
Opcode Fuzzy Hash: 4ec1e7f99f8442cbea5d153fbbfd427cf1dd62d1cc8f56d1209bfd2b37a7bd88
Instruction Fuzzy Hash: 51114F716002096BEF11BFA0DC99FEE3769AB45714F04806AFA0CAA187DB709945DB71

Function 000B7452 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000B7A0D: __getptd_noexit.LIBCMT ref: 000B7A0E

__lock.LIBCMT ref: 000B748F
InterlockedDecrement.KERNEL32(?), ref: 000B74AC
_free.LIBCMT ref: 000B74BF
InterlockedIncrement.KERNEL32(00E02D40), ref: 000B74D7

Strings

@-, xrefs: 000B74C5, 000B74CD

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
String ID: @-
API String ID: 2704283638-3099210348
Opcode ID: 1514e5d1e71368639ab162ef9d9d4a3b012327051930a18fe155329508203e2f
Instruction ID: d550f852673bfbbeac7cf6df4f02b03f092cbacb1350311a2498e3cf4bcc5890
Opcode Fuzzy Hash: 1514e5d1e71368639ab162ef9d9d4a3b012327051930a18fe155329508203e2f
Instruction Fuzzy Hash: 6B01493190A620ABD762AF34A5057DDBBA0BF85712F154009F41CB3A91CB345D80CFD3

Function 000F1945 Relevance: 7.7, APIs: 5, Instructions: 232COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 000F19F3
GetProcessIoCounters.KERNEL32(00000000,?), ref: 000F1A26
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 000F1B49
CloseHandle.KERNEL32(?), ref: 000F1BBF

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 66a4806f8b3f961896faa6194e6746786cf6660e4ecbd06f614ef9904888c803
Instruction ID: 6ee2b37e84d45f8e260da7d144632d17a617abe7440bd2d3d988fb09bd95bc06
Opcode Fuzzy Hash: 66a4806f8b3f961896faa6194e6746786cf6660e4ecbd06f614ef9904888c803
Instruction Fuzzy Hash: 92817274600204EBDF14EFA4C886BEDBBE5AF05720F14C459FA05AF782D7B5A941DB90

Function 000FE062 Relevance: 7.7, APIs: 5, Instructions: 187windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 000FE1D5
SendMessageW.USER32(?,000000B0,?,?), ref: 000FE20D
IsDlgButtonChecked.USER32(?,00000001), ref: 000FE248
GetWindowLongW.USER32(?,000000EC), ref: 000FE269
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 000FE281

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: MessageSend$ButtonCheckedLongWindow
String ID:
API String ID: 3188977179-0
Opcode ID: 427b35ca34c07af22110f864ccd19ff3a2e02695cea50c7761de8346e9603bfb
Instruction ID: 0e097ce090cfb0b3e14eb5be82163a9a131bac86a8865347b4d8d63182847725
Opcode Fuzzy Hash: 427b35ca34c07af22110f864ccd19ff3a2e02695cea50c7761de8346e9603bfb
Instruction Fuzzy Hash: 58618034A00288AFDB65CF59C854FFA77FAFF89300F148459FA559B6A1C774A980EB10

Function 000D1C9A Relevance: 7.7, APIs: 5, Instructions: 158COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 000D1CB4
VariantClear.OLEAUT32(00000013), ref: 000D1D26
VariantClear.OLEAUT32(00000000), ref: 000D1D81
VariantClear.OLEAUT32(?), ref: 000D1DF8
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 000D1E26

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: a42bc0ca35b3a94e0268b57406b0dd340ae385c56741d575e5d44e226a94f1b8
Instruction ID: 5b3cdf9529fa659308d710b5cab26688cc3f81b34eb63670dd2b2972675fc336
Opcode Fuzzy Hash: a42bc0ca35b3a94e0268b57406b0dd340ae385c56741d575e5d44e226a94f1b8
Instruction Fuzzy Hash: 005147B5A00209EFDB14CF58D880AEAB7F9FF4C314B15855AE959DB301E730EA51CBA0

Function 000F0688 Relevance: 7.6, APIs: 5, Instructions: 149libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0009936C: __swprintf.LIBCMT ref: 000993AB
Part of subcall function 0009936C: __itow.LIBCMT ref: 000993DF

LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 000F06EE
GetProcAddress.KERNEL32(00000000,?), ref: 000F077D
GetProcAddress.KERNEL32(00000000,00000000), ref: 000F079B
GetProcAddress.KERNEL32(00000000,?), ref: 000F07E1
FreeLibrary.KERNEL32(00000000,00000004), ref: 000F07FB

Part of subcall function 000AE65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,000DA574,?,?,00000000,00000008), ref: 000AE675
Part of subcall function 000AE65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,000DA574,?,?,00000000,00000008), ref: 000AE699

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: ee729af27abcbf1117779c2970d09b136c7ad5f07ecfceb6c231a87af7d030ac
Instruction ID: 8ca96aea1f4918e65bc2402f51834259a0867b7949006bf6d2ec9892152a0aa6
Opcode Fuzzy Hash: ee729af27abcbf1117779c2970d09b136c7ad5f07ecfceb6c231a87af7d030ac
Instruction Fuzzy Hash: EE512875A00209EFCF14EFA8C491DEDB7B5BF59310B048096EA55AB352DB30ED46EB90

Function 000F2E29 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000F3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000F2BB5,?,?), ref: 000F3C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000F2EEF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 000F2F2E
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 000F2F75
RegCloseKey.ADVAPI32(?,?), ref: 000F2FA1
RegCloseKey.ADVAPI32(00000000), ref: 000F2FAE

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 3740051246-0
Opcode ID: 881c309d4cd1aba231213c15843b7f840f34731043021ed11cd28a7d965bd994
Instruction ID: 85ee9f06fb6ba7a6846da1291a5d72c25b61cc9727b568a1360176961d9f78ad
Opcode Fuzzy Hash: 881c309d4cd1aba231213c15843b7f840f34731043021ed11cd28a7d965bd994
Instruction Fuzzy Hash: 84513D71618204AFDB14EF54C891EAEB7F9FF88314F04882DF65597292DB30E905DB52

Function 000FCCF7 Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c321190fd3d0c8081b3274288695d41566eab65d62cdb219a566a4625151c351
Instruction ID: 05ecb6fea6bf493e1dc8a4671153b6ae3dbbbb617b18b5d2b965376f1a7a1632
Opcode Fuzzy Hash: c321190fd3d0c8081b3274288695d41566eab65d62cdb219a566a4625151c351
Instruction Fuzzy Hash: 7D41D43990021CABE764DB28CE46FFD7BA8EB09310F154165EA19A7AD1C770AD40E650

Function 000E1206 Relevance: 7.6, APIs: 5, Instructions: 127COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 000E12B4
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 000E12DD
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 000E131C

Part of subcall function 0009936C: __swprintf.LIBCMT ref: 000993AB
Part of subcall function 0009936C: __itow.LIBCMT ref: 000993DF

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 000E1341
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 000E1349

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 7e19e326e13a6f4c9c8203144dcb2aa7db942b6862023c51e931f3067a21ac52
Instruction ID: 30c2b19ec280e34d8ba33fef0094c392263e49ca8d24f58ab1b9ab5e65861f9c
Opcode Fuzzy Hash: 7e19e326e13a6f4c9c8203144dcb2aa7db942b6862023c51e931f3067a21ac52
Instruction Fuzzy Hash: AA41F935A00105EFDF05EF64C9819AEBBF5FF09310B148099E90AAB362DB31EE41DB50

Function 000AB63C Relevance: 7.6, APIs: 5, Instructions: 110keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(000000FF), ref: 000AB64F
ScreenToClient.USER32(00000000,000000FF), ref: 000AB66C
GetAsyncKeyState.USER32(00000001), ref: 000AB691
GetAsyncKeyState.USER32(00000002), ref: 000AB69F

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: f98de57bdaa7b76c26abe2fb98eeb8bcde6da77a8d62595b05ce13e13e60293a
Instruction ID: dc0b288ddfeb667c8ca9e86cc3278a0ff9f948ee35384ed54936382585ed36c4
Opcode Fuzzy Hash: f98de57bdaa7b76c26abe2fb98eeb8bcde6da77a8d62595b05ce13e13e60293a
Instruction Fuzzy Hash: E5418F3560411AFBCF199FA4C844AEDBBB4FB06324F108319F869962D1CB74AD94EF91

Function 000CB358 Relevance: 7.6, APIs: 5, Instructions: 88sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 000CB369
PostMessageW.USER32(?,00000201,00000001), ref: 000CB413
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 000CB41B
PostMessageW.USER32(?,00000202,00000000), ref: 000CB429
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 000CB431

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 9539e1527c39bcc9b28c9604f4768d0dcccd9d7b6bb1c2b3259dbbddf3d13ba8
Instruction ID: 1b8b32d08f03d9e9db3ec5eec4d3af2e9eee23f9ad359d118b72e31629479190
Opcode Fuzzy Hash: 9539e1527c39bcc9b28c9604f4768d0dcccd9d7b6bb1c2b3259dbbddf3d13ba8
Instruction Fuzzy Hash: 4F31A071900659EBDF14CFA8D94EBDE7BB5EB04315F118229F921A71D1C3B09A54CB90

Function 000CDBBF Relevance: 7.6, APIs: 5, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 000CDBD7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 000CDBF4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 000CDC2C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 000CDC52
_wcsstr.LIBCMT ref: 000CDC5C

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 12afca446466b5e60278c5f67afb3f1b7822ac1727769908ba142317aaffee3c
Instruction ID: 1d151d66676019be31739d821a99d7ab732555c956b4e980f2b59a7381ca5826
Opcode Fuzzy Hash: 12afca446466b5e60278c5f67afb3f1b7822ac1727769908ba142317aaffee3c
Instruction Fuzzy Hash: D821D771204205BBEB255B79ED89FBF7BA8DF45750F10803EF909CA191EAA1DC41D660

Function 000FDE69 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 000AB34E: GetWindowLongW.USER32(?,000000EB), ref: 000AB35F

GetWindowLongW.USER32(?,000000F0), ref: 000FDEB0
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 000FDED4
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 000FDEEC
GetSystemMetrics.USER32(00000004), ref: 000FDF14
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,00000000,?,000E3A1E,00000000), ref: 000FDF32

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 0674f16bbf48473d299596ac8aba5d3273fc9dbf548d89aea094614b661188f6
Instruction ID: 1283bf8d3d0a8856dd5c4ca5b7271ac30391565c090eaf1a4233c713f30360f7
Opcode Fuzzy Hash: 0674f16bbf48473d299596ac8aba5d3273fc9dbf548d89aea094614b661188f6
Instruction Fuzzy Hash: 1B21C17161021AAFCB605F789D48BBA37E6FB15325F150336FA26CADE0D7709850EB80

Function 000CBC77 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 000CBC90
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 000CBCC2
__itow.LIBCMT ref: 000CBCDA
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 000CBD00
__itow.LIBCMT ref: 000CBD11

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: a1970ae97703b80c78c96a644e3e8773055cec2579bfb19f89f9e4e38248d06f
Instruction ID: c932a10873ddbf96778b3e8e40ca66b371e08fcd828663f2b4944e7b1630527e
Opcode Fuzzy Hash: a1970ae97703b80c78c96a644e3e8773055cec2579bfb19f89f9e4e38248d06f
Instruction Fuzzy Hash: 5421DB35700618BBDB21AF659C87FDF7BADAF59710F104028F906EB182EB708D4587A1

Function 000D6318 Relevance: 7.6, APIs: 5, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 000950E6: _wcsncpy.LIBCMT ref: 000950FA

GetFileAttributesW.KERNEL32(?,?,?,?,000D60C3), ref: 000D6369
GetLastError.KERNEL32(?,?,?,000D60C3), ref: 000D6374
CreateDirectoryW.KERNEL32(?,00000000,?,?,?,000D60C3), ref: 000D6388
_wcsrchr.LIBCMT ref: 000D63AA

Part of subcall function 000D6318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,000D60C3), ref: 000D63E0

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
String ID:
API String ID: 3633006590-0
Opcode ID: 108d9c1b30a105b4a5afc133ad1a8025d1a79a1e6139d62c344bee7c2cd2b2fe
Instruction ID: db478d1684a6dc396599e6e2a9731fd5c9b66a909985200fd9b9aca9202d4a5c
Opcode Fuzzy Hash: 108d9c1b30a105b4a5afc133ad1a8025d1a79a1e6139d62c344bee7c2cd2b2fe
Instruction Fuzzy Hash: B121D8319043155BDB25EBB8AC42FEE23ACAF06360F104467F055D32C2EBA2DA848A75

Function 000E8B95 Relevance: 7.6, APIs: 5, Instructions: 71networkCOMMON

Download Yara Rule

APIs

Part of subcall function 000EA82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 000EA84E

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 000E8BD3
WSAGetLastError.WSOCK32(00000000), ref: 000E8BE2
connect.WSOCK32(00000000,?,00000010), ref: 000E8BFE

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: ErrorLastconnectinet_addrsocket
String ID:
API String ID: 3701255441-0
Opcode ID: 396c53c28cac5fb763901574a3e281907465d08e5bd6d3b3c4e53c39fbfc24c5
Instruction ID: 77069167ea57d323ef5c92459a8521a2e6de174bb1722acb029256e5d0d83aa4
Opcode Fuzzy Hash: 396c53c28cac5fb763901574a3e281907465d08e5bd6d3b3c4e53c39fbfc24c5
Instruction Fuzzy Hash: 8A21AC31200214AFDB14AF68DD85FBE77A9AF49724F048459F916AB3D2CB70A8418B61

Function 000E8420 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 000E8441
GetForegroundWindow.USER32 ref: 000E8458
GetDC.USER32(00000000), ref: 000E8494
GetPixel.GDI32(00000000,?,00000003), ref: 000E84A0
ReleaseDC.USER32(00000000,00000003), ref: 000E84DB

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 0d16fb13b436a059af28422f3ff45f573a02da55d6838158bd33351033091173
Instruction ID: 8cca411a3ff196388800702305be80d135fc72d162c8b536137dd6ea7ee98503
Opcode Fuzzy Hash: 0d16fb13b436a059af28422f3ff45f573a02da55d6838158bd33351033091173
Instruction Fuzzy Hash: 39216275A00204AFD704DFA5D945AAEB7E5EF48341F04C479E859A7652DE70AC40DB60

Function 000AAF83 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 000AAFE3
SelectObject.GDI32(?,00000000), ref: 000AAFF2
BeginPath.GDI32(?), ref: 000AB009
SelectObject.GDI32(?,00000000), ref: 000AB033

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: ee5ca4f1c315b2c7e0a8e34cb1e75f94f01b4e2f89bd30348d2264648d2d5a2a
Instruction ID: efd681ff0347714e6fcc4191d25fd84f875add054cf101389035058225a588d6
Opcode Fuzzy Hash: ee5ca4f1c315b2c7e0a8e34cb1e75f94f01b4e2f89bd30348d2264648d2d5a2a
Instruction Fuzzy Hash: 9D217170900305FFDB26DF95EC44B9A7BA8B712356F14432AF4259A5A1D3B048D1CF51

Function 000B217F Relevance: 7.6, APIs: 5, Instructions: 61threadCOMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 000B21A9
CreateThread.KERNEL32(?,?,000B22DF,00000000,?,?), ref: 000B21ED
GetLastError.KERNEL32 ref: 000B21F7
_free.LIBCMT ref: 000B2200
__dosmaperr.LIBCMT ref: 000B220B

Part of subcall function 000B7C0E: __getptd_noexit.LIBCMT ref: 000B7C0E

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
String ID:
API String ID: 2664167353-0
Opcode ID: b154539164eb3bddb11617a08dfc0fc0379cb34fdd06a6db98b08eb958d3028a
Instruction ID: 62ea5e4fb09c5c612f3de92fd087f466dcf9d0798d8b60463fa41d19597f8d65
Opcode Fuzzy Hash: b154539164eb3bddb11617a08dfc0fc0379cb34fdd06a6db98b08eb958d3028a
Instruction Fuzzy Hash: 4011DB33104306AFDB11AF69DD41DDB7BD8EF457707100429F928D6152DB71D85197A1

Function 000CABBB Relevance: 7.5, APIs: 5, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 000CABD7
GetLastError.KERNEL32(?,000CA69F,?,?,?), ref: 000CABE1
GetProcessHeap.KERNEL32(00000008,?,?,000CA69F,?,?,?), ref: 000CABF0
RtlAllocateHeap.KERNEL32(00000000,?,000CA69F,?,?,?), ref: 000CABF7
GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 000CAC0E

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
String ID:
API String ID: 883493501-0
Opcode ID: 3bc005639e4d41a28849969b0cfb2a831a5f0be4ee0eb0dd2d39f3231518c8b8
Instruction ID: 288ec4fe4aa410ea6d4b9840d96c7b920f77ea1f71a01e2affbbb9f224a9d711
Opcode Fuzzy Hash: 3bc005639e4d41a28849969b0cfb2a831a5f0be4ee0eb0dd2d39f3231518c8b8
Instruction Fuzzy Hash: C0011DB1310208BFDB144FA5ED88EAF3BADEF8A7597104429F945C3260D6719C80CB61

Function 000D7A58 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 000D7A74
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 000D7A82
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 000D7A8A
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 000D7A94
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 000D7AD0

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: c40023bade8b20de62c78df865a253ea90c4c33d10fdf4b22fda807f2e9169ad
Instruction ID: 211453d5474b733b46b2259d7a69d32caf1b932beccd39113f476b8db7abc46c
Opcode Fuzzy Hash: c40023bade8b20de62c78df865a253ea90c4c33d10fdf4b22fda807f2e9169ad
Instruction Fuzzy Hash: 5B014C35C04729EBCF14AFE8ED48ADDBBB8FF48711F014456E506B2650EB34969087B2

Function 000C9ABF Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32 ref: 000C9ADC
ProgIDFromCLSID.OLE32(?,00000000), ref: 000C9AF7
lstrcmpiW.KERNEL32(?,00000000), ref: 000C9B05
CoTaskMemFree.OLE32(00000000,?,00000000), ref: 000C9B15
CLSIDFromString.OLE32(?,?), ref: 000C9B21

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 83a9d9ffda3bbda802716f50e47fcad9e8bc9c49a75b2d60baa16462252fd482
Instruction ID: a000a818ac88021f6dac46c2df3cd8a55c18748a4c0080fb33b321fd6c9657da
Opcode Fuzzy Hash: 83a9d9ffda3bbda802716f50e47fcad9e8bc9c49a75b2d60baa16462252fd482
Instruction Fuzzy Hash: AB018BB6600218BFDB144F68EE48FAEBBFDEB44752F148028F905D2210D771DD809BA0

Function 000CAA62 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 000CAA79
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 000CAA83
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 000CAA92
RtlAllocateHeap.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 000CAA99
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 000CAAAF

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocateErrorLastProcess
String ID:
API String ID: 47921759-0
Opcode ID: ebe198b54f24dc76a4e6adea057cf2f0650e4c8bd7aca3ab6c91efcadd4e2028
Instruction ID: f304f8493be7b65083fa304cb9440f972588f8f7cf51c37c2e2b0d5140e21f42
Opcode Fuzzy Hash: ebe198b54f24dc76a4e6adea057cf2f0650e4c8bd7aca3ab6c91efcadd4e2028
Instruction Fuzzy Hash: A5F03C752402187FEB155FA4BD89FAB3BACFB4A758B00441DF941C6190DB609C81CA72

Function 000CAAC3 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 000CAADA
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 000CAAE4
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 000CAAF3
RtlAllocateHeap.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 000CAAFA
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 000CAB10

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocateErrorLastProcess
String ID:
API String ID: 47921759-0
Opcode ID: 797bb5d65ab8b701aa8f1a1540858dd973733fca028fb849e190caa50da51777
Instruction ID: 34a4324930e8372de54b4c0998fd08c62d00f600153f64ea3a346fda1913b3d4
Opcode Fuzzy Hash: 797bb5d65ab8b701aa8f1a1540858dd973733fca028fb849e190caa50da51777
Instruction Fuzzy Hash: 3CF03C753402186FEB154FA4EC98FAB3BADFB4A758F004029FA41C7190CB609C418A61

Function 000CEC80 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 000CEC94
GetWindowTextW.USER32(00000000,?,00000100), ref: 000CECAB
MessageBeep.USER32(00000000), ref: 000CECC3
KillTimer.USER32(?,0000040A), ref: 000CECDF
EndDialog.USER32(?,00000001), ref: 000CECF9

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 3cb092eba4f1caeb681ae49a4f1fc5e41014cac3e1f10b7b146d55af24ff2aa7
Instruction ID: 9209b32d2a1419d0324bd66be2fd8ce2fd847a0bd92268ce37d1718094f01df9
Opcode Fuzzy Hash: 3cb092eba4f1caeb681ae49a4f1fc5e41014cac3e1f10b7b146d55af24ff2aa7
Instruction Fuzzy Hash: D601AD30500754ABEB285B50EE8EFDA7BB8BB00705F00455DA582A18E0DBF0AA85CB41

Function 000AB0AB Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 000AB0BA
StrokeAndFillPath.GDI32(?,?,0010E680,00000000,?,?,?), ref: 000AB0D6
SelectObject.GDI32(?,00000000), ref: 000AB0E9
DeleteObject.GDI32 ref: 000AB0FC
StrokePath.GDI32(?), ref: 000AB117

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 81c3c272a3908ca143e794cdcd7d7f99ab00e1457af93ce8ab52ba4528b08e2f
Instruction ID: d0e672b49ddf2406bde782a209d05c47acf7691f428a6be93f885d4879781447
Opcode Fuzzy Hash: 81c3c272a3908ca143e794cdcd7d7f99ab00e1457af93ce8ab52ba4528b08e2f
Instruction Fuzzy Hash: CEF0F630100704EFCB269FA9FD087993BA4A701362F488318F429488F1C77489D5CF10

Function 000DF23D Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 277comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 000DF2DA
CoCreateInstance.OLE32(0011DA7C,00000000,00000001,0011D8EC,?), ref: 000DF2F2
CoUninitialize.OLE32 ref: 000DF555

Strings

.lnk, xrefs: 000DF28B, 000DF290, 000DF29E

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID: .lnk
API String ID: 948891078-24824748
Opcode ID: c9b154823d9000342fb2efd1f379c161da18ea78c789b38eff11bd1de9659ca4
Instruction ID: b8af475cb105015dc44946db494713065689b3ee9b07226fdce4f5486edc0d67
Opcode Fuzzy Hash: c9b154823d9000342fb2efd1f379c161da18ea78c789b38eff11bd1de9659ca4
Instruction Fuzzy Hash: D9A12C71504301AFD700EFA4C892DEBB7E8EF99714F00492DF55697292EB70EA49CB62

Function 000DE7DD Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 0009660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000953B1,?,?,000961FF,?,00000000,00000001,00000000), ref: 0009662F

CoInitialize.OLE32(00000000), ref: 000DE85D
CoCreateInstance.OLE32(0011DA7C,00000000,00000001,0011D8EC,?), ref: 000DE876
CoUninitialize.OLE32 ref: 000DE893

Part of subcall function 0009936C: __swprintf.LIBCMT ref: 000993AB
Part of subcall function 0009936C: __itow.LIBCMT ref: 000993DF

Strings

.lnk, xrefs: 000DE83B, 000DE84D

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 05941dfcfe03d392da74a7eb2a099189f0ed67ed88edcfad89295c2bf067d0ac
Instruction ID: 4b071e1df722ce1f7b81d02f2c5a3e8c0b2a038f23a8e304905bcec42fc7c85c
Opcode Fuzzy Hash: 05941dfcfe03d392da74a7eb2a099189f0ed67ed88edcfad89295c2bf067d0ac
Instruction Fuzzy Hash: AAA15735604341AFCB14EF24C894D9EBBE5BF88310F048959F9969B3A2CB32ED45CB91

Function 000B325D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 000B32ED

Part of subcall function 000BE0D0: __87except.LIBCMT ref: 000BE10B

Strings

pow, xrefs: 000B32C5, 000B32E2

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 820451699ae448ec3fbbf66078bb29f9d485b7105ed015723817a4ab47f91afb
Instruction ID: 13f527e55fae45ec5cb72d4def94edb10c7cdd33dc3f8b2edf436764281202e4
Opcode Fuzzy Hash: 820451699ae448ec3fbbf66078bb29f9d485b7105ed015723817a4ab47f91afb
Instruction Fuzzy Hash: 0B512771A08241A6DB65B718CD413FF2BD4DB41B10F308D68F4D6862AADF34CED89A46

Function 00091F21 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 162COMMON

Download Yara Rule

Strings

+, xrefs: 00091F5D
#, xrefs: 00091F64

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: f241f23d3ba930e37626e0eaae451b9f1034cd92e9ff25a2dbffe16d1d8e1eb2
Instruction ID: ed4e3478cf45253c26ad88aad542b442e3beb41bade566885bfb9ac92b85836b
Opcode Fuzzy Hash: f241f23d3ba930e37626e0eaae451b9f1034cd92e9ff25a2dbffe16d1d8e1eb2
Instruction Fuzzy Hash: F6512135604256EFDF25DF28C440AFA7BA8AFA5310F144055E8E1EB2E2D7B4DE82D760

Function 000D4606 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,0012DC50,?,0000000F,0000000C,00000016,0012DC50,?), ref: 000D4645

Part of subcall function 0009936C: __swprintf.LIBCMT ref: 000993AB
Part of subcall function 0009936C: __itow.LIBCMT ref: 000993DF

CharUpperBuffW.USER32(?,?,00000000,?), ref: 000D46C5

Strings

REMOVE, xrefs: 000D4676
THIS, xrefs: 000D4703

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: BuffCharUpper$__itow__swprintf
String ID: REMOVE$THIS
API String ID: 3797816924-776492005
Opcode ID: 7000ce70c4f39776b2a6d46c69321b334113f2097bbc6b21e2dc39c87e51d638
Instruction ID: ae89fc045c4b55abbdab52e69e40e1375d5f651843b4ab8df6ec5a3a1d71d40b
Opcode Fuzzy Hash: 7000ce70c4f39776b2a6d46c69321b334113f2097bbc6b21e2dc39c87e51d638
Instruction Fuzzy Hash: 5C415D74A042199FCF00EFA4C881AEEB7B5FF49314F14805AE916AB392DB35DD45DB60

Function 000CC189 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000D430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,000CBC08,?,?,00000034,00000800,?,00000034), ref: 000D4335

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 000CC1D3

Part of subcall function 000D42D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,000CBC37,?,?,00000800,?,00001073,00000000,?,?), ref: 000D4300

Part of subcall function 000D422F: GetWindowThreadProcessId.USER32(?,?), ref: 000D425A
Part of subcall function 000D422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,000CBBCC,00000034,?,?,00001004,00000000,00000000), ref: 000D426A
Part of subcall function 000D422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,000CBBCC,00000034,?,?,00001004,00000000,00000000), ref: 000D4280

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 000CC240
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 000CC28D

Strings

@, xrefs: 000CC2A5

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 2f125f2d0a1fb1fcd3065b0918ead8c9521878437d1c1037a213e35342ff6823
Instruction ID: 8bef4cf06c0e6c8e3ece156d4c32ad15ccf3c9787d8bd94cda007669ba4a603d
Opcode Fuzzy Hash: 2f125f2d0a1fb1fcd3065b0918ead8c9521878437d1c1037a213e35342ff6823
Instruction Fuzzy Hash: 45410976900218AFDB11DFA4CD81EEEB7B8AF09700F144099FA55B7281DA716E85CBA1

Function 000FA63F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0012DC00,00000000,?,?,?,?), ref: 000FA6D8
GetWindowLongW.USER32 ref: 000FA6F5
SetWindowLongW.USER32(?,000000F0,00000000), ref: 000FA705

Strings

SysTreeView32, xrefs: 000FA6AA

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: e7094869f2f270b7b032707aa1daf961d4934a26c55b54a20e0deb6277a98ac8
Instruction ID: 2f7e4469e3c87c897a39680860713bd3f2035c051aacd2a5732b339e12d72aaf
Opcode Fuzzy Hash: e7094869f2f270b7b032707aa1daf961d4934a26c55b54a20e0deb6277a98ac8
Instruction Fuzzy Hash: F931BE71204209AFDB219F38DC41BEA7BA9EB4A324F284715F979D36E1C770A850AB50

Function 000FA0D6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 000FA15E
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 000FA172
SendMessageW.USER32(?,00001002,00000000,?), ref: 000FA196

Strings

SysMonthCal32, xrefs: 000FA129

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: d99b1bb4654bb73888395393b24700f2b897e552547dba54e73fdb5bae5e0874
Instruction ID: e87aad6da55108a3e782ae109a7ea533ae914716bfb4b16a0297f1310551ff0e
Opcode Fuzzy Hash: d99b1bb4654bb73888395393b24700f2b897e552547dba54e73fdb5bae5e0874
Instruction Fuzzy Hash: E4219F72610218BBDF158F94CC42FEA3BB9FF49714F110214FA596B1D0D6B5AC91DBA0

Function 000FA88A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 000FA941
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 000FA94F
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 000FA956

Strings

msctls_updown32, xrefs: 000FA8BB

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 5001f70b773779b773cd58d395d2fb9d2563421c235350ce0e6ea0ddd011c66f
Instruction ID: 5ff65b0d5d44506c60bcef831ac03ec780b7833e44875be25f96673e5f20b625
Opcode Fuzzy Hash: 5001f70b773779b773cd58d395d2fb9d2563421c235350ce0e6ea0ddd011c66f
Instruction Fuzzy Hash: D2218EB5600209BFDB11DF18DC91DB737EDEB5A3A4B050059FA089B662CBB0EC52DB61

Function 000F99A5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 000F9A30
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 000F9A40
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 000F9A65

Strings

Listbox, xrefs: 000F99FD

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 7fd53fdb2fcee4f1b29dce4c18f5ca9116a839ec80821e5349e088b1372e8c4c
Instruction ID: 9f2f38d97e38cad9f25861ec86732b7de535a86bbddeebee2c8e87e8fe75dc53
Opcode Fuzzy Hash: 7fd53fdb2fcee4f1b29dce4c18f5ca9116a839ec80821e5349e088b1372e8c4c
Instruction Fuzzy Hash: 0C21B33261011CBFDB658F54DC85FBB3BAAEF89750F018129FA445B5A0C6B19C5197A0

Function 000FA409 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 000FA46D
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 000FA482
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 000FA48F

Strings

msctls_trackbar32, xrefs: 000FA444

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: db5c02a92ce28f12a48975e9d31378f9f5a440f47b93fce285da0b5c81738ed2
Instruction ID: 1e76bb8366142123823b43478f94afbf3699876148d3e8ed9217323f5ce1f051
Opcode Fuzzy Hash: db5c02a92ce28f12a48975e9d31378f9f5a440f47b93fce285da0b5c81738ed2
Instruction Fuzzy Hash: 9711E3B1240208BEEF255F64CC49FEB3BA9EFC9754F014118FB49A60A1D6B6E851DB20

Function 000B2287 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 000B22A1
GetProcAddress.KERNEL32(00000000), ref: 000B22A8

Strings

RoInitialize, xrefs: 000B2290
combase.dll, xrefs: 000B229C

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 2574300362-340411864
Opcode ID: b07892f6c655eb9961cacdba464501ea26362eb271db2f658f3f2f72dbb9a8cb
Instruction ID: dcf424b9fe4f8464f157c5fdfea3939d8c3205093ecffed9d00ab652caf71c1d
Opcode Fuzzy Hash: b07892f6c655eb9961cacdba464501ea26362eb271db2f658f3f2f72dbb9a8cb
Instruction Fuzzy Hash: F1E0E5746D4710AADB555BA0BD8AB9837A5AB05706F504020B102DA8A0DBB480C0CB06

Function 000B235C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,000B2276), ref: 000B2376
GetProcAddress.KERNEL32(00000000), ref: 000B237D

Strings

RoUninitialize, xrefs: 000B2365
combase.dll, xrefs: 000B2371

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 2574300362-2819208100
Opcode ID: 068c478dce16000085750527606c37f688962dd02c8ff81eb7125a75df3a5e67
Instruction ID: ab66247a8dc6b46656efa88324041eaae8ab80852d8027bfd28922bd1f76d558
Opcode Fuzzy Hash: 068c478dce16000085750527606c37f688962dd02c8ff81eb7125a75df3a5e67
Instruction Fuzzy Hash: 75E0ECB45C8700EFDB665FA0FD4DB843AA5BB09B03F124424F50AD68B0DBB895C0CB16

Function 0010AC59 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0010AC60
__swprintf.LIBCMT ref: 0010AC94

Strings

WIN_XPe, xrefs: 0010ACD3
%.3d, xrefs: 0010AC6E

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 59e2b1f69ace59bcf0d970ac6a154127ca50ca0e55958707e77684038251a0a0
Instruction ID: f3ead4815481f059b04a20fb9fc0a31e2220c664662dcac829e8307ab3adac07
Opcode Fuzzy Hash: 59e2b1f69ace59bcf0d970ac6a154127ca50ca0e55958707e77684038251a0a0
Instruction Fuzzy Hash: A4E0127180471CDBDB189790DF05DFA737CAF04741F920092F947A2490D7759B84AA13

Function 000F2205 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,000F21FB,?,000F23EF), ref: 000F2213
GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 000F2225

Strings

GetProcessId, xrefs: 000F221F
kernel32.dll, xrefs: 000F220E

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetProcessId$kernel32.dll
API String ID: 2574300362-399901964
Opcode ID: c60ac4159abece770ea645004e8dc5ea9b6a9b43f912a70f636cf0c132919011
Instruction ID: 7357a6f6ddba5359a2eb474f4df2755e4ffbbbff3dc64dce02f7ddce4dd74402
Opcode Fuzzy Hash: c60ac4159abece770ea645004e8dc5ea9b6a9b43f912a70f636cf0c132919011
Instruction Fuzzy Hash: 31D0A734800716FFD7654F30F90965176D4EB05300B00841DE841E29A0E770D8C09660

Function 000942F6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,000942EC,?,000942AA,?), ref: 00094304
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00094316

Strings

Wow64RevertWow64FsRedirection, xrefs: 00094310
kernel32.dll, xrefs: 000942FF

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 91fbeb2f1b820d3fa189a39c8485d92d97bc0f395026314cb0cc47bfef7ca308
Instruction ID: 3531c5dc50c54bd747b69cd05be20df1de3b1c8540ac250d768ac00d51e1bf7f
Opcode Fuzzy Hash: 91fbeb2f1b820d3fa189a39c8485d92d97bc0f395026314cb0cc47bfef7ca308
Instruction Fuzzy Hash: 73D0A730404712AFCB244F30F80CA4176D4AB08301B00C419E451D2570E7B0D8C08610

Function 0009434B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,000941BB,00094341,?,0009422F,?,000941BB,?,?,?,?,000939FE,?,00000001), ref: 00094359
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0009436B

Strings

kernel32.dll, xrefs: 00094354
Wow64DisableWow64FsRedirection, xrefs: 00094365

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: a27368224d74148750b67874bd29ff36f530404a0c104837b6a9c70b397b42d1
Instruction ID: 4423cd6eec3c3fb473c29b18995898ae5f3d987445a684c5600ebdfa8103c012
Opcode Fuzzy Hash: a27368224d74148750b67874bd29ff36f530404a0c104837b6a9c70b397b42d1
Instruction Fuzzy Hash: ABD0A770404712AFCB344F30F808A4576D4AB20715B00C429E491D2560E7B0D8C08610

Function 000D0539 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,?,000D051D,?,000D05FE), ref: 000D0547
GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 000D0559

Strings

RegisterTypeLibForUser, xrefs: 000D0553
oleaut32.dll, xrefs: 000D0542

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1071820185
Opcode ID: b6766fb7b2459310a8fd9ba3d37eeb283103ad4ff44f1ad45526f46f25ada1ae
Instruction ID: b89c1657ef4eb4878e3abe97fdb61d4cb23e790a58f87c81f39f869dee35c1ca
Opcode Fuzzy Hash: b6766fb7b2459310a8fd9ba3d37eeb283103ad4ff44f1ad45526f46f25ada1ae
Instruction Fuzzy Hash: FCD0C770544B22AFD7649F65F80974276E4AB14711FD0C41EFC5AD2664E770CCC48E60

Function 000D0564 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,00000000,000D052F,?,000D06D7), ref: 000D0572
GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 000D0584

Strings

UnRegisterTypeLibForUser, xrefs: 000D057E
oleaut32.dll, xrefs: 000D056D

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: UnRegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1587604923
Opcode ID: 8f2067e3fb67723573ad04959dc6c0084a696cd77c071fddbe1f3ff5eb4c5bbb
Instruction ID: 4df957738dc24850c9f77487e5a88930b041cd6c3c2f12a50f44170d03f0583f
Opcode Fuzzy Hash: 8f2067e3fb67723573ad04959dc6c0084a696cd77c071fddbe1f3ff5eb4c5bbb
Instruction Fuzzy Hash: F2D09E70904722AAD7645F65B809B427BE4AB04711F90C51AEC55D2664E770D8C48A60

Function 000EECC8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,000EECBE,?,000EEBBB), ref: 000EECD6
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 000EECE8

Strings

GetSystemWow64DirectoryW, xrefs: 000EECE2
kernel32.dll, xrefs: 000EECD1

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 01f69334d61a1a8df0a892e91ca77e5254f857fc085270653d951d2d8739bd53
Instruction ID: 5747b354542517360b25d69904646578d7e577962b8c2ac7f418b5731ff6ccaf
Opcode Fuzzy Hash: 01f69334d61a1a8df0a892e91ca77e5254f857fc085270653d951d2d8739bd53
Instruction Fuzzy Hash: 50D0A770500763AFCB245F71F94874276E4AB00300B10C419F849E2560EB70C8C0C610

Function 000EBADD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,000EBAD3,00000001,000EB6EE,?,0012DC00), ref: 000EBAEB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 000EBAFD

Strings

kernel32.dll, xrefs: 000EBAE6
GetModuleHandleExW, xrefs: 000EBAF7

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: cd408c8183666f5e53c1db517a6881b89244154cfc833a37268cc49e3cf5632c
Instruction ID: 168e841987313b91ad2c38052526739957142db0ccd0d6118d2229bb3e6852c5
Opcode Fuzzy Hash: cd408c8183666f5e53c1db517a6881b89244154cfc833a37268cc49e3cf5632c
Instruction Fuzzy Hash: D5D0C770900752EFD7746FA5F849B9376D8AB05751B108419F857E2564E7B0D8C0C650

Function 000F3BDB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,000F3BD1,?,000F3E06), ref: 000F3BE9
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 000F3BFB

Strings

RegDeleteKeyExW, xrefs: 000F3BF5
advapi32.dll, xrefs: 000F3BE4

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: dec61021bbb8a8b2838bc05aefb38c229aa0b1905df54febbc05b1a80ae9b1b4
Instruction ID: fd7a5b58e0b6ffd21f91f79e393a9ada9775b1d6ec6403842510bacdc88a733e
Opcode Fuzzy Hash: dec61021bbb8a8b2838bc05aefb38c229aa0b1905df54febbc05b1a80ae9b1b4
Instruction Fuzzy Hash: B2D0A7F0400716EFC7285F61F908793BAF4AB01324B118419E445E2960E7B0C4C08F50

Function 000ADF89 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,000ADF7F,?,000ADEA0,0012DC38,?,?), ref: 000ADF97
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 000ADFA9

Strings

kernel32.dll, xrefs: 000ADF92
IsWow64Process, xrefs: 000ADFA3

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: IsWow64Process$kernel32.dll
API String ID: 2574300362-3024904723
Opcode ID: fcac82b7ffe94bfc5cac0ef05482cc89e0be9d33d37c4a5bb694dc1d57f2e8cf
Instruction ID: 72d2a39976e45b9d9a203c9c0a7d3c72388acb7ce768e310d4666f42fa7c000c
Opcode Fuzzy Hash: fcac82b7ffe94bfc5cac0ef05482cc89e0be9d33d37c4a5bb694dc1d57f2e8cf
Instruction Fuzzy Hash: E0D0C770504712AFD7785F65F809693B6D4BB05715B50C43FF857E2A60E770CCC08660

Function 000C9B30 Relevance: 6.3, APIs: 4, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3745666218f4862ac2ce11f9f81a67c0acce5ed102a9108c32d7e3dacef9c39f
Instruction ID: 130b99b70eb0859b9b2e939d85c56eeadbf18640b21b8f4c4ddb07111b2a846c
Opcode Fuzzy Hash: 3745666218f4862ac2ce11f9f81a67c0acce5ed102a9108c32d7e3dacef9c39f
Instruction Fuzzy Hash: 8EC11975A0021AEBDB14DF94C988FAEB7B5FF48710F10859CE906AB291D731EE41DB90

Function 000EAA84 Relevance: 6.3, APIs: 4, Instructions: 268COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 000EAAB4
CoUninitialize.OLE32 ref: 000EAABF

Part of subcall function 000D0213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 000D027B

VariantInit.OLEAUT32(?), ref: 000EAACA
VariantClear.OLEAUT32(?), ref: 000EAD9D

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: b3fdb50c27272acb192a8d22141a4f3f4ce66280926e36eeda6181f02281cb88
Instruction ID: 836f12bd7f4e109c8d153ed20e1c83b2e025bb3876cec5a0cff1e4d487a4f612
Opcode Fuzzy Hash: b3fdb50c27272acb192a8d22141a4f3f4ce66280926e36eeda6181f02281cb88
Instruction Fuzzy Hash: 76A11735204741AFCB10EF65C881B9AB7E5BF89710F148459F996AB3A2CB31FD44CB86

Function 000C91CC Relevance: 6.2, APIs: 4, Instructions: 201memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 000C91DD
SysAllocString.OLEAUT32(?), ref: 000C9286
VariantCopy.OLEAUT32 ref: 000C92B5
VariantClear.OLEAUT32(?), ref: 000C92DC

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 8f82e3a4e4aa9eea6db19ecf5533e56b24bba3f8b024c59b6bded7f9d2e6aedd
Instruction ID: 52d67303b0a730e1ec1f0963e6d52a0c54e217bfc459b5888ecc8c6e1f9dbd67
Opcode Fuzzy Hash: 8f82e3a4e4aa9eea6db19ecf5533e56b24bba3f8b024c59b6bded7f9d2e6aedd
Instruction Fuzzy Hash: FB519030B04346DBDB349FA9D499FAEB3E5AF49310F20881FE586CB6D2DB7499809705

Function 000B365B Relevance: 6.2, APIs: 4, Instructions: 162COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 000B36B7
_memcpy_s.LIBCMT ref: 000B3729
__filbuf.LIBCMT ref: 000B37AA
_memset.LIBCMT ref: 000B37EE

Part of subcall function 000B7C0E: __getptd_noexit.LIBCMT ref: 000B7C0E

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit_memcpy_s
String ID:
API String ID: 3877424927-0
Opcode ID: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
Instruction ID: 7f6e3acc2fd7f12780c45329ebd5b9c1700680a9a1872ddb276937c0314c5ca4
Opcode Fuzzy Hash: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
Instruction Fuzzy Hash: A251ACB0A04705ABDB388FA988856EE7BE5AF40320F348729F825962D1DB719F548B40

Function 000FC4D7 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 000FC544
ScreenToClient.USER32(?,00000002), ref: 000FC574
MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 000FC5DA

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 520e602f9b51c8bcd8109ef518a2448f0c696db0e96922232c308e274724a032
Instruction ID: 51e40da782a8616472a60c1d59e1e714944c61f8a6b4d210f1b398a6b686d61b
Opcode Fuzzy Hash: 520e602f9b51c8bcd8109ef518a2448f0c696db0e96922232c308e274724a032
Instruction Fuzzy Hash: 60516B7190060CEFDF14CF68C981EBE7BB6AB45720F108659FA259B690D770ED81DB90

Function 000CC410 Relevance: 6.1, APIs: 4, Instructions: 130windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 000CC462
__itow.LIBCMT ref: 000CC49C

Part of subcall function 000CC6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 000CC753

SendMessageW.USER32(?,0000110A,00000001,?), ref: 000CC505
__itow.LIBCMT ref: 000CC55A

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 8f9a0eaefb9c467525be88840c22e675adddd292df415b94311166fc075531aa
Instruction ID: 0ea845aff45519e9cb99c6247f9705aaacc2323b33c609a1b8d4e1099dc7d241
Opcode Fuzzy Hash: 8f9a0eaefb9c467525be88840c22e675adddd292df415b94311166fc075531aa
Instruction Fuzzy Hash: A741B971A00608AFEF25DF54CC51FEE7BB9AF49700F00405DFA09A7292DB709A85DBA1

Function 000D390C Relevance: 6.1, APIs: 4, Instructions: 112keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 000D3966
SetKeyboardState.USER32(00000080,?,00000001), ref: 000D3982
PostMessageW.USER32(00000000,00000102,?,00000001), ref: 000D39EF
SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 000D3A4D

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 5d430374f60c8f00c1a2c2558ef3835e218cc0976e81e926b9f8b4f2463e2240
Instruction ID: 358e90cf90f9c517cd4b47a315968f476bfd9d88797a629fbeeab56f94cd6d7d
Opcode Fuzzy Hash: 5d430374f60c8f00c1a2c2558ef3835e218cc0976e81e926b9f8b4f2463e2240
Instruction Fuzzy Hash: 7141E270A04348AAEF708B689815BFDFBF9AB55310F04415BF4C1A63C1C7B48A85D776

Function 000FB544 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 000FB5D1

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 31c5e65323d8ead173b8e8ae1e112b00782f9faea1835e307c5067a4b0f4dd5d
Instruction ID: 5eaca98bdf3d73e1ea6f68af03934d04eb1a22f329f9456733bd75c98b0c61f4
Opcode Fuzzy Hash: 31c5e65323d8ead173b8e8ae1e112b00782f9faea1835e307c5067a4b0f4dd5d
Instruction Fuzzy Hash: 7F31BE7460060CBBEF348B18CC85FFC37A5AB05B10F648501FB11D69E1CB38A980AE51

Function 000FD7DE Relevance: 6.1, APIs: 4, Instructions: 105windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 000FD807
GetWindowRect.USER32(?,?), ref: 000FD87D
PtInRect.USER32(?,?,000FED5A), ref: 000FD88D
MessageBeep.USER32(00000000), ref: 000FD8FE

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 7bce75dfdbc0382834f343cdf5faed8aa0fde5858d0558a4f1b0592629623725
Instruction ID: c4ac3d5fc8c4214e80a088a80d060523f4738878377870db49a9cbe9333ba4b6
Opcode Fuzzy Hash: 7bce75dfdbc0382834f343cdf5faed8aa0fde5858d0558a4f1b0592629623725
Instruction Fuzzy Hash: 9B419170A0021CEFCB12DF58D884BB97BF6FB45351F1881A6E6148BA51DB70E942DB50

Function 000D3A61 Relevance: 6.1, APIs: 4, Instructions: 104keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7707C0D0,?,00008000), ref: 000D3AB8
SetKeyboardState.USER32(00000080,?,00008000), ref: 000D3AD4
PostMessageW.USER32(00000000,00000101,00000000,?), ref: 000D3B34
SendInput.USER32(00000001,?,0000001C,7707C0D0,?,00008000), ref: 000D3B92

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 49ffc76b0cd584b30aced9f219b22925c453dedb7676d900bf3cff0d0e46656e
Instruction ID: 8caf0d051c5e224bd12d7d8d90b132f1dfdc2d956222882fdddf6797854f4bb7
Opcode Fuzzy Hash: 49ffc76b0cd584b30aced9f219b22925c453dedb7676d900bf3cff0d0e46656e
Instruction Fuzzy Hash: 8D310230A00758AEEF749B648819BFE7BFA9B55320F04015BE681933D2C7748B85CB76

Function 000C4004 Relevance: 6.1, APIs: 4, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000C4038
__isleadbyte_l.LIBCMT ref: 000C4066
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 000C4094
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 000C40CA

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 4af6a9a211ff44b8a87c791c739fac07c8703c546ca768bb00224ad385d3d958
Instruction ID: a6d9ceeb3f33e4109f87547ff984919f92588f9a138ab2ae1c160ba0da201745
Opcode Fuzzy Hash: 4af6a9a211ff44b8a87c791c739fac07c8703c546ca768bb00224ad385d3d958
Instruction Fuzzy Hash: F731AB31640206EFDB219F64C858FAE7BE5BF40310F25842CEA658B1A1E731D890DB90

Function 000F7CA5 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 000F7CB9

Part of subcall function 000D5F55: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 000D5F6F
Part of subcall function 000D5F55: GetCurrentThreadId.KERNEL32 ref: 000D5F76
Part of subcall function 000D5F55: AttachThreadInput.USER32(00000000,?,000D781F), ref: 000D5F7D

GetCaretPos.USER32(?), ref: 000F7CCA
ClientToScreen.USER32(00000000,?), ref: 000F7D03
GetForegroundWindow.USER32 ref: 000F7D09

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 04f24abc6788b73a2f3a30f164a312bbc2c64fb54deacc4bdcc96c1ea70c9f8c
Instruction ID: 9d942f25fbe0ad88ecbfbc576b8fbfc06e869696d012c65852f02f4cdbedec7e
Opcode Fuzzy Hash: 04f24abc6788b73a2f3a30f164a312bbc2c64fb54deacc4bdcc96c1ea70c9f8c
Instruction Fuzzy Hash: 71312F72900108AFDB10EFA9DC459EFBBF9EF55314B10846AE815E7212EA319E45CBA0

Function 000E431C Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 000E4358

Part of subcall function 000E43E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 000E4401
Part of subcall function 000E43E2: InternetCloseHandle.WININET(00000000), ref: 000E449E

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 3c3b39ab85e3c6f58f17dd9c91ea905f9c8936f7d7c28ddc0ca75af957fcf8fa
Instruction ID: 9f1ff1023bd34361365721d10a99ae5751b74b93cdc0b042e16e10fa9dea7ce9
Opcode Fuzzy Hash: 3c3b39ab85e3c6f58f17dd9c91ea905f9c8936f7d7c28ddc0ca75af957fcf8fa
Instruction Fuzzy Hash: B221F331600741BFEB259F72DC01FBBB7E9FF84714F10401AFA15A6A90DB7199209BA0

Function 000F8A37 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 000F8AA6
SetWindowLongW.USER32(?,000000EC,00000000), ref: 000F8AC0
SetWindowLongW.USER32(?,000000EC,00000000), ref: 000F8ACE
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 000F8ADC

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: a686c13429698b5246fa8aeb4df6bdcb581b99759c425fb3f5688257a0a1c4c5
Instruction ID: 14d1b798c19b5351002d144d6bef4ddc015a496d92c320c616ad67af480d2db2
Opcode Fuzzy Hash: a686c13429698b5246fa8aeb4df6bdcb581b99759c425fb3f5688257a0a1c4c5
Instruction Fuzzy Hash: CE118E31345115AFEB18AB18DC09FFE7799EF85320F14815AF916C7AE2CB70AC409B96

Function 000E8A7F Relevance: 6.1, APIs: 4, Instructions: 69networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 000E8AE0
__WSAFDIsSet.WSOCK32(00000000,00000001), ref: 000E8AF2
accept.WSOCK32(00000000,00000000,00000000), ref: 000E8AFF
WSAGetLastError.WSOCK32(00000000), ref: 000E8B16

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: ErrorLastacceptselect
String ID:
API String ID: 385091864-0
Opcode ID: d29d27fc54eb8e7af0568812ef1f5d0bfbbb9f1be19e10e5c5823e6559774839
Instruction ID: b5d7f11ac65a2af4e6a31c1f4519e821f14047bbd4acd5bf95e1eaeb6c962456
Opcode Fuzzy Hash: d29d27fc54eb8e7af0568812ef1f5d0bfbbb9f1be19e10e5c5823e6559774839
Instruction Fuzzy Hash: 0021C672A001249FC7159F69D884ADE7BECEF4A310F00816AF849E7291DB7499808F90

Function 000D0AA6 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 000D1E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,000D0ABB,?,?,?,000D187A,00000000,000000EF,00000119,?,?), ref: 000D1E77
Part of subcall function 000D1E68: lstrcpyW.KERNEL32(00000000,?,?,000D0ABB,?,?,?,000D187A,00000000,000000EF,00000119,?,?,00000000), ref: 000D1E9D
Part of subcall function 000D1E68: lstrcmpiW.KERNEL32(00000000,?,000D0ABB,?,?,?,000D187A,00000000,000000EF,00000119,?,?), ref: 000D1ECE

lstrlenW.KERNEL32(?,00000002,?,?,?,?,000D187A,00000000,000000EF,00000119,?,?,00000000), ref: 000D0AD4
lstrcpyW.KERNEL32(00000000,?,?,000D187A,00000000,000000EF,00000119,?,?,00000000), ref: 000D0AFA
lstrcmpiW.KERNEL32(00000002,cdecl,?,000D187A,00000000,000000EF,00000119,?,?,00000000), ref: 000D0B2E

Strings

cdecl, xrefs: 000D0B25

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: d2456af5298b329ae53d7cfe7292788e7e1ea25abd9abb290c5ba6d090a89933
Instruction ID: 56c3b3898409b7f5a7d601c690ac0cc1abff4bed2776831f45077ad57b1909ea
Opcode Fuzzy Hash: d2456af5298b329ae53d7cfe7292788e7e1ea25abd9abb290c5ba6d090a89933
Instruction Fuzzy Hash: 2A118136204305AFDB25AF74DC45EBA77E8FF45364F80806BE80ACB251EB719851C7A1

Function 000C2F96 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 000C2FB5

Part of subcall function 000B395C: __FF_MSGBANNER.LIBCMT ref: 000B3973
Part of subcall function 000B395C: __NMSG_WRITE.LIBCMT ref: 000B397A
Part of subcall function 000B395C: RtlAllocateHeap.NTDLL(00DF0000,00000000,00000001,00000001,00000000,?,?,000AF507,?,0000000E), ref: 000B399F

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 996477c2b368b445264eafa907f7a8b09914350daa70815bf7adda2b1cfb994d
Instruction ID: ebfdb67c5a3aeee85b1fceefb7f3a8cb049c37b0f61cca3bd3d8233dadeed795
Opcode Fuzzy Hash: 996477c2b368b445264eafa907f7a8b09914350daa70815bf7adda2b1cfb994d
Instruction Fuzzy Hash: C7119132519216ABDB363BB0A815BEE3BE4AB54360F20853DF85D9A552DB30C9819A90

Function 000D058F Relevance: 6.1, APIs: 4, Instructions: 64registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 000D05AC
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 000D05C7
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 000D05DD
FreeLibrary.KERNEL32(?), ref: 000D0632

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Type$FileFreeLibraryLoadModuleNameRegister
String ID:
API String ID: 3137044355-0
Opcode ID: 6378f9d910ab0a0de1c86216aa00d69c1eba3017f19c958d4021766c799af0dd
Instruction ID: eb70fcbaa5858354716b017814f06a22a2a173c8ffd27b7580af9dcbc2db649c
Opcode Fuzzy Hash: 6378f9d910ab0a0de1c86216aa00d69c1eba3017f19c958d4021766c799af0dd
Instruction Fuzzy Hash: DE218E71900319EFDB20DFA1ED88BDABBB8EF40700F00846AE91A96650D770EA55DF61

Function 000D6713 Relevance: 6.1, APIs: 4, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 000D6733
_memset.LIBCMT ref: 000D6754
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 000D67A6
CloseHandle.KERNEL32(00000000), ref: 000D67AF

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: c4df773e8a4c2deed1ee15ba46037147b15b024665e736e8869e65db3693d007
Instruction ID: 7a9810c0c75e560b4df7f41ae1b91de90835bdfc4c6491ae49729dbc5c33adfb
Opcode Fuzzy Hash: c4df773e8a4c2deed1ee15ba46037147b15b024665e736e8869e65db3693d007
Instruction Fuzzy Hash: 6111A7759012287AE72057A5AC4DFEBBABCEF44764F10419AF504E71D0D6745E808B74

Function 000CB1CC Relevance: 6.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000CAA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 000CAA79
Part of subcall function 000CAA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 000CAA83
Part of subcall function 000CAA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 000CAA92
Part of subcall function 000CAA62: RtlAllocateHeap.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 000CAA99
Part of subcall function 000CAA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 000CAAAF

GetLengthSid.ADVAPI32(?,00000000,000CADE4,?,?), ref: 000CB21B
GetProcessHeap.KERNEL32(00000008,00000000), ref: 000CB227
RtlAllocateHeap.KERNEL32(00000000), ref: 000CB22E
CopySid.ADVAPI32(?,00000000,?), ref: 000CB247

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Heap$AllocateInformationProcessToken$CopyErrorLastLength
String ID:
API String ID: 259861997-0
Opcode ID: cd62aba498782ca41ce73c720f367c642534cddf5f0f91ca7e1982aa0c49ff91
Instruction ID: 5edc8e799a45a88b39b32c6ce61b0cd685b1d0e4438b644d41d025d53b856243
Opcode Fuzzy Hash: cd62aba498782ca41ce73c720f367c642534cddf5f0f91ca7e1982aa0c49ff91
Instruction Fuzzy Hash: 92114F71A00209BFDB149F98DD86FAEB7A9EF85318F14802DE94297211D775AE84DB10

Function 000CB478 Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 000CB498
SendMessageW.USER32(?,000000C9,?,00000000), ref: 000CB4AA
SendMessageW.USER32(?,000000C9,?,00000000), ref: 000CB4C0
SendMessageW.USER32(?,000000C9,?,00000000), ref: 000CB4DB

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4b3c03d86f8cce270852225a9020d5ac318ac377945841fe7d412ba856f3fbb7
Instruction ID: 4b3986e61dae61649398e50cad6d41ef8dc3b96c0ff585bd6e6f9118fcef4e6f
Opcode Fuzzy Hash: 4b3c03d86f8cce270852225a9020d5ac318ac377945841fe7d412ba856f3fbb7
Instruction Fuzzy Hash: 4A11457A900218FFEB11DFA8C981F9DBBB8FB08700F204095EA04B7291D771AE10DB94

Function 000D732B Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000D7352
MessageBoxW.USER32(?,?,?,?), ref: 000D7385
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 000D739B
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 000D73A2

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 8ef92eb1b0766c54306406a8e1d26534aec024063f4883f82ee3a4f40a2cd127
Instruction ID: fb535c2094aabf7b0bba5d664f1767844a0eb375e68ec3a0047c11b1ef1eadc1
Opcode Fuzzy Hash: 8ef92eb1b0766c54306406a8e1d26534aec024063f4883f82ee3a4f40a2cd127
Instruction Fuzzy Hash: 2D11E1B2A04314ABC7059BA8EC0AADE7BE9AB44351F044216F935D33A1E6708E4087B1

Function 000AD17C Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 000AD1BA
GetStockObject.GDI32(00000011), ref: 000AD1CE
SendMessageW.USER32(00000000,00000030,00000000), ref: 000AD1D8

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 73229995f12064fcc90d606911a450215bed71604cd6f03470e23c6fdaab70ea
Instruction ID: 094d343bb12c7d5c0a2aba44d33f83494e391c02cc02f8649452a65b0a9bc24c
Opcode Fuzzy Hash: 73229995f12064fcc90d606911a450215bed71604cd6f03470e23c6fdaab70ea
Instruction Fuzzy Hash: 2F11C072101509BFEF164FA0DC50EEABBAAFF0A364F044102FA0652450DB31DDA0DBA0

Function 000D3F9B Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,000D2B1B,?,000D3B9F,?,00008000), ref: 000D3FB8
Sleep.KERNEL32(00000000,?,?,?,?,?,?,000D2B1B,?,000D3B9F,?,00008000), ref: 000D3FDD
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,000D2B1B,?,000D3B9F,?,00008000), ref: 000D3FE7
Sleep.KERNEL32(?,?,?,?,?,?,?,000D2B1B,?,000D3B9F,?,00008000), ref: 000D401A

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 919e6af36fa1fdbfe5f10d0acec2f4724e781c30d798930345a5c1594669d993
Instruction ID: 9c47f0923db64a460c25d3fa4c877ba36a49867839eb6baf0a727fc99f60bb5c
Opcode Fuzzy Hash: 919e6af36fa1fdbfe5f10d0acec2f4724e781c30d798930345a5c1594669d993
Instruction Fuzzy Hash: 34110A71D00729EBCF049FA4E9486EEBF74BB09711F014056DA41B6280CB3096908BA6

Function 000C4DF2 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 000C4E16

Part of subcall function 000C54F5: __fltout2.LIBCMT ref: 000C551E

__cftog_l.LIBCMT ref: 000C4E3C
__cftoe_l.LIBCMT ref: 000C4E6E

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction ID: d8acb36d4ec569d9999795ee7f820a7182c6fffc162984203ed274457a94af38
Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction Fuzzy Hash: 6201483600014ABBCF625F84DC21DEE3F66BB18355B5A8559FA2859031D336DAB2AB81

Function 000B7A94 Relevance: 6.0, APIs: 4, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 000B7AD8

Part of subcall function 000B7CF4: __mtinitlocknum.LIBCMT ref: 000B7D06
Part of subcall function 000B7CF4: RtlEnterCriticalSection.KERNEL32(00000000,?,000B7ADD,0000000D), ref: 000B7D1F

InterlockedIncrement.KERNEL32(?), ref: 000B7AE5
__lock.LIBCMT ref: 000B7AF9
___addlocaleref.LIBCMT ref: 000B7B17

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
String ID:
API String ID: 1687444384-0
Opcode ID: 65fded78f91e0bec371ef5fb56544fe49eabf27b36b945bfa8dc78feaf5ffc73
Instruction ID: d5fa7facdb2e2cf359b53b6adc45c88f37b9414745cc1afb60479efa1b62622c
Opcode Fuzzy Hash: 65fded78f91e0bec371ef5fb56544fe49eabf27b36b945bfa8dc78feaf5ffc73
Instruction Fuzzy Hash: 82015B71444B009ED7209F65D905BCABBF0EF40325F20890EE49A966A1CB74A684CF05

Function 000FE32E Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000FE33D
_memset.LIBCMT ref: 000FE34C
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00153D00,00153D44), ref: 000FE37B
CloseHandle.KERNEL32 ref: 000FE38D

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 5cf9036d5840884eff850e155cc6d6a2d0c3867c299363430c55697dad898f1a
Instruction ID: 495476394ff3f708cba1db5de76c16b6d4ce1c8d9f06bffe6650978070e9f305
Opcode Fuzzy Hash: 5cf9036d5840884eff850e155cc6d6a2d0c3867c299363430c55697dad898f1a
Instruction Fuzzy Hash: 28F05EF1540304FAE2101BA0AC49FF77E7CDB04795F404421BE28EB5A2E3B59E5086A8

Function 000FEA6A Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 000AAF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 000AAFE3
Part of subcall function 000AAF83: SelectObject.GDI32(?,00000000), ref: 000AAFF2
Part of subcall function 000AAF83: BeginPath.GDI32(?), ref: 000AB009
Part of subcall function 000AAF83: SelectObject.GDI32(?,00000000), ref: 000AB033

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 000FEA8E
LineTo.GDI32(00000000,?,?), ref: 000FEA9B
EndPath.GDI32(00000000), ref: 000FEAAB
StrokePath.GDI32(00000000), ref: 000FEAB9

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 4324907583b795a67789d037cd41f6bc45d19926582e05aa793442f6178e8b41
Instruction ID: eea4814ed949fc0763997baf4e124f7e3be78ddda48898829ff029c711b96d66
Opcode Fuzzy Hash: 4324907583b795a67789d037cd41f6bc45d19926582e05aa793442f6178e8b41
Instruction Fuzzy Hash: 23F05E31005259BBDB169F94AD09FCE3F59AF0A311F148201FA11654E1C7B896A1DB96

Function 000CC82D Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 000CC84A
GetWindowThreadProcessId.USER32(?,00000000), ref: 000CC85D
GetCurrentThreadId.KERNEL32 ref: 000CC864
AttachThreadInput.USER32(00000000), ref: 000CC86B

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: a9c891479f49086e713c50e29ab172bd7819813bd402a02bc94bd1b5e85230bd
Instruction ID: 1dda656a7be03f311a3d94d90475648af62a6607d7ef548f1c0903f9af1ff10d
Opcode Fuzzy Hash: a9c891479f49086e713c50e29ab172bd7819813bd402a02bc94bd1b5e85230bd
Instruction Fuzzy Hash: 82E0C971541228BAEB205BA2ED0DFDB7F5CEF167A1F408025F60D95860CBB58585DBE0

Function 000CB0CD Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 000CB0D6
OpenThreadToken.ADVAPI32(00000000,?,?,?,000CAC9D), ref: 000CB0DD
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,000CAC9D), ref: 000CB0EA
OpenProcessToken.ADVAPI32(00000000,?,?,?,000CAC9D), ref: 000CB0F1

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 1a076a200d0c3a5d49037cb7eb3a5bece37131d32671546c3665915ecc4ac1b5
Instruction ID: 637421fc4e6fbd5e6d3529422f11a6b982d9fe85a80b86325a62f72c711d1a5c
Opcode Fuzzy Hash: 1a076a200d0c3a5d49037cb7eb3a5bece37131d32671546c3665915ecc4ac1b5
Instruction Fuzzy Hash: C1E08672601221ABD7605FB26E0DFDB3BE8EF55791F11C818F241D6040DB348481C761

Function 000AB47D Relevance: 6.0, APIs: 4, Instructions: 22COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 000AB496
SetTextColor.GDI32(?,000000FF), ref: 000AB4A0
SetBkMode.GDI32(?,00000001), ref: 000AB4B5
GetStockObject.GDI32(00000005), ref: 000AB4BD
GetWindowDC.USER32(?,00000000), ref: 0010DE2B
GetPixel.GDI32(00000000,00000000,00000000), ref: 0010DE38
GetPixel.GDI32(00000000,?,00000000), ref: 0010DE51
GetPixel.GDI32(00000000,00000000,?), ref: 0010DE6A
GetPixel.GDI32(00000000,?,?), ref: 0010DE8A
ReleaseDC.USER32(?,00000000), ref: 0010DE95

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 5ad1f1235c2da16c7247ba5c3631fe162592e1941b801cf825493134a476e02e
Instruction ID: 1cb2b74871d629f43c83a1991ea51ae70377e4a34eae346028dbd3fd7b68895c
Opcode Fuzzy Hash: 5ad1f1235c2da16c7247ba5c3631fe162592e1941b801cf825493134a476e02e
Instruction Fuzzy Hash: 2DE0ED31100240BADB256BB8FD09BD83B11AB56335F14C666F6A9584E2C7B18581DB11

Function 0010B29A Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0010B29A
GetDC.USER32(00000000), ref: 0010B2A4
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0010B2C3
ReleaseDC.USER32 ref: 0010B2E2

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: e71922ec703c1cb01845e99a3edb2a1a5223752300612f0b003322a045b4ea85
Instruction ID: 5bf3b69bfc4379e13e4a4d441347d50ad7d1fd61222289a5a6051d50ca5d838e
Opcode Fuzzy Hash: e71922ec703c1cb01845e99a3edb2a1a5223752300612f0b003322a045b4ea85
Instruction Fuzzy Hash: 8BE0BFB1500204EFDB055FB0E9486AE7BA5EB4C351F11C81AFD5A87651DB749881DB50

Function 000CB2D4 Relevance: 6.0, APIs: 4, Instructions: 20synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 000CB2DF
743B5030.USERENV(?,?), ref: 000CB2EB
CloseHandle.KERNEL32(?), ref: 000CB2F4
CloseHandle.KERNEL32(?), ref: 000CB2FC

Part of subcall function 000CAB24: GetProcessHeap.KERNEL32(00000000,?,000CA848), ref: 000CAB2B
Part of subcall function 000CAB24: HeapFree.KERNEL32(00000000), ref: 000CAB32

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: CloseHandleHeap$B5030FreeObjectProcessSingleWait
String ID:
API String ID: 562567718-0
Opcode ID: 4ce4496b72e734805288a0b6e1d56c4905520b6540cd4f802a438eed4e1b6314
Instruction ID: bec9d452054941aea48726628e5928565b54cb7faa260ed5cc76980a57f94dea
Opcode Fuzzy Hash: 4ce4496b72e734805288a0b6e1d56c4905520b6540cd4f802a438eed4e1b6314
Instruction Fuzzy Hash: 9CE0B67A104105BBCB052BA5ED08899FBB6FF89321310C221F625819B1CB32A8B1EB91

Function 0010B2AE Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0010B2AE
GetDC.USER32(00000000), ref: 0010B2B8
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0010B2C3
ReleaseDC.USER32 ref: 0010B2E2

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: bdcb6753113194d3a845937c52982d26f20c3636f91716f8b9ab6bbbdca083d8
Instruction ID: 4465f1473e6cb7559aef47b19c200f804be39072598b6fdccf3fab8c51305ae4
Opcode Fuzzy Hash: bdcb6753113194d3a845937c52982d26f20c3636f91716f8b9ab6bbbdca083d8
Instruction Fuzzy Hash: 2DE046B1500200EFDB045FB0E9486AD7BA8EB4C360F11C81AF95A8BA21DB789880CB00

Function 000CDCDF Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 240comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 000CDEAA

Strings

Container, xrefs: 000CDE29
AutoIt3GUI, xrefs: 000CDE22

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 30e978d15ec15b56c652ea179d2a516f7f80308afdab4281d5c32ea30d638aa8
Instruction ID: ba38bb54d563fcbd161da318d12aefa8f135b567ea5de3b99d18f64bcca28d73
Opcode Fuzzy Hash: 30e978d15ec15b56c652ea179d2a516f7f80308afdab4281d5c32ea30d638aa8
Instruction Fuzzy Hash: 3C912670600701AFDB64DF64C884FAABBF5BF49710B10856EF84ADB691DB71E841CB60

Function 000DDE7C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 200shareCOMMON

Download Yara Rule

APIs

Part of subcall function 000AC6F4: _wcscpy.LIBCMT ref: 000AC717

Part of subcall function 0009936C: __swprintf.LIBCMT ref: 000993AB
Part of subcall function 0009936C: __itow.LIBCMT ref: 000993DF

__wcsnicmp.LIBCMT ref: 000DDEFD
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 000DDFC6

Strings

LPT, xrefs: 000DDEF7

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 10955b00a42b1e452353592f7907dd875c19109636be1697adc291f590621f28
Instruction ID: aeaaf4fccc2930314bbe0bac0e530fdfb6f2b5511b3b5c5912f9faa32c8068f3
Opcode Fuzzy Hash: 10955b00a42b1e452353592f7907dd875c19109636be1697adc291f590621f28
Instruction Fuzzy Hash: DE618375A00215AFCB14EF98C895EEEB7F5EF08310F11406AF546AB391D770AE80CBA0

Function 000ABCC9 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 000ABCDA
GlobalMemoryStatusEx.KERNEL32 ref: 000ABCF3

Strings

@, xrefs: 000ABCE8

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 1fd5f1711b1801bb98cdc2a2ba254d43d02420d6648c97063c19743dcd0eae93
Instruction ID: cf4c3bc5306d9860b38e58b0b7d89049ceb06f3e09756b3409e6a7017b95f8f0
Opcode Fuzzy Hash: 1fd5f1711b1801bb98cdc2a2ba254d43d02420d6648c97063c19743dcd0eae93
Instruction Fuzzy Hash: B7512771408744ABE320AF58DC86BEFBBE8FF96364F41485DF5C8410A6EB7085A8C756

Function 000DC56D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 000944ED: __fread_nolock.LIBCMT ref: 0009450B

_wcscmp.LIBCMT ref: 000DC65D
_wcscmp.LIBCMT ref: 000DC670

Strings

FILE, xrefs: 000DC5A5

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 3b1f7fae5c0b2972fba104549edf6dc583a4c5df3d3c989edb4aea1f75106751
Instruction ID: 056c9a87378882efc06a8955d3a42d526adb28ab8baddedfd2d1fc6f9a4748ba
Opcode Fuzzy Hash: 3b1f7fae5c0b2972fba104549edf6dc583a4c5df3d3c989edb4aea1f75106751
Instruction Fuzzy Hash: DD41B372A0020ABADF219BA4DC41FEF77B9AF49714F01046AF605EB282D7719A05DB61

Function 000FA76A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 000FA85A
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 000FA86F

Strings

', xrefs: 000FA7C3

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 17411b38c1d6a180c0e67b2eda06493a544ab2e2877e1633fce4ac7ed868ff3c
Instruction ID: a17417c5291463b37fbac422acbbe991e33563492f975e047e811914bc00c026
Opcode Fuzzy Hash: 17411b38c1d6a180c0e67b2eda06493a544ab2e2877e1633fce4ac7ed868ff3c
Instruction Fuzzy Hash: 0A410BB4E003099FDB54DF64C880BEA7BF5FB09340F14006AEA09AB741D771A942DF91

Function 000E5180 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000E5190
InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 000E51C6

Strings

|, xrefs: 000E51B5

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: fd21cb0fd899c59a25ec3c65354b8053fd3966fa89264e0cdb5f92b40a3a4f8c
Instruction ID: bdea548e6fc6dbd9c371d96e4f3272d5272765d7aa881b7c5fce6564c629402c
Opcode Fuzzy Hash: fd21cb0fd899c59a25ec3c65354b8053fd3966fa89264e0cdb5f92b40a3a4f8c
Instruction Fuzzy Hash: 61313771C00109AFDF15AFA5CC85EEEBFB9FF18704F004019E905A6166EB31AA06DBA0

Function 000F975A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 000F980E
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 000F984A

Strings

static, xrefs: 000F97AA

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 9890007d9bad6fa50db61cfe7cfaedfe4470015e6d6ce8141cc359c1df474d32
Instruction ID: e48057532832e713c9e160fa24b586fced08e16c535a6835b6fab4312c8269f7
Opcode Fuzzy Hash: 9890007d9bad6fa50db61cfe7cfaedfe4470015e6d6ce8141cc359c1df474d32
Instruction Fuzzy Hash: 6B317E71110608AAEB109F74CC80BFB73A9FF59760F108619F9A9C7591DA31AC82DB60

Function 000D5157 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000D51C6
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 000D5201

Strings

0, xrefs: 000D51BF

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 1eaf84281a0cc706c01ef2433a6a6259c0c0337c8f6130a56bffcde4648d4bb0
Instruction ID: 8d37fe5eb7f61ef42a7256da9ced37529f5041b0f3a4c74b0756cdb1898cddc6
Opcode Fuzzy Hash: 1eaf84281a0cc706c01ef2433a6a6259c0c0337c8f6130a56bffcde4648d4bb0
Instruction Fuzzy Hash: 9531D531600705ABEB65CF99DC45BFEBBF4BF46351F14401AED91A62A0E7709A48CB20

Function 000E658B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 000E6608

Strings

, $, xrefs: 000E6648
AUTOITCALLVARIABLE%d, xrefs: 000E65FA

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: __snwprintf
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 2391506597-2584243854
Opcode ID: 91f087bd4bbba636ecef7ca05f32161b538640a1716b7b4bbfbdf822dbdebcc5
Instruction ID: 389abe234db20e7f66d497e86cf82e81fad18eac1e6e8c763403356bdde519e7
Opcode Fuzzy Hash: 91f087bd4bbba636ecef7ca05f32161b538640a1716b7b4bbfbdf822dbdebcc5
Instruction Fuzzy Hash: 3B21DD71A00218AFCF15EFA5DC82EEE73B4AF14380F000069F115BB192DB71EA05DBA1

Function 000F93CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 000F945C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 000F9467

Strings

Combobox, xrefs: 000F9429

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 6dd94a626502080e2bbd4b0c7eb9a0df83b8ca0c0bec8324b3b44b73ab99138c
Instruction ID: 8f88470c1b04fd236d4df12a9eb1bfe8160ccb006fa7482637c157ee6b3b4a48
Opcode Fuzzy Hash: 6dd94a626502080e2bbd4b0c7eb9a0df83b8ca0c0bec8324b3b44b73ab99138c
Instruction Fuzzy Hash: 9B11907120020CAFEF659E54DC80FBB37AAEB983A4F104125FA19976A0D671AC529760

Function 000F98FE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 000AD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 000AD1BA
Part of subcall function 000AD17C: GetStockObject.GDI32(00000011), ref: 000AD1CE
Part of subcall function 000AD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 000AD1D8

GetWindowRect.USER32(00000000,?), ref: 000F9968
GetSysColor.USER32(00000012), ref: 000F9982

Strings

static, xrefs: 000F9945

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 842e4f80a97644f3222f62e1b55534d5e342f1ff1daee1c8c7c5ee6f1985f38f
Instruction ID: 09fbe8678fce848b722baee76efdaae80f7ca49d3a9f16b9cd74f6f1dffaff53
Opcode Fuzzy Hash: 842e4f80a97644f3222f62e1b55534d5e342f1ff1daee1c8c7c5ee6f1985f38f
Instruction Fuzzy Hash: 5C11267252020AAFDB05DFB8CC45AFA7BA8FB08344F054629FA56E3650E774E851DB60

Function 000F9617 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 000F9699
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 000F96A8

Strings

edit, xrefs: 000F967D

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: ec4d661162354f9c54e9b4a8a309b7dd61639aff078aa5be762af07b86af7d24
Instruction ID: a8aaa4e571c12d9c35cba26bf2569c46295ff17e6371919f931810b43ba08ab5
Opcode Fuzzy Hash: ec4d661162354f9c54e9b4a8a309b7dd61639aff078aa5be762af07b86af7d24
Instruction Fuzzy Hash: 08116A71100208AAEF619FA4EC40FFB3BAAEB05368F504314FA65D79E0C7759C91AB60

Function 000D5262 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000D52D5
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 000D52F4

Strings

0, xrefs: 000D52CE

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: cbab51a32c16d75fb17f1dcf74f26d13df3c13ed8f418b36cea1836032890e2d
Instruction ID: b313cc12111c474bda463379bcd2703fd44427fbf7cf3489abbd8eedb36411ce
Opcode Fuzzy Hash: cbab51a32c16d75fb17f1dcf74f26d13df3c13ed8f418b36cea1836032890e2d
Instruction Fuzzy Hash: 5011BE76901714EBDB61DE9CDD05BAD77E8AB06792F040026ED11AB3D0D3B0AE08CBB0

Function 000E4D9F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 000E4DF5
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 000E4E1E

Strings

<local>, xrefs: 000E4DE6

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: b4706f753ac3f5dc09b8fa04bddc81de0f8af44d8c86b4adceaf5f37494cf021
Instruction ID: 1804e87061e57c354abb930d1b4016e3915526b098ffbd3ee590ef682b7b24bf
Opcode Fuzzy Hash: b4706f753ac3f5dc09b8fa04bddc81de0f8af44d8c86b4adceaf5f37494cf021
Instruction Fuzzy Hash: D7119E70605261BEDB258F528C88EEBFAA8FB06754F10822AF51566540D3B06984C6E0

Function 000EA82C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52networkCOMMON

Download Yara Rule

APIs

inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 000EA84E
htons.WSOCK32(00000000,?,00000000), ref: 000EA88B

Strings

255.255.255.255, xrefs: 000EA866

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: htonsinet_addr
String ID: 255.255.255.255
API String ID: 3832099526-2422070025
Opcode ID: 29ca2bc5ecb1a4ff9acbe51cb3326b5bcfdfb3b05814d260e071a2060c964f35
Instruction ID: e8f3a80569e22f9f2b81f5db6d0c352f028a05574480d7455ec3549a55acb79d
Opcode Fuzzy Hash: 29ca2bc5ecb1a4ff9acbe51cb3326b5bcfdfb3b05814d260e071a2060c964f35
Instruction Fuzzy Hash: 0D012635300344AFCB219F64C946FEEB364EF49314F10842AF515A72D2DB31E801C752

Function 00096430 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00093DEE,00151148,?,?,?,?,?,00093AA3,?), ref: 00096471
_wcscat.LIBCMT ref: 00105DDB

Strings

`, xrefs: 000964B2

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: FullNamePath_wcscat
String ID: `
API String ID: 2109976907-4168407445
Opcode ID: 67791480f996a579b618b97b382da38786146721e08932dbc8e4e14e5ae805e8
Instruction ID: 2a9c12fa79f638f5cd8dec9ebf9d4313319e680e11cc57d6132b1c68a2f6cc97
Opcode Fuzzy Hash: 67791480f996a579b618b97b382da38786146721e08932dbc8e4e14e5ae805e8
Instruction Fuzzy Hash: 7D11C431505109ABCF01EBE8DA41FCD73F9AF08340F104166B989E7282DB719788AB22

Function 000CB781 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 000CB7EF

Strings

ListBox, xrefs: 000CB7B9
ComboBox, xrefs: 000CB78B

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 959d82c0caa4b8fc377572f6383e6f9d1350f3fc993bf38d27f27e3d330f8f77
Instruction ID: 4a254ef222879a2aac1684cbb4dcfdea71c4b23a0a315c9b7e21f5103aa388af
Opcode Fuzzy Hash: 959d82c0caa4b8fc377572f6383e6f9d1350f3fc993bf38d27f27e3d330f8f77
Instruction Fuzzy Hash: 4D01D471A41114ABDB04EBA4DC53EFE33A9BF45350B14061DF862672D2EF70590CD790

Function 000CB67D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000180,00000000,?), ref: 000CB6EB

Strings

ListBox, xrefs: 000CB6B5
ComboBox, xrefs: 000CB687

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: bd056d4d6f4a6daa29f97365fee78271eabd88a5f9c4e86bd9f335407bc99749
Instruction ID: b001f1fce0801092a3bf4e22664d2ecff243e5540db952467b9ffb1a4d68d450
Opcode Fuzzy Hash: bd056d4d6f4a6daa29f97365fee78271eabd88a5f9c4e86bd9f335407bc99749
Instruction Fuzzy Hash: 6E01A275A41004ABDB14EBA4D953FFE73A89F05340F14002DB402B3292EB649E1897B5

Function 000CB700 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000182,?,00000000), ref: 000CB76C

Strings

ListBox, xrefs: 000CB738
ComboBox, xrefs: 000CB70A

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 7df57a32bf9d3b77885590d31d504dea945b79c11a7dfac5accb74d5b7513e68
Instruction ID: 0f353c1274917a393c90d91cd59b51311fd81d08b85abb8e0fa3f7f7b646d0dc
Opcode Fuzzy Hash: 7df57a32bf9d3b77885590d31d504dea945b79c11a7dfac5accb74d5b7513e68
Instruction Fuzzy Hash: A501D176A41104BBDB15EBA4CA13FFE73AC9F05340F54012EB802B31A3EB609E1997B5

Function 00094024 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

LoadImageW.USER32(00090000,00000063,00000001,00000010,00000010,00000000), ref: 00094048
EnumResourceNamesW.KERNEL32(00000000,0000000E,000D67E9,00000063,00000000,77080280,?,?,00093EE1,?,?,000000FF), ref: 001041B3

Strings

>, xrefs: 00094028

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: EnumImageLoadNamesResource
String ID: >
API String ID: 1578290342-3693623109
Opcode ID: c89299697f5ea86200f7fd1f29f546b758d998fd3533832b407823ba75fb056b
Instruction ID: d1a42b8c17e8d71997da71e8bfb6b54ab936fbf98017eab6c7def82d993ca207
Opcode Fuzzy Hash: c89299697f5ea86200f7fd1f29f546b758d998fd3533832b407823ba75fb056b
Instruction Fuzzy Hash: 9EF06D71740314B7E6204B2ABC8AFD63AA9A744BB6F100506F324AE5E0E2F194C09AA0

Function 000D7744 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 000D7762
_wcscmp.LIBCMT ref: 000D7774

Strings

#32770, xrefs: 000D776E

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 43d874289aaa845f0d3565df005282dc0c56e04bf1cbdd0cef51c98b95106f58
Instruction ID: bb447af2623223f8964cffd8a3d52e3ee4c0ed86b02703ac5f784ae60e485093
Opcode Fuzzy Hash: 43d874289aaa845f0d3565df005282dc0c56e04bf1cbdd0cef51c98b95106f58
Instruction Fuzzy Hash: 35E0D87760432567D720EAA5EC09EC7FBACEB51760F010056F915D3141E670E745C7E0

Function 000CA631 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 000CA63F

Part of subcall function 000B13F1: _doexit.LIBCMT ref: 000B13FB

Strings

AutoIt, xrefs: 000CA633
Error allocating memory., xrefs: 000CA638

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 0a8b71fcea218edb6fd6c15d0e67e9ad61edaea01f76d4dbb83e60bf4894b54b
Instruction ID: 5f886ca5ea04823d28b52fb4576ce4884512bc2fcc1b070edc421d2d0fc257f6
Opcode Fuzzy Hash: 0a8b71fcea218edb6fd6c15d0e67e9ad61edaea01f76d4dbb83e60bf4894b54b
Instruction Fuzzy Hash: 19D02B313C033833D21437E97C17FC876888B16B55F044015FB08954C34AF2868042D9

Function 0010AE86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 0010ACC0
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0010AEBD

Strings

WIN_XPe, xrefs: 0010ACD3

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: DirectoryFreeLibrarySystem
String ID: WIN_XPe
API String ID: 510247158-3257408948
Opcode ID: bae63cc73ec386024ce61964d6c71175f2b6ad1aaeafc39e386203c900eeed46
Instruction ID: 89af6ef26a5aa9317822f5dfc8bfce5f7f8c59fee9eb45b479e3ff348b8ecf06
Opcode Fuzzy Hash: bae63cc73ec386024ce61964d6c71175f2b6ad1aaeafc39e386203c900eeed46
Instruction Fuzzy Hash: ACE06D71C0064DEFDB15DBA5EA849EDB7B8AF48301F518082E052B25A0CBB04A84DF22

Function 000F8698 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 000F86A2
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 000F86B5

Part of subcall function 000D7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 000D7AD0

Strings

Shell_TrayWnd, xrefs: 000F869B

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: d4bf942475d0d2985daff7b8c19b9cf16b97fe2893368e658534bac9016a687c
Instruction ID: 5ad6cf7d3f69e2af5cf951c5651dbbe0a958ccd7dc2d77a778132fc6ab8448e1
Opcode Fuzzy Hash: d4bf942475d0d2985daff7b8c19b9cf16b97fe2893368e658534bac9016a687c
Instruction Fuzzy Hash: D1D01231384324B7E2686770AD0BFC67A289B44B21F114915B749AE1D1D9E4E980C764

Function 000F86CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 000F86E2
PostMessageW.USER32(00000000), ref: 000F86E9

Part of subcall function 000D7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 000D7AD0

Strings

Shell_TrayWnd, xrefs: 000F86DB

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 0f04416e083465dac411b9e2e66eb8fec8de7413984ca9df398d285a7e9cb12b
Instruction ID: 624c9ad408f097059b65111b06908d936d9b80ea057bc39798cd7c22919a880d
Opcode Fuzzy Hash: 0f04416e083465dac411b9e2e66eb8fec8de7413984ca9df398d285a7e9cb12b
Instruction Fuzzy Hash: 5CD022313803247BF2686330AC0BFC63A289B04B21F004805B309EE1D0C9E4E980C724

Function 000DC71A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 000DC72F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 000DC746

Strings

aut, xrefs: 000DC740

Memory Dump Source

Source File: 00000003.00000002.2537175657.0000000000091000.00000020.00000001.01000000.00000004.sdmp, Offset: 00090000, based on PE: true

Associated: 00000003.00000002.2537101897.0000000000090000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000011D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537289951.000000000013E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537376780.000000000014A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.2537410471.0000000000154000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_90000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: fecafeabf8d092435f63a1267bbc6768d473b38a00bc428e85862a92c4fce6b2
Instruction ID: a6275f17e6d9bb6b43496d7fc8cc3c2883807aa08af6b9b012b4afd3d38983b2
Opcode Fuzzy Hash: fecafeabf8d092435f63a1267bbc6768d473b38a00bc428e85862a92c4fce6b2
Instruction Fuzzy Hash: C8D05E7550030EBBDB10AB90ED0EFCA776C9704708F0041A07660A50B1DBB4E6D98B54

Source: unknown	TCP traffic detected without corresponding DNS query: 46.183.218.37
Source: unknown	TCP traffic detected without corresponding DNS query: 46.183.218.37
Source: unknown	TCP traffic detected without corresponding DNS query: 46.183.218.37
Source: unknown	TCP traffic detected without corresponding DNS query: 46.183.218.37

Source: file.exe, 00000003.00000002.2537954444.0000000000E20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://46.183.218.37/
Source: file.exe, 00000003.00000003.1803668616.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2538244077.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.2403832167.0000000000E8F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1483001479.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.2403629641.0000000000E8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.2538171597.0000000000E8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://46.183.218.37/community/wiki-self-signed/name-signed.php

Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Windows Analysis Report
file.exe

Function 00093D19 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowCOMMON

Function 00093742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
timewindowregistryCOMMON

Function 000ADDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Function 0009406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 000D6CE9 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 178
COMMON

Function 00093F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
registrywindowclipboardCOMMON

Function 00093E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Function 00092322 Relevance: 10.7, APIs: 3, Strings: 4, Instructions: 159
COMMON

Function 000949FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Function 000936B8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 000951AF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Function 000DDAF6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72
COMMON

Function 00094139 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 258
COMMON

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre