Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1523651
MD5:	e8f25456a80317e47af911934a95c228
SHA1:	7b1307f3c0eac0c0fe3d124e4054973950a7053b
SHA256:	338b3da95992f048d48258ef58d9772a76f7c6f736de160b5b667f7e758ae571
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected non-DNS traffic on DNS port

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 2700 cmdline: "C:\Users\user\Desktop\file.exe" MD5: E8F25456A80317E47AF911934A95C228)

chrome.exe (PID: 3408 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-features=CrashRecovery MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6528 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=1976,i,7912777509037811501,8680786608040553108,262144 --disable-features=CrashRecovery /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 2700	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_005FEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_005FEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005FED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_005FED6A

Source: C:\Users\user\Desktop\file.exe

0_2_005FEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005EAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_005EAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00619576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00619576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.2003531896.0000000000642000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_ed2ca446-4
Source: file.exe, 00000000.00000000.2003531896.0000000000642000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_cfa45b6f-a
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_0f8bc560-0
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_9c7daafb-f

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005ED5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_005ED5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005E1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_005E1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005EE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_005EE8F6

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3408_938942196	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3408_938942196\sets.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3408_938942196\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3408_938942196\LICENSE	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3408_938942196\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3408_938942196\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3408_938942196\manifest.fingerprint	Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File deleted: C:\Windows\SystemTemp\chrome_BITS_3408_1290446791

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0058BF40	0_2_0058BF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005F2046	0_2_005F2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00588060	0_2_00588060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005E8298	0_2_005E8298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005BE4FF	0_2_005BE4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005B676B	0_2_005B676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00614873	0_2_00614873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0058CAF0	0_2_0058CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005ACAA0	0_2_005ACAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0059CC39	0_2_0059CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005B6DD9	0_2_005B6DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0059B119	0_2_0059B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005891C0	0_2_005891C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005A1394	0_2_005A1394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005A1706	0_2_005A1706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005A781B	0_2_005A781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0059997D	0_2_0059997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00587920	0_2_00587920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005A19B0	0_2_005A19B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005A7A4A	0_2_005A7A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005A1C77	0_2_005A1C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005A7CA7	0_2_005A7CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0060BE44	0_2_0060BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005B9EEE	0_2_005B9EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005A1F32	0_2_005A1F32

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0059F9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 005A0A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00589CB3 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal64.troj.evad.winEXE@27/19@6/5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005F37B5 GetLastError,FormatMessageW,

0_2_005F37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005E10BF AdjustTokenPrivileges,CloseHandle,		0_2_005E10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005E16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_005E16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005F51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_005F51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005ED4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_005ED4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005F648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_005F648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005842A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_005842A2

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-features=CrashRecovery
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=1976,i,7912777509037811501,8680786608040553108,262144 --disable-features=CrashRecovery /prefetch:8
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-features=CrashRecovery	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=1976,i,7912777509037811501,8680786608040553108,262144 --disable-features=CrashRecovery /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior

Source: Google Drive.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005842DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005A0A76 push ecx; ret

0_2_005A0A89

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0059F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0059F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00611C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00611C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96913

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.1 %

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005EDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_005EDBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005BC2A2 FindFirstFileExW,	0_2_005BC2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005F68EE FindFirstFileW,FindClose,	0_2_005F68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005F698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_005F698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005ED076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_005ED076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005ED3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_005ED3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005F9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_005F9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005F979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_005F979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005F9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_005F9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005F5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_005F5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005842DE

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005FEAA2 BlockInput,

0_2_005FEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005B2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_005B2622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005842DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005A4CE8 mov eax, dword ptr fs:[00000030h]

0_2_005A4CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005E0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_005E0B62

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005B2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_005B2622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005A083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_005A083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005A09D5 SetUnhandledExceptionFilter,	0_2_005A09D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005A0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_005A0C21

Source: C:\Users\user\Desktop\file.exe

0_2_005E1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005C2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_005C2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005EB226 SendInput,keybd_event,

0_2_005EB226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006022DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_006022DA

Source: C:\Users\user\Desktop\file.exe

0_2_005E0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005E1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_005E1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005A0698 cpuid

0_2_005A0698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005F8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_005F8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005DD27A GetUserNameW,

0_2_005DD27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005BB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_005BB952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005842DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 2700, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 2700, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00601204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00601204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00601806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00601806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	15 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	2 Process Injection	1 File Deletion	LSA Secrets	12 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	11 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://wieistmeineip.de	0%	URL Reputation	safe
https://mercadoshops.com.co	0%	URL Reputation	safe
https://gliadomain.com	0%	URL Reputation	safe
https://poalim.xyz	0%	URL Reputation	safe
https://mercadolivre.com	0%	URL Reputation	safe
https://reshim.org	0%	URL Reputation	safe
https://nourishingpursuits.com	0%	URL Reputation	safe
https://medonet.pl	0%	URL Reputation	safe
https://unotv.com	0%	URL Reputation	safe
https://mercadoshops.com.br	0%	URL Reputation	safe
https://zdrowietvn.pl	0%	URL Reputation	safe
https://johndeere.com	0%	URL Reputation	safe
https://songstats.com	0%	URL Reputation	safe
https://baomoi.com	0%	URL Reputation	safe
https://supereva.it	0%	URL Reputation	safe
https://elfinancierocr.com	0%	URL Reputation	safe
https://bolasport.com	0%	URL Reputation	safe
https://rws1nvtvt.com	0%	URL Reputation	safe
https://desimartini.com	0%	URL Reputation	safe
https://hearty.app	0%	URL Reputation	safe
https://hearty.gift	0%	URL Reputation	safe
https://mercadoshops.com	0%	URL Reputation	safe
https://heartymail.com	0%	URL Reputation	safe
https://p106.net	0%	URL Reputation	safe
https://radio2.be	0%	URL Reputation	safe
https://finn.no	0%	URL Reputation	safe
https://hc1.com	0%	URL Reputation	safe
https://kompas.tv	0%	URL Reputation	safe
https://mystudentdashboard.com	0%	URL Reputation	safe
https://songshare.com	0%	URL Reputation	safe
https://smaker.pl	0%	URL Reputation	safe
https://mercadopago.com.mx	0%	URL Reputation	safe
https://p24.hu	0%	URL Reputation	safe
https://talkdeskqaid.com	0%	URL Reputation	safe
https://mercadopago.com.pe	0%	URL Reputation	safe
https://cardsayings.net	0%	URL Reputation	safe
https://apis.google.com/js/api.js	0%	URL Reputation	safe
https://mightytext.net	0%	URL Reputation	safe
https://pudelek.pl	0%	URL Reputation	safe
https://hazipatika.com	0%	URL Reputation	safe
https://joyreactor.com	0%	URL Reputation	safe
https://cookreactor.com	0%	URL Reputation	safe
https://wildixin.com	0%	URL Reputation	safe
https://eworkbookcloud.com	0%	URL Reputation	safe
https://cognitiveai.ru	0%	URL Reputation	safe
https://nacion.com	0%	URL Reputation	safe
https://chennien.com	0%	URL Reputation	safe
https://drimer.travel	0%	URL Reputation	safe
https://deccoria.pl	0%	URL Reputation	safe
https://mercadopago.cl	0%	URL Reputation	safe
https://talkdeskstgid.com	0%	URL Reputation	safe
https://bonvivir.com	0%	URL Reputation	safe
https://carcostadvisor.be	0%	URL Reputation	safe
https://salemovetravel.com	0%	URL Reputation	safe
https://sapo.io	0%	URL Reputation	safe
https://wpext.pl	0%	URL Reputation	safe
https://welt.de	0%	URL Reputation	safe
https://poalim.site	0%	URL Reputation	safe
https://drimer.io	0%	URL Reputation	safe
https://infoedgeindia.com	0%	URL Reputation	safe
https://blackrockadvisorelite.it	0%	URL Reputation	safe
https://cognitive-ai.ru	0%	URL Reputation	safe
https://cafemedia.com	0%	URL Reputation	safe
https://graziadaily.co.uk	0%	URL Reputation	safe
https://thirdspace.org.au	0%	URL Reputation	safe
https://mercadoshops.com.ar	0%	URL Reputation	safe
https://smpn106jkt.sch.id	0%	URL Reputation	safe
https://elpais.uy	0%	URL Reputation	safe
https://landyrev.com	0%	URL Reputation	safe
https://the42.ie	0%	URL Reputation	safe
https://commentcamarche.com	0%	URL Reputation	safe
https://tucarro.com.ve	0%	URL Reputation	safe
https://rws3nvtvt.com	0%	URL Reputation	safe
https://eleconomista.net	0%	URL Reputation	safe
https://mercadolivre.com.br	0%	URL Reputation	safe
https://clmbtech.com	0%	URL Reputation	safe
https://standardsandpraiserepurpose.com	0%	URL Reputation	safe
https://salemovefinancial.com	0%	URL Reputation	safe
https://mercadopago.com.br	0%	URL Reputation	safe
https://commentcamarche.net	0%	URL Reputation	safe
https://etfacademy.it	0%	URL Reputation	safe
https://mighty-app.appspot.com	0%	URL Reputation	safe
https://hj.rs	0%	URL Reputation	safe
https://hearty.me	0%	URL Reputation	safe
https://mercadolibre.com.gt	0%	URL Reputation	safe
https://timesinternet.in	0%	URL Reputation	safe
https://indiatodayne.in	0%	URL Reputation	safe
https://idbs-staging.com	0%	URL Reputation	safe
https://blackrock.com	0%	URL Reputation	safe
https://idbs-eworkbook.com	0%	URL Reputation	safe
https://motherandbaby.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
youtube-ui.l.google.com	172.217.18.14	true	false	unknown
www.google.com	142.250.185.68	true	false	unknown
youtube.com	142.250.74.206	true	false	unknown
www.youtube.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://www.google.com/favicon.ico	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://wieistmeineip.de	sets.json.1.dr	false	URL Reputation: safe	unknown
https://mercadoshops.com.co	sets.json.1.dr	false	URL Reputation: safe	unknown
https://gliadomain.com	sets.json.1.dr	false	URL Reputation: safe	unknown
https://poalim.xyz	sets.json.1.dr	false	URL Reputation: safe	unknown
https://mercadolivre.com	sets.json.1.dr	false	URL Reputation: safe	unknown
https://reshim.org	sets.json.1.dr	false	URL Reputation: safe	unknown
https://nourishingpursuits.com	sets.json.1.dr	false	URL Reputation: safe	unknown
https://medonet.pl	sets.json.1.dr	false	URL Reputation: safe	unknown
https://unotv.com	sets.json.1.dr	false	URL Reputation: safe	unknown
https://mercadoshops.com.br	sets.json.1.dr	false	URL Reputation: safe	unknown
https://joyreactor.cc	sets.json.1.dr	false		unknown
https://zdrowietvn.pl	sets.json.1.dr	false	URL Reputation: safe	unknown
https://johndeere.com	sets.json.1.dr	false	URL Reputation: safe	unknown
https://songstats.com	sets.json.1.dr	false	URL Reputation: safe	unknown
https://baomoi.com	sets.json.1.dr	false	URL Reputation: safe	unknown
https://supereva.it	sets.json.1.dr	false	URL Reputation: safe	unknown
https://elfinancierocr.com	sets.json.1.dr	false	URL Reputation: safe	unknown
https://bolasport.com	sets.json.1.dr	false	URL Reputation: safe	unknown
https://rws1nvtvt.com	sets.json.1.dr	false	URL Reputation: safe	unknown
https://desimartini.com	sets.json.1.dr	false	URL Reputation: safe	unknown
https://hearty.app	sets.json.1.dr	false	URL Reputation: safe	unknown
https://hearty.gift	sets.json.1.dr	false	URL Reputation: safe	unknown
https://mercadoshops.com	sets.json.1.dr	false	URL Reputation: safe	unknown
https://heartymail.com	sets.json.1.dr	false	URL Reputation: safe	unknown
https://nlc.hu	sets.json.1.dr	false		unknown
https://p106.net	sets.json.1.dr	false	URL Reputation: safe	unknown
https://radio2.be	sets.json.1.dr	false	URL Reputation: safe	unknown
https://finn.no	sets.json.1.dr	false	URL Reputation: safe	unknown
https://hc1.com	sets.json.1.dr	false	URL Reputation: safe	unknown
https://kompas.tv	sets.json.1.dr	false	URL Reputation: safe	unknown
https://mystudentdashboard.com	sets.json.1.dr	false	URL Reputation: safe	unknown
https://songshare.com	sets.json.1.dr	false	URL Reputation: safe	unknown
https://smaker.pl	sets.json.1.dr	false	URL Reputation: safe	unknown
https://mercadopago.com.mx	sets.json.1.dr	false	URL Reputation: safe	unknown
https://p24.hu	sets.json.1.dr	false	URL Reputation: safe	unknown
https://talkdeskqaid.com	sets.json.1.dr	false	URL Reputation: safe	unknown
https://24.hu	sets.json.1.dr	false		unknown
https://mercadopago.com.pe	sets.json.1.dr	false	URL Reputation: safe	unknown
https://cardsayings.net	sets.json.1.dr	false	URL Reputation: safe	unknown
https://text.com	sets.json.1.dr	false		unknown
https://apis.google.com/js/api.js	chromecache_88.4.dr	false	URL Reputation: safe	unknown
https://mightytext.net	sets.json.1.dr	false	URL Reputation: safe	unknown
https://pudelek.pl	sets.json.1.dr	false	URL Reputation: safe	unknown
https://hazipatika.com	sets.json.1.dr	false	URL Reputation: safe	unknown
https://joyreactor.com	sets.json.1.dr	false	URL Reputation: safe	unknown
https://cookreactor.com	sets.json.1.dr	false	URL Reputation: safe	unknown
https://wildixin.com	sets.json.1.dr	false	URL Reputation: safe	unknown
https://eworkbookcloud.com	sets.json.1.dr	false	URL Reputation: safe	unknown
https://cognitiveai.ru	sets.json.1.dr	false	URL Reputation: safe	unknown
https://nacion.com	sets.json.1.dr	false	URL Reputation: safe	unknown
https://chennien.com	sets.json.1.dr	false	URL Reputation: safe	unknown
https://drimer.travel	sets.json.1.dr	false	URL Reputation: safe	unknown
https://deccoria.pl	sets.json.1.dr	false	URL Reputation: safe	unknown
https://mercadopago.cl	sets.json.1.dr	false	URL Reputation: safe	unknown
https://talkdeskstgid.com	sets.json.1.dr	false	URL Reputation: safe	unknown
https://naukri.com	sets.json.1.dr	false		unknown
https://interia.pl	sets.json.1.dr	false		unknown
https://bonvivir.com	sets.json.1.dr	false	URL Reputation: safe	unknown
https://carcostadvisor.be	sets.json.1.dr	false	URL Reputation: safe	unknown
https://salemovetravel.com	sets.json.1.dr	false	URL Reputation: safe	unknown
https://sapo.io	sets.json.1.dr	false	URL Reputation: safe	unknown
https://wpext.pl	sets.json.1.dr	false	URL Reputation: safe	unknown
https://welt.de	sets.json.1.dr	false	URL Reputation: safe	unknown
https://poalim.site	sets.json.1.dr	false	URL Reputation: safe	unknown
https://drimer.io	sets.json.1.dr	false	URL Reputation: safe	unknown
https://infoedgeindia.com	sets.json.1.dr	false	URL Reputation: safe	unknown
https://blackrockadvisorelite.it	sets.json.1.dr	false	URL Reputation: safe	unknown
https://cognitive-ai.ru	sets.json.1.dr	false	URL Reputation: safe	unknown
https://cafemedia.com	sets.json.1.dr	false	URL Reputation: safe	unknown
https://graziadaily.co.uk	sets.json.1.dr	false	URL Reputation: safe	unknown
https://thirdspace.org.au	sets.json.1.dr	false	URL Reputation: safe	unknown
https://mercadoshops.com.ar	sets.json.1.dr	false	URL Reputation: safe	unknown
https://smpn106jkt.sch.id	sets.json.1.dr	false	URL Reputation: safe	unknown
https://elpais.uy	sets.json.1.dr	false	URL Reputation: safe	unknown
https://landyrev.com	sets.json.1.dr	false	URL Reputation: safe	unknown
https://the42.ie	sets.json.1.dr	false	URL Reputation: safe	unknown
https://commentcamarche.com	sets.json.1.dr	false	URL Reputation: safe	unknown
https://tucarro.com.ve	sets.json.1.dr	false	URL Reputation: safe	unknown
https://rws3nvtvt.com	sets.json.1.dr	false	URL Reputation: safe	unknown
https://eleconomista.net	sets.json.1.dr	false	URL Reputation: safe	unknown
https://helpdesk.com	sets.json.1.dr	false		unknown
https://mercadolivre.com.br	sets.json.1.dr	false	URL Reputation: safe	unknown
https://clmbtech.com	sets.json.1.dr	false	URL Reputation: safe	unknown
https://standardsandpraiserepurpose.com	sets.json.1.dr	false	URL Reputation: safe	unknown
https://07c225f3.online	sets.json.1.dr	false		unknown
https://salemovefinancial.com	sets.json.1.dr	false	URL Reputation: safe	unknown
https://mercadopago.com.br	sets.json.1.dr	false	URL Reputation: safe	unknown
https://commentcamarche.net	sets.json.1.dr	false	URL Reputation: safe	unknown
https://etfacademy.it	sets.json.1.dr	false	URL Reputation: safe	unknown
https://mighty-app.appspot.com	sets.json.1.dr	false	URL Reputation: safe	unknown
https://hj.rs	sets.json.1.dr	false	URL Reputation: safe	unknown
https://hearty.me	sets.json.1.dr	false	URL Reputation: safe	unknown
https://mercadolibre.com.gt	sets.json.1.dr	false	URL Reputation: safe	unknown
https://timesinternet.in	sets.json.1.dr	false	URL Reputation: safe	unknown
https://indiatodayne.in	sets.json.1.dr	false	URL Reputation: safe	unknown
https://idbs-staging.com	sets.json.1.dr	false	URL Reputation: safe	unknown
https://blackrock.com	sets.json.1.dr	false	URL Reputation: safe	unknown
https://idbs-eworkbook.com	sets.json.1.dr	false	URL Reputation: safe	unknown
https://motherandbaby.com	sets.json.1.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.185.68	www.google.com	United States	15169	GOOGLEUS	false
142.250.74.206	youtube.com	United States	15169	GOOGLEUS	false
172.217.18.14	youtube-ui.l.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false

Private

IP
192.168.2.5

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1523651
Start date and time:	2024-10-01 22:15:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal64.troj.evad.winEXE@27/19@6/5
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 33 Number of non-executed functions: 315
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 172.217.16.142, 74.125.71.84, 142.250.184.195, 34.104.35.123, 142.250.185.106, 142.250.185.138, 142.250.185.234, 172.217.16.202, 142.250.184.202, 142.250.186.74, 142.250.186.138, 142.250.184.234, 142.250.181.234, 172.217.18.106, 142.250.185.74, 142.250.185.170, 216.58.206.74, 216.58.206.42, 142.250.74.202, 142.250.185.202, 142.250.185.163, 172.217.18.3, 172.217.18.10, 216.58.212.170, 142.250.186.42, 142.250.186.170, 172.217.23.106, 142.250.186.106, 199.232.210.172, 192.229.221.95, 142.250.186.35, 216.58.206.46
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, slscr.update.microsoft.com, fonts.gstatic.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, update.googleapis.com, clients.l.google.com, www.gstatic.com, optimizationguide-pa.googleapis.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
VT rate limit hit for: file.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	file.exe	Get hash	malicious	Credential Flusher	Browse
	https://trello.com/c/2T5XVROV	Get hash	malicious	HTMLPhisher	Browse
	https://email.mg.pmctraining.com/c/eJwUzDGOhSAQANDTSCfBAQQL2n-PgRmUDaAh_E329hvbVzwKpJF3Ehw2B84ro50WV0j68CYB2SNnQrVvLloHPjtLjAq9KAFAJ7thXDVQWlEdcfVg82oOBTo6s9ucFqPaKZ-W5sDSSz9lupuogbhPrBkT10n4ooxjgU8jXuDzfeqNJJ_rESP8fLGXiXJw6ddd6S3_GnaczPIep_gN8B8AAP__bcA-Lw	Get hash	malicious	HTMLPhisher	Browse
	https://42yr.rescindq.com/wqtyZAFZzF3hXgsogboKg/	Get hash	malicious	Tycoon2FA	Browse
	https://app.glorify.com/file/1193241?format=90	Get hash	malicious	HTMLPhisher	Browse
	https://trailer.web-view.net/Links/0X4BB1001D1630A0ED10642DF3B714350282BAE90647BD2B7BFD4C194AC960461AE6B703AF3C14FF76E051ECAB18E836AA033F35E314DF7571046ED1B003034C97CF9966854362669D.htm	Get hash	malicious	Unknown	Browse
	Seeking Assistance for Legal Assistance in a Medical Matter.msg	Get hash	malicious	Unknown	Browse
	https://okefeokok.live/	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	https://sharing.clickup.com/9011385758/t/h/868a15nvk/VTTN7SYFPHZE3IT	Get hash	malicious	HTMLPhisher	Browse

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	file.exe	Get hash	malicious	Credential Flusher	Browse	13.85.23.86 184.28.90.27
	https://trello.com/c/2T5XVROV	Get hash	malicious	HTMLPhisher	Browse	13.85.23.86 184.28.90.27
	https://email.mg.pmctraining.com/c/eJwUzDGOhSAQANDTSCfBAQQL2n-PgRmUDaAh_E329hvbVzwKpJF3Ehw2B84ro50WV0j68CYB2SNnQrVvLloHPjtLjAq9KAFAJ7thXDVQWlEdcfVg82oOBTo6s9ucFqPaKZ-W5sDSSz9lupuogbhPrBkT10n4ooxjgU8jXuDzfeqNJJ_rESP8fLGXiXJw6ddd6S3_GnaczPIep_gN8B8AAP__bcA-Lw	Get hash	malicious	HTMLPhisher	Browse	13.85.23.86 184.28.90.27
	https://42yr.rescindq.com/wqtyZAFZzF3hXgsogboKg/	Get hash	malicious	Tycoon2FA	Browse	13.85.23.86 184.28.90.27
	https://trailer.web-view.net/Links/0X4BB1001D1630A0ED10642DF3B714350282BAE90647BD2B7BFD4C194AC960461AE6B703AF3C14FF76E051ECAB18E836AA033F35E314DF7571046ED1B003034C97CF9966854362669D.htm	Get hash	malicious	Unknown	Browse	13.85.23.86 184.28.90.27
	file.exe	Get hash	malicious	Credential Flusher	Browse	13.85.23.86 184.28.90.27
	PO#150623.html	Get hash	malicious	Unknown	Browse	13.85.23.86 184.28.90.27
	https://finalstepgetshere.com/uploads/beta111.zip	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	13.85.23.86 184.28.90.27
	Translink_rishi.vasandani_Advice81108.pdf	Get hash	malicious	Unknown	Browse	13.85.23.86 184.28.90.27
	file.exe	Get hash	malicious	Credential Flusher	Browse	13.85.23.86 184.28.90.27

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Oct 1 19:15:57 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.979259785156144
Encrypted:	false
SSDEEP:	48:8LddTFVJH5idAKZdA19ehwiZUklqehiy+3:8//dpy
MD5:	B3399E57AF32832765E2649DADC79A5D
SHA1:	C266C2C26FC6D1C64C01FBF0D2E6A212F53ED4D5
SHA-256:	FFC11D55901265A7A5956FAE23B39DB98A953B67EBCAE6B027846AC77C53C3C6
SHA-512:	3650826F7C81F7BD31ABF99E5BA1D37ACF34CA614459005A4F8C0FDF6B5D66D0E42510B1F4A46CE3E0AB89726339F5BB75B5F04067297F6D03E13A8A1CA0CCA4
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....s...>...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IAY......B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VAY......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VAY......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VAY............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VAY.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............A.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Oct 1 19:15:56 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.994385968352291
Encrypted:	false
SSDEEP:	48:8WddTFVJH5idAKZdA1weh/iZUkAQkqehZy+2:88/X9Qsy
MD5:	FF63429BF44E079B4DF1FDB6C23512E6
SHA1:	5A73C05CBD89E76E17980151842370D3161F73AC
SHA-256:	3358D080FEDFCE2438CF82BF162FB930B5D3179E98D8D86EA3ABFEDC220363EC
SHA-512:	A6BF4CB6527CFEC5C9D913010CAEDA0284AC87B40797CD581076BEF2DCC3DE857DDA0737A2ED410AC1792C937ED9A184D58AD98972BFFF7CFA9EEA7386C10FD5
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....!h.>...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IAY......B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VAY......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VAY......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VAY............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VAY.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............A.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 4 12:54:07 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2693
Entropy (8bit):	4.005920240614673
Encrypted:	false
SSDEEP:	48:8xuddTFVsH5idAKZdA14tseh7sFiZUkmgqeh7sLy+BX:8xE/Indy
MD5:	254DABD2FAE76395C2524C50BD1B147D
SHA1:	50D233E8F94FE5CD7675815088625C893474EE76
SHA-256:	F31734F1339585623A8A72848446D8D06E278993668DD1A734196C55DFC37012
SHA-512:	B4805B78B19E1F256DAA2711C82D79494EBA0EC44A24B47175D4462B892FB6D67B99CDA8B4F73B6EA640DC864EAEDD24D44997DD17D934140DFBB133CD5C3C2E
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......e>....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IAY......B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VAY......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VAY......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VAY............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VDW.n...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............A.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Oct 1 19:15:56 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.9931765566084634
Encrypted:	false
SSDEEP:	48:83ddTFVJH5idAKZdA1vehDiZUkwqehFy+R:8r/UTy
MD5:	89B4994CDAD2734A6482587D17A038FA
SHA1:	E4CC680F6F62DB83A1FBF9D058FB1F6F9A9C0024
SHA-256:	46C58606D659F7740F654949FF46509217FFE653527B8ECEF866D60E90F27E56
SHA-512:	B58B5A0F4DB0C1349AE02EAB83AE4617C30F534AECFDA2692479B508810FAE6ADBAFBE86602358E4234CA7B40355D96633C13751405CC40C8F682D51BF8E3578
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......Y.>...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IAY......B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VAY......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VAY......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VAY............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VAY.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............A.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Oct 1 19:15:56 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.982259514636434
Encrypted:	false
SSDEEP:	48:8bddTFVJH5idAKZdA1hehBiZUk1W1qehPy+C:8P/09vy
MD5:	79C5E0018CCC4E6421DEB1521A75FFF6
SHA1:	560BC14C80B0EB524C4931E16E4599EB299B98AA
SHA-256:	2CA45052481603D59B7DF709D78DCA60ED9935787E8406DF5FEE044136AE4226
SHA-512:	9771BAFE96E59D80F73A30038B364B73E28E370C99A43535B2AD6413F183DB7934DDDA947AED0FA5E4051CA16F7F25BC1B2E68EF193B57674260EE2A1B474792
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......t.>...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IAY......B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VAY......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VAY......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VAY............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VAY.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............A.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Oct 1 19:15:56 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2683
Entropy (8bit):	3.988774957439258
Encrypted:	false
SSDEEP:	48:8HhddTFVJH5idAKZdA1duT+ehOuTbbiZUk5OjqehOuTbdy+yT+:8Hx/aT/TbxWOvTbdy7T
MD5:	FB6E6CA0C800FDD8153C501F17BB9AE6
SHA1:	7C43AC7C8E7F201E89FFF5C7BC9838B87EC28DA8
SHA-256:	B509872467592C8DD6DC86F2837D943D2647C929259E83ADC01972469C8C779D
SHA-512:	472F5EA58CBEFD8815EE9A6025A84C70301A0CEF58D243F80DAA09F6EE7E165D2D4BDDAD673DC2A446526B95A05D45E89C39EC77E4DF25F8FEBDDAFAEF9B3751
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....oJP.>...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IAY......B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VAY......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VAY......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VAY............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VAY.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............A.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3408_938942196\LICENSE

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1558
Entropy (8bit):	5.11458514637545
Encrypted:	false
SSDEEP:	48:OBOCrYJ4rYJVwUCLHDy43HV713XEyMmZ3teTHn:LCrYJ4rYJVwUCHZ3Z13XtdUTH
MD5:	EE002CB9E51BB8DFA89640A406A1090A
SHA1:	49EE3AD535947D8821FFDEB67FFC9BC37D1EBBB2
SHA-256:	3DBD2C90050B652D63656481C3E5871C52261575292DB77D4EA63419F187A55B
SHA-512:	D1FDCC436B8CA8C68D4DC7077F84F803A535BF2CE31D9EB5D0C466B62D6567B2C59974995060403ED757E92245DB07E70C6BDDBF1C3519FED300CC5B9BF9177C
Malicious:	false
Reputation:	high, very likely benign file
Preview:	// Copyright 2015 The Chromium Authors. All rights reserved..//.// Redistribution and use in source and binary forms, with or without.// modification, are permitted provided that the following conditions are.// met:.//.// * Redistributions of source code must retain the above copyright.// notice, this list of conditions and the following disclaimer..// * Redistributions in binary form must reproduce the above.// copyright notice, this list of conditions and the following disclaimer.// in the documentation and/or other materials provided with the.// distribution..// * Neither the name of Google Inc. nor the names of its.// contributors may be used to endorse or promote products derived from.// this software without specific prior written permission..//.// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS.// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT.// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR.// A PARTICULAR

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3408_938942196\_metadata\verified_contents.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1864
Entropy (8bit):	6.021127689065198
Encrypted:	false
SSDEEP:	48:p/hUI1atAdI567akUmYWEFw/3+ovGJ4F3jkZUbvzk98g5m7:RnYQI47avYUwvVGJ41jkZIzxgA7
MD5:	68E6B5733E04AB7BF19699A84D8ABBC2
SHA1:	1C11F06CA1AD3ED8116D356AB9164FD1D52B5CF0
SHA-256:	F095F969D6711F53F97747371C83D5D634EAEF21C54CB1A6A1CC5B816D633709
SHA-512:	9DC5D824A55C969820D5D1FBB0CA7773361F044AE0C255E7C48D994E16CE169FCEAC3DE180A3A544EBEF32337EA535683115584D592370E5FE7D85C68B86C891
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	[{"description":"treehash per file","signed_content":{"payload":"eyJjb250ZW50X2hhc2hlcyI6W3siYmxvY2tfc2l6ZSI6NDA5NiwiZGlnZXN0Ijoic2hhMjU2IiwiZmlsZXMiOlt7InBhdGgiOiJMSUNFTlNFIiwicm9vdF9oYXNoIjoiUGIwc2tBVUxaUzFqWldTQnctV0hIRkltRlhVcExiZDlUcVkwR2ZHSHBWcyJ9LHsicGF0aCI6Im1hbmlmZXN0Lmpzb24iLCJyb290X2hhc2giOiIyNXB3SWdtQWU2QTVoeDVVTG9OV0laODBLbzJjbktOTHpacUdjbjlLT2c4In0seyJwYXRoIjoic2V0cy5qc29uIiwicm9vdF9oYXNoIjoiOWVza0FuRlBsM3VCQzkwUmFWakxNaVI3NXZIQi0wQUVmMmg0RzU3ZXNpcyJ9XSwiZm9ybWF0IjoidHJlZWhhc2giLCJoYXNoX2Jsb2NrX3NpemUiOjQwOTZ9XSwiaXRlbV9pZCI6ImdvbnBlbWRna2pjZWNkZ2JuYWFiaXBwcGJtZ2ZnZ2JlIiwiaXRlbV92ZXJzaW9uIjoiMjAyNC44LjEwLjAiLCJwcm90b2NvbF92ZXJzaW9uIjoxfQ","signatures":[{"header":{"kid":"publisher"},"protected":"eyJhbGciOiJSUzI1NiJ9","signature":"dU2MmRUQSugaJAJvEN4uaQHx-KXdOkjj0yK8_aH4Afr3kN7DPOZRt6yLTS3UchBE5M-dgPPPBuKADj4KEK4B22SO6WQquL5J27AUPqQBGgr44-iFGVJdOLLlfirFlJmcYv6DUFRYiPsQFGMr1JFqInj19jgkOxzR6qqcNuTCB0wGEMeTU80r-igCjeQG6TIzPro7yKd_-UxsxO6OGAySmlIJIoU54X0p0ATNoZyAfkhb8kb0oN8unOU

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3408_938942196\manifest.fingerprint

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	66
Entropy (8bit):	3.9159446964030753
Encrypted:	false
SSDEEP:	3:Sq5TQRaELVHecsUDBAeHD5k:Sq5gJ+csHej5k
MD5:	CFB54589424206D0AE6437B5673F498D
SHA1:	D1EF6314F0F68EFDD0BA8F6CA9E59BFF863B1609
SHA-256:	285AC183C35350B4B77332172413902F83726CA8F53D63859B5DA082FD425A1C
SHA-512:	70FDCA4A1E6B7A5FFED3414E2DB74FECA7E0FD17482B8CB30393DFEE20AB9AD2B0B00FF0C590DD0E8D744D0EAD876CE8844519AF66618ED14666BCA56DF2DA21
Malicious:	false
Preview:	1.dbf288588465463a914bdfc5e86d465fb3592b2f1261dc0e40fcc5c1adc8e7e4

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3408_938942196\manifest.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	85
Entropy (8bit):	4.4533115571544695
Encrypted:	false
SSDEEP:	3:rR6TAulhFphifFCmMARWHJqS1tean:F6VlM8aRWpqS1ln
MD5:	C3419069A1C30140B77045ABA38F12CF
SHA1:	11920F0C1E55CADC7D2893D1EEBB268B3459762A
SHA-256:	DB9A702209807BA039871E542E8356219F342A8D9C9CA34BCD9A86727F4A3A0F
SHA-512:	C5E95A4E9F5919CB14F4127539C4353A55C5F68062BF6F95E1843B6690CEBED3C93170BADB2412B7FB9F109A620385B0AE74783227D6813F26FF8C29074758A1
Malicious:	false
Preview:	{. "manifest_version": 2,. "name": "First Party Sets",. "version": "2024.8.10.0".}

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3408_938942196\sets.json

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	9748
Entropy (8bit):	4.629326694042306
Encrypted:	false
SSDEEP:	96:Mon4mvC4qX19s1blbw/BNKLcxbdmf56MFJtRTGXvcxN43uP+8qJq:v5C4ql7BkIVmtRTGXvcxBsq
MD5:	EEA4913A6625BEB838B3E4E79999B627
SHA1:	1B4966850F1B117041407413B70BFA925FD83703
SHA-256:	20EF4DE871ECE3C5F14867C4AE8465999C7A2CC1633525E752320E61F78A373C
SHA-512:	31B1429A5FACD6787F6BB45216A4AB1C724C79438C18EBFA8C19CED83149C17783FD492A03197110A75AAF38486A9F58828CA30B58D41E0FE89DFE8BDFC8A004
Malicious:	false
Preview:	{"primary":"https://bild.de","associatedSites":["https://welt.de","https://autobild.de","https://computerbild.de","https://wieistmeineip.de"],"serviceSites":["https://www.asadcdn.com"]}.{"primary":"https://blackrock.com","associatedSites":["https://blackrockadvisorelite.it","https://cachematrix.com","https://efront.com","https://etfacademy.it","https://ishares.com"]}.{"primary":"https://cafemedia.com","associatedSites":["https://cardsayings.net","https://nourishingpursuits.com"]}.{"primary":"https://caracoltv.com","associatedSites":["https://noticiascaracol.com","https://bluradio.com","https://shock.co","https://bumbox.com","https://hjck.com"]}.{"primary":"https://carcostadvisor.com","ccTLDs":{"https://carcostadvisor.com":["https://carcostadvisor.be","https://carcostadvisor.fr"]}}.{"primary":"https://citybibleforum.org","associatedSites":["https://thirdspace.org.au"]}.{"primary":"https://cognitiveai.ru","associatedSites":["https://cognitive-ai.ru"]}.{"primary":"https://drimer.io","asso

Chrome Cache Entry: 85

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	downloaded
Size (bytes):	5430
Entropy (8bit):	3.6534652184263736
Encrypted:	false
SSDEEP:	48:wIJct3xIAxG/7nvWDtZcdYLtX7B6QXL3aqG8Q:wIJct+A47v+rcqlBPG9B
MD5:	F3418A443E7D841097C714D69EC4BCB8
SHA1:	49263695F6B0CDD72F45CF1B775E660FDC36C606
SHA-256:	6DA5620880159634213E197FAFCA1DDE0272153BE3E4590818533FAB8D040770
SHA-512:	82D017C4B7EC8E0C46E8B75DA0CA6A52FD8BCE7FCF4E556CBDF16B49FC81BE9953FE7E25A05F63ECD41C7272E8BB0A9FD9AEDF0AC06CB6032330B096B3702563
Malicious:	false
URL:	https://www.google.com/favicon.ico
Preview:	............ .h...&... .... .........(....... ..... ............................................0...................................................................................................................................v.].X.:.X.:.r.Y........................................q.X.S.4.S.4.S.4.S.4.S.4.S.4...X....................0........q.W.S.4.X.:.................J...A...g.........................K.H.V.8..........................F..B.....................,.......................................B..............................................B..B..B..B..B...u..........................................B..B..B..B..B...{.................5.......k...........................................................7R..8F.................................................2........Vb..5C..;I..................R^.....................0................Xc..5C..5C..5C..5C..5C..5C..lv..........................................]i..<J..:G..Zf....................................................

Chrome Cache Entry: 86

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Web Open Font Format (Version 2), TrueType, length 52280, version 1.0
Category:	downloaded
Size (bytes):	52280
Entropy (8bit):	7.995413196679271
Encrypted:	true
SSDEEP:	1536:1rvqtK8DZilXxwJ8mMwAZy7phqsFLdG3B4d:xytBZits8bw4wzbFxG3B4d
MD5:	F61F0D4D0F968D5BBA39A84C76277E1A
SHA1:	AA3693EA140ECA418B4B2A30F6A68F6F43B4BEB2
SHA-256:	57147F08949ABABE7DEEF611435AE418475A693E3823769A25C2A39B6EAD9CCC
SHA-512:	6C3BD90F709BCF9151C9ED9FFEA55C4F6883E7FDA2A4E26BF018C83FE1CFBE4F4AA0DB080D6D024070D53B2257472C399C8AC44EEFD38B9445640EFA85D5C487
Malicious:	false
URL:	https://fonts.gstatic.com/s/googlesans/v58/4UaRrENHsxJlGDuGo1OIlJfC6l_24rlCK1Yo_Iq2vgCI.woff2
Preview:	wOF2.......8.....................................^...$..4?HVAR..?MVAR9.`?STAT.',..J/.......`..(..Z.0..R.6.$.... .....K..[..q..c..T.....>.P.j.`.w..#...%......N.".....$..3.0.6......... .L.rX/r[j.y.\|(.4.%#.....2.v.m..-..%.....;-.Y.{..&..O=#l@...k..7g..ZI...#.Z./+T..r7...M..3).Z%.x....s..sL..[A!.51w'/.8V..2Z..%.X.h.o.).]..9..Q`.$.....7..kZ.~O........d..g.n.d.Rw+&....Cz..uy#..fz,(.J....v.%..`..9.....h...?O..:...c%.....6s....xl..#...5..._......1.>.)"U.4 W....?%......6//!$...!.n9C@n...........!""^.....W..Z<.7.x.."UT.T....E.."R>.R..t.....H d..e_.K../.+8.Q.P.ZQ....;...U....]......._.e......71.?.7.ORv.?...l...G\|.P...\|:...I.X..2.,.L........d.g.]}W#uW]QnuP-s.;.-Y.....].......C..j_.M0...y.......J..........NY..@A...,....-.F......'..w./j5g.vUS...U..0.&...y7.LP.....%.....Y......Y..D. e.A..G.?.$.......6...eaK.n5.m...N...,...+BCl..L> .E9~.b[.w.x....6<...}.e...%V....O.......*.?...a..#[eE.4..p..$...].....%......o._......N.._~..El....b..A.0.r8.....\|..D.d..

Chrome Cache Entry: 87

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	84
Entropy (8bit):	4.875266466142591
Encrypted:	false
SSDEEP:	3:DZFJu0+WVTBCq2Bjdw2KsJJuYHSKnZ:lFJuuVTBudw29nu4SKZ
MD5:	87B6333E98B7620EA1FF98D1A837A39E
SHA1:	105DE6815B0885357DE1414BFC0D77FCC9E924EF
SHA-256:	DCD3C133C5C40BECD4100BBE6EDAE84C9735E778E4234A5E8395C56FF8A733BA
SHA-512:	867D7943D813685FAA76394E53199750C55817E836FD19C933F74D11E9657CE66719A6D6B2E39EE1DE62358BCE364E38A55F4E138DF92337DE6985DDCD5D0994
Malicious:	false
URL:	https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTE3LjAuNTkzOC4xMzISHgmA6QC9dWevzxIFDRkBE_oSBQ3oIX6GEgUN05ioBw==?alt=proto
Preview:	Cj0KBw0ZARP6GgAKKQ3oIX6GGgQISxgCKhwIClIYCg5AIS4jJF8qLSY/Ky8lLBABGP////8PCgcN05ioBxoA

Chrome Cache Entry: 88

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (553)
Category:	downloaded
Size (bytes):	601536
Entropy (8bit):	5.789403300635565
Encrypted:	false
SSDEEP:	3072:x0pApkygA62bwwdnO2YflNYhFGOizdGj008PpVVM96C5bMEPQUhts6FV8eKqtVAX:xlgNmwwdnOsF98oNGuQRAYqXsI1M
MD5:	BD16AF9756FCA31CE5B4F3CEFCF2DB10
SHA1:	4402763A24AEDCEF8C1C9FD270AA66AAE5BDA71D
SHA-256:	6171044A188336B3F89996D4E9BC5EE9E878EE5384D0EFD2640362F7D99D73B9
SHA-512:	548F7E4A18322F8181FD537E5F5AD41C5A3EB9B885E8F921EBB07564467FAF69B977D321299D77749AB44B333CA60CFA01CF00E6BD58CC7801FED0A30D8C5556
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en._s1fC-CLCMs.es5.O/am=xIFgKBimEQjEE86BHlAUCBkAAAAAAAAAALQBAIBm/d=1/excm=_b,_tp,identifierview/ed=1/dg=0/wt=2/ujg=1/rs=AOaEmlGsNipZrCRRMFQh1-tVmHSsIDzQTA/m=_b,_tp"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._._F_toggles_initialize=function(a){(typeof globalThis!=="undefined"?globalThis:typeof self!=="undefined"?self:this)._F_toggles=a\|\|[]};(0,_._F_toggles_initialize)([0x286081c4, 0x20469860, 0x1ce13c40, 0x51407a0, 0x1908, 0x0, 0x1b400000, 0x19a00000, 0x0, ]);./.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0././.. Copyright Google LLC. SPDX-License-Identifier: Apache-2.0././.. Copyright 2024 Google, Inc. SPDX-License-Identifier: MIT././. SPDX-License-Identifier: Apache-2.0././. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0./.var baa,daa,Na,Ua,gaa,iaa,lb,qaa,xaa,Daa,Iaa,Laa,Mb,Maa,Rb,Vb,Wb,Naa,Oaa,Xb,Paa,Qaa,Raa,ac,Waa,Yaa,ic,jc,kc,cba,dba,hba,kba,mba,nba,rba,uba,oba,tba,sba,qba,pba,vba,zba,Dba,Eba,Bba,Kc,Lc,Hba,Jba,Nba,Oba,Pba,Qba,Mba,Rba,Tba,gd,Vba,Wba,Yba,$ba,Zba,bca,cca,dca,eca,gca,fca,ica,jca,kca,lca,oca,r

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.58109581690608
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	918'016 bytes
MD5:	e8f25456a80317e47af911934a95c228
SHA1:	7b1307f3c0eac0c0fe3d124e4054973950a7053b
SHA256:	338b3da95992f048d48258ef58d9772a76f7c6f736de160b5b667f7e758ae571
SHA512:	92eebc4d083469746124bead6953a55a4037e9f71f93d24e3dc111f5a462846a1060daa12bda6873fdce552901ddb03c23272d133e4061a7134ca5b0c847e246
SSDEEP:	12288:SqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgaTTz:SqDEvCTbMWu7rQYlBQcBiT6rprG8anz
TLSH:	97159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FC57F8 [Tue Oct 1 20:13:44 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FBB70ECFD13h
jmp 00007FBB70ECF61Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FBB70ECF7FDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FBB70ECF7CAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FBB70ED23BDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FBB70ED2408h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FBB70ED23F1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9750	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9750	0x9800	f95cce835425531579c4b1d497f18ade	False	0.2943564967105263	data	5.226068508120103	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xa18	data			1.0042569659442724
RT_GROUP_ICON	0xdd1d0	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd248	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd25c	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd270	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd284	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd360	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2024 22:15:52.235018969 CEST	49675	443	192.168.2.5	23.1.237.91
Oct 1, 2024 22:15:52.235032082 CEST	49674	443	192.168.2.5	23.1.237.91
Oct 1, 2024 22:15:52.328809023 CEST	49673	443	192.168.2.5	23.1.237.91
Oct 1, 2024 22:15:55.547864914 CEST	49707	443	192.168.2.5	142.250.74.206
Oct 1, 2024 22:15:55.547873974 CEST	443	49707	142.250.74.206	192.168.2.5
Oct 1, 2024 22:15:55.547920942 CEST	49707	443	192.168.2.5	142.250.74.206
Oct 1, 2024 22:15:55.549029112 CEST	49707	443	192.168.2.5	142.250.74.206
Oct 1, 2024 22:15:55.549042940 CEST	443	49707	142.250.74.206	192.168.2.5
Oct 1, 2024 22:15:56.256526947 CEST	443	49707	142.250.74.206	192.168.2.5
Oct 1, 2024 22:15:56.256778955 CEST	49707	443	192.168.2.5	142.250.74.206
Oct 1, 2024 22:15:56.256788015 CEST	443	49707	142.250.74.206	192.168.2.5
Oct 1, 2024 22:15:56.257178068 CEST	443	49707	142.250.74.206	192.168.2.5
Oct 1, 2024 22:15:56.257241011 CEST	49707	443	192.168.2.5	142.250.74.206
Oct 1, 2024 22:15:56.257906914 CEST	443	49707	142.250.74.206	192.168.2.5
Oct 1, 2024 22:15:56.257955074 CEST	49707	443	192.168.2.5	142.250.74.206
Oct 1, 2024 22:15:56.258759022 CEST	49707	443	192.168.2.5	142.250.74.206
Oct 1, 2024 22:15:56.258821011 CEST	443	49707	142.250.74.206	192.168.2.5
Oct 1, 2024 22:15:56.258995056 CEST	49707	443	192.168.2.5	142.250.74.206
Oct 1, 2024 22:15:56.259002924 CEST	443	49707	142.250.74.206	192.168.2.5
Oct 1, 2024 22:15:56.299470901 CEST	49707	443	192.168.2.5	142.250.74.206
Oct 1, 2024 22:15:56.560940981 CEST	443	49707	142.250.74.206	192.168.2.5
Oct 1, 2024 22:15:56.561006069 CEST	443	49707	142.250.74.206	192.168.2.5
Oct 1, 2024 22:15:56.561049938 CEST	49707	443	192.168.2.5	142.250.74.206
Oct 1, 2024 22:15:56.561956882 CEST	49707	443	192.168.2.5	142.250.74.206
Oct 1, 2024 22:15:56.561966896 CEST	443	49707	142.250.74.206	192.168.2.5
Oct 1, 2024 22:15:56.579462051 CEST	49710	443	192.168.2.5	172.217.18.14
Oct 1, 2024 22:15:56.579492092 CEST	443	49710	172.217.18.14	192.168.2.5
Oct 1, 2024 22:15:56.579544067 CEST	49710	443	192.168.2.5	172.217.18.14
Oct 1, 2024 22:15:56.579741001 CEST	49710	443	192.168.2.5	172.217.18.14
Oct 1, 2024 22:15:56.579758883 CEST	443	49710	172.217.18.14	192.168.2.5
Oct 1, 2024 22:15:57.273327112 CEST	443	49710	172.217.18.14	192.168.2.5
Oct 1, 2024 22:15:57.273621082 CEST	49710	443	192.168.2.5	172.217.18.14
Oct 1, 2024 22:15:57.273648977 CEST	443	49710	172.217.18.14	192.168.2.5
Oct 1, 2024 22:15:57.273988962 CEST	443	49710	172.217.18.14	192.168.2.5
Oct 1, 2024 22:15:57.274049997 CEST	49710	443	192.168.2.5	172.217.18.14
Oct 1, 2024 22:15:57.274597883 CEST	443	49710	172.217.18.14	192.168.2.5
Oct 1, 2024 22:15:57.274652958 CEST	49710	443	192.168.2.5	172.217.18.14
Oct 1, 2024 22:15:57.275516987 CEST	49710	443	192.168.2.5	172.217.18.14
Oct 1, 2024 22:15:57.275577068 CEST	443	49710	172.217.18.14	192.168.2.5
Oct 1, 2024 22:15:57.275676012 CEST	49710	443	192.168.2.5	172.217.18.14
Oct 1, 2024 22:15:57.275686026 CEST	443	49710	172.217.18.14	192.168.2.5
Oct 1, 2024 22:15:57.315099001 CEST	49710	443	192.168.2.5	172.217.18.14
Oct 1, 2024 22:15:57.596949100 CEST	443	49710	172.217.18.14	192.168.2.5
Oct 1, 2024 22:15:57.597021103 CEST	49710	443	192.168.2.5	172.217.18.14
Oct 1, 2024 22:15:57.597052097 CEST	443	49710	172.217.18.14	192.168.2.5
Oct 1, 2024 22:15:57.597758055 CEST	443	49710	172.217.18.14	192.168.2.5
Oct 1, 2024 22:15:57.598928928 CEST	49710	443	192.168.2.5	172.217.18.14
Oct 1, 2024 22:15:57.598942041 CEST	443	49710	172.217.18.14	192.168.2.5
Oct 1, 2024 22:15:57.598963976 CEST	49710	443	192.168.2.5	172.217.18.14
Oct 1, 2024 22:15:57.598994970 CEST	49710	443	192.168.2.5	172.217.18.14
Oct 1, 2024 22:15:59.912251949 CEST	49715	443	192.168.2.5	142.250.185.68
Oct 1, 2024 22:15:59.912287951 CEST	443	49715	142.250.185.68	192.168.2.5
Oct 1, 2024 22:15:59.912355900 CEST	49715	443	192.168.2.5	142.250.185.68
Oct 1, 2024 22:15:59.912575960 CEST	49715	443	192.168.2.5	142.250.185.68
Oct 1, 2024 22:15:59.912589073 CEST	443	49715	142.250.185.68	192.168.2.5
Oct 1, 2024 22:15:59.950236082 CEST	49716	443	192.168.2.5	184.28.90.27
Oct 1, 2024 22:15:59.950279951 CEST	443	49716	184.28.90.27	192.168.2.5
Oct 1, 2024 22:15:59.950364113 CEST	49716	443	192.168.2.5	184.28.90.27
Oct 1, 2024 22:15:59.951762915 CEST	49716	443	192.168.2.5	184.28.90.27
Oct 1, 2024 22:15:59.951777935 CEST	443	49716	184.28.90.27	192.168.2.5
Oct 1, 2024 22:16:00.581478119 CEST	443	49715	142.250.185.68	192.168.2.5
Oct 1, 2024 22:16:00.581690073 CEST	49715	443	192.168.2.5	142.250.185.68
Oct 1, 2024 22:16:00.581701994 CEST	443	49715	142.250.185.68	192.168.2.5
Oct 1, 2024 22:16:00.582547903 CEST	443	49715	142.250.185.68	192.168.2.5
Oct 1, 2024 22:16:00.582609892 CEST	49715	443	192.168.2.5	142.250.185.68
Oct 1, 2024 22:16:00.583559990 CEST	49715	443	192.168.2.5	142.250.185.68
Oct 1, 2024 22:16:00.583612919 CEST	443	49715	142.250.185.68	192.168.2.5
Oct 1, 2024 22:16:00.629384041 CEST	443	49716	184.28.90.27	192.168.2.5
Oct 1, 2024 22:16:00.629458904 CEST	49716	443	192.168.2.5	184.28.90.27
Oct 1, 2024 22:16:00.632391930 CEST	49716	443	192.168.2.5	184.28.90.27
Oct 1, 2024 22:16:00.632400990 CEST	443	49716	184.28.90.27	192.168.2.5
Oct 1, 2024 22:16:00.632611990 CEST	443	49716	184.28.90.27	192.168.2.5
Oct 1, 2024 22:16:00.637813091 CEST	49715	443	192.168.2.5	142.250.185.68
Oct 1, 2024 22:16:00.637820959 CEST	443	49715	142.250.185.68	192.168.2.5
Oct 1, 2024 22:16:00.669162989 CEST	49716	443	192.168.2.5	184.28.90.27
Oct 1, 2024 22:16:00.684695005 CEST	49715	443	192.168.2.5	142.250.185.68
Oct 1, 2024 22:16:00.711410046 CEST	443	49716	184.28.90.27	192.168.2.5
Oct 1, 2024 22:16:00.903698921 CEST	443	49716	184.28.90.27	192.168.2.5
Oct 1, 2024 22:16:00.903768063 CEST	443	49716	184.28.90.27	192.168.2.5
Oct 1, 2024 22:16:00.903827906 CEST	49716	443	192.168.2.5	184.28.90.27
Oct 1, 2024 22:16:01.074146032 CEST	49716	443	192.168.2.5	184.28.90.27
Oct 1, 2024 22:16:01.074168921 CEST	443	49716	184.28.90.27	192.168.2.5
Oct 1, 2024 22:16:01.074178934 CEST	49716	443	192.168.2.5	184.28.90.27
Oct 1, 2024 22:16:01.074183941 CEST	443	49716	184.28.90.27	192.168.2.5
Oct 1, 2024 22:16:01.121071100 CEST	49720	443	192.168.2.5	184.28.90.27
Oct 1, 2024 22:16:01.121121883 CEST	443	49720	184.28.90.27	192.168.2.5
Oct 1, 2024 22:16:01.121208906 CEST	49720	443	192.168.2.5	184.28.90.27
Oct 1, 2024 22:16:01.121706963 CEST	49720	443	192.168.2.5	184.28.90.27
Oct 1, 2024 22:16:01.121723890 CEST	443	49720	184.28.90.27	192.168.2.5
Oct 1, 2024 22:16:01.803775072 CEST	443	49720	184.28.90.27	192.168.2.5
Oct 1, 2024 22:16:01.803844929 CEST	49720	443	192.168.2.5	184.28.90.27
Oct 1, 2024 22:16:01.807737112 CEST	49720	443	192.168.2.5	184.28.90.27
Oct 1, 2024 22:16:01.807749987 CEST	443	49720	184.28.90.27	192.168.2.5
Oct 1, 2024 22:16:01.808017015 CEST	443	49720	184.28.90.27	192.168.2.5
Oct 1, 2024 22:16:01.810283899 CEST	49720	443	192.168.2.5	184.28.90.27
Oct 1, 2024 22:16:01.840991974 CEST	49674	443	192.168.2.5	23.1.237.91
Oct 1, 2024 22:16:01.841012001 CEST	49675	443	192.168.2.5	23.1.237.91
Oct 1, 2024 22:16:01.855411053 CEST	443	49720	184.28.90.27	192.168.2.5
Oct 1, 2024 22:16:01.934752941 CEST	49673	443	192.168.2.5	23.1.237.91
Oct 1, 2024 22:16:02.092847109 CEST	443	49720	184.28.90.27	192.168.2.5
Oct 1, 2024 22:16:02.092901945 CEST	443	49720	184.28.90.27	192.168.2.5
Oct 1, 2024 22:16:02.092947960 CEST	49720	443	192.168.2.5	184.28.90.27
Oct 1, 2024 22:16:02.094404936 CEST	49720	443	192.168.2.5	184.28.90.27
Oct 1, 2024 22:16:02.094424009 CEST	443	49720	184.28.90.27	192.168.2.5
Oct 1, 2024 22:16:02.094434977 CEST	49720	443	192.168.2.5	184.28.90.27
Oct 1, 2024 22:16:02.094441891 CEST	443	49720	184.28.90.27	192.168.2.5
Oct 1, 2024 22:16:03.286721945 CEST	49715	443	192.168.2.5	142.250.185.68
Oct 1, 2024 22:16:03.327404976 CEST	443	49715	142.250.185.68	192.168.2.5
Oct 1, 2024 22:16:03.556186914 CEST	443	49715	142.250.185.68	192.168.2.5
Oct 1, 2024 22:16:03.556291103 CEST	443	49715	142.250.185.68	192.168.2.5
Oct 1, 2024 22:16:03.556473970 CEST	443	49715	142.250.185.68	192.168.2.5
Oct 1, 2024 22:16:03.556509972 CEST	443	49715	142.250.185.68	192.168.2.5
Oct 1, 2024 22:16:03.556533098 CEST	49715	443	192.168.2.5	142.250.185.68
Oct 1, 2024 22:16:03.556539059 CEST	443	49715	142.250.185.68	192.168.2.5
Oct 1, 2024 22:16:03.556575060 CEST	49715	443	192.168.2.5	142.250.185.68
Oct 1, 2024 22:16:03.556710005 CEST	443	49715	142.250.185.68	192.168.2.5
Oct 1, 2024 22:16:03.556788921 CEST	49715	443	192.168.2.5	142.250.185.68
Oct 1, 2024 22:16:03.557109118 CEST	49715	443	192.168.2.5	142.250.185.68
Oct 1, 2024 22:16:03.557122946 CEST	443	49715	142.250.185.68	192.168.2.5
Oct 1, 2024 22:16:03.667555094 CEST	443	49703	23.1.237.91	192.168.2.5
Oct 1, 2024 22:16:03.667646885 CEST	49703	443	192.168.2.5	23.1.237.91
Oct 1, 2024 22:16:12.246481895 CEST	49728	443	192.168.2.5	13.85.23.86
Oct 1, 2024 22:16:12.246526957 CEST	443	49728	13.85.23.86	192.168.2.5
Oct 1, 2024 22:16:12.246591091 CEST	49728	443	192.168.2.5	13.85.23.86
Oct 1, 2024 22:16:12.247548103 CEST	49728	443	192.168.2.5	13.85.23.86
Oct 1, 2024 22:16:12.247564077 CEST	443	49728	13.85.23.86	192.168.2.5
Oct 1, 2024 22:16:12.943722010 CEST	443	49728	13.85.23.86	192.168.2.5
Oct 1, 2024 22:16:12.943805933 CEST	49728	443	192.168.2.5	13.85.23.86
Oct 1, 2024 22:16:12.945319891 CEST	49728	443	192.168.2.5	13.85.23.86
Oct 1, 2024 22:16:12.945336103 CEST	443	49728	13.85.23.86	192.168.2.5
Oct 1, 2024 22:16:12.945601940 CEST	443	49728	13.85.23.86	192.168.2.5
Oct 1, 2024 22:16:12.998306036 CEST	49728	443	192.168.2.5	13.85.23.86
Oct 1, 2024 22:16:14.242135048 CEST	49728	443	192.168.2.5	13.85.23.86
Oct 1, 2024 22:16:14.283438921 CEST	443	49728	13.85.23.86	192.168.2.5
Oct 1, 2024 22:16:14.663192987 CEST	443	49728	13.85.23.86	192.168.2.5
Oct 1, 2024 22:16:14.663214922 CEST	443	49728	13.85.23.86	192.168.2.5
Oct 1, 2024 22:16:14.663222075 CEST	443	49728	13.85.23.86	192.168.2.5
Oct 1, 2024 22:16:14.663233995 CEST	443	49728	13.85.23.86	192.168.2.5
Oct 1, 2024 22:16:14.663240910 CEST	443	49728	13.85.23.86	192.168.2.5
Oct 1, 2024 22:16:14.663244009 CEST	443	49728	13.85.23.86	192.168.2.5
Oct 1, 2024 22:16:14.663268089 CEST	49728	443	192.168.2.5	13.85.23.86
Oct 1, 2024 22:16:14.663285971 CEST	443	49728	13.85.23.86	192.168.2.5
Oct 1, 2024 22:16:14.663300991 CEST	49728	443	192.168.2.5	13.85.23.86
Oct 1, 2024 22:16:14.663326979 CEST	49728	443	192.168.2.5	13.85.23.86
Oct 1, 2024 22:16:14.663985014 CEST	443	49728	13.85.23.86	192.168.2.5
Oct 1, 2024 22:16:14.664050102 CEST	49728	443	192.168.2.5	13.85.23.86
Oct 1, 2024 22:16:14.664058924 CEST	443	49728	13.85.23.86	192.168.2.5
Oct 1, 2024 22:16:14.664139986 CEST	443	49728	13.85.23.86	192.168.2.5
Oct 1, 2024 22:16:14.665549994 CEST	49728	443	192.168.2.5	13.85.23.86
Oct 1, 2024 22:16:15.196285009 CEST	49728	443	192.168.2.5	13.85.23.86
Oct 1, 2024 22:16:15.196325064 CEST	443	49728	13.85.23.86	192.168.2.5
Oct 1, 2024 22:16:15.196396112 CEST	49728	443	192.168.2.5	13.85.23.86
Oct 1, 2024 22:16:15.196403027 CEST	443	49728	13.85.23.86	192.168.2.5
Oct 1, 2024 22:16:51.855278969 CEST	49734	443	192.168.2.5	13.85.23.86
Oct 1, 2024 22:16:51.855321884 CEST	443	49734	13.85.23.86	192.168.2.5
Oct 1, 2024 22:16:51.855420113 CEST	49734	443	192.168.2.5	13.85.23.86
Oct 1, 2024 22:16:51.855947018 CEST	49734	443	192.168.2.5	13.85.23.86
Oct 1, 2024 22:16:51.855963945 CEST	443	49734	13.85.23.86	192.168.2.5
Oct 1, 2024 22:16:52.597151995 CEST	443	49734	13.85.23.86	192.168.2.5
Oct 1, 2024 22:16:52.597266912 CEST	49734	443	192.168.2.5	13.85.23.86
Oct 1, 2024 22:16:52.601116896 CEST	49734	443	192.168.2.5	13.85.23.86
Oct 1, 2024 22:16:52.601152897 CEST	443	49734	13.85.23.86	192.168.2.5
Oct 1, 2024 22:16:52.601432085 CEST	443	49734	13.85.23.86	192.168.2.5
Oct 1, 2024 22:16:52.614531994 CEST	49734	443	192.168.2.5	13.85.23.86
Oct 1, 2024 22:16:52.655431032 CEST	443	49734	13.85.23.86	192.168.2.5
Oct 1, 2024 22:16:53.950408936 CEST	443	49734	13.85.23.86	192.168.2.5
Oct 1, 2024 22:16:53.950427055 CEST	443	49734	13.85.23.86	192.168.2.5
Oct 1, 2024 22:16:53.950442076 CEST	443	49734	13.85.23.86	192.168.2.5
Oct 1, 2024 22:16:53.950521946 CEST	49734	443	192.168.2.5	13.85.23.86
Oct 1, 2024 22:16:53.950521946 CEST	49734	443	192.168.2.5	13.85.23.86
Oct 1, 2024 22:16:53.950593948 CEST	443	49734	13.85.23.86	192.168.2.5
Oct 1, 2024 22:16:53.950623035 CEST	443	49734	13.85.23.86	192.168.2.5
Oct 1, 2024 22:16:53.950640917 CEST	443	49734	13.85.23.86	192.168.2.5
Oct 1, 2024 22:16:53.950670004 CEST	49734	443	192.168.2.5	13.85.23.86
Oct 1, 2024 22:16:53.950700998 CEST	49734	443	192.168.2.5	13.85.23.86
Oct 1, 2024 22:16:53.954569101 CEST	49734	443	192.168.2.5	13.85.23.86
Oct 1, 2024 22:16:53.954627037 CEST	443	49734	13.85.23.86	192.168.2.5
Oct 1, 2024 22:16:53.954659939 CEST	49734	443	192.168.2.5	13.85.23.86
Oct 1, 2024 22:16:53.954678059 CEST	443	49734	13.85.23.86	192.168.2.5
Oct 1, 2024 22:16:57.493834019 CEST	58890	53	192.168.2.5	1.1.1.1
Oct 1, 2024 22:16:57.500428915 CEST	53	58890	1.1.1.1	192.168.2.5
Oct 1, 2024 22:16:57.501312971 CEST	58890	53	192.168.2.5	1.1.1.1
Oct 1, 2024 22:16:57.501379967 CEST	58890	53	192.168.2.5	1.1.1.1
Oct 1, 2024 22:16:57.509282112 CEST	53	58890	1.1.1.1	192.168.2.5
Oct 1, 2024 22:16:57.967725039 CEST	53	58890	1.1.1.1	192.168.2.5
Oct 1, 2024 22:16:57.968729973 CEST	58890	53	192.168.2.5	1.1.1.1
Oct 1, 2024 22:16:57.976794958 CEST	53	58890	1.1.1.1	192.168.2.5
Oct 1, 2024 22:16:57.976922035 CEST	58890	53	192.168.2.5	1.1.1.1
Oct 1, 2024 22:16:59.967344046 CEST	58892	443	192.168.2.5	142.250.185.68
Oct 1, 2024 22:16:59.967396021 CEST	443	58892	142.250.185.68	192.168.2.5
Oct 1, 2024 22:16:59.967518091 CEST	58892	443	192.168.2.5	142.250.185.68
Oct 1, 2024 22:16:59.967812061 CEST	58892	443	192.168.2.5	142.250.185.68
Oct 1, 2024 22:16:59.967830896 CEST	443	58892	142.250.185.68	192.168.2.5
Oct 1, 2024 22:17:00.645210028 CEST	443	58892	142.250.185.68	192.168.2.5
Oct 1, 2024 22:17:00.645482063 CEST	58892	443	192.168.2.5	142.250.185.68
Oct 1, 2024 22:17:00.645509958 CEST	443	58892	142.250.185.68	192.168.2.5
Oct 1, 2024 22:17:00.645788908 CEST	443	58892	142.250.185.68	192.168.2.5
Oct 1, 2024 22:17:00.646218061 CEST	58892	443	192.168.2.5	142.250.185.68
Oct 1, 2024 22:17:00.646275997 CEST	443	58892	142.250.185.68	192.168.2.5
Oct 1, 2024 22:17:00.686744928 CEST	58892	443	192.168.2.5	142.250.185.68
Oct 1, 2024 22:17:10.554857016 CEST	443	58892	142.250.185.68	192.168.2.5
Oct 1, 2024 22:17:10.554913998 CEST	443	58892	142.250.185.68	192.168.2.5
Oct 1, 2024 22:17:10.555016041 CEST	58892	443	192.168.2.5	142.250.185.68
Oct 1, 2024 22:17:26.123100042 CEST	58892	443	192.168.2.5	142.250.185.68
Oct 1, 2024 22:17:26.123131990 CEST	443	58892	142.250.185.68	192.168.2.5
Oct 1, 2024 22:18:00.030404091 CEST	58895	443	192.168.2.5	142.250.185.68
Oct 1, 2024 22:18:00.030462980 CEST	443	58895	142.250.185.68	192.168.2.5
Oct 1, 2024 22:18:00.030540943 CEST	58895	443	192.168.2.5	142.250.185.68
Oct 1, 2024 22:18:00.030883074 CEST	58895	443	192.168.2.5	142.250.185.68
Oct 1, 2024 22:18:00.030903101 CEST	443	58895	142.250.185.68	192.168.2.5
Oct 1, 2024 22:18:00.830384970 CEST	443	58895	142.250.185.68	192.168.2.5
Oct 1, 2024 22:18:00.830682039 CEST	58895	443	192.168.2.5	142.250.185.68
Oct 1, 2024 22:18:00.830715895 CEST	443	58895	142.250.185.68	192.168.2.5
Oct 1, 2024 22:18:00.831053019 CEST	443	58895	142.250.185.68	192.168.2.5
Oct 1, 2024 22:18:00.831352949 CEST	58895	443	192.168.2.5	142.250.185.68
Oct 1, 2024 22:18:00.831433058 CEST	443	58895	142.250.185.68	192.168.2.5
Oct 1, 2024 22:18:00.872380018 CEST	58895	443	192.168.2.5	142.250.185.68

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2024 22:15:55.490915060 CEST	55829	53	192.168.2.5	1.1.1.1
Oct 1, 2024 22:15:55.492165089 CEST	64077	53	192.168.2.5	1.1.1.1
Oct 1, 2024 22:15:55.518207073 CEST	53	55829	1.1.1.1	192.168.2.5
Oct 1, 2024 22:15:55.525671959 CEST	53	64077	1.1.1.1	192.168.2.5
Oct 1, 2024 22:15:55.525712013 CEST	53	58409	1.1.1.1	192.168.2.5
Oct 1, 2024 22:15:55.529058933 CEST	53	63572	1.1.1.1	192.168.2.5
Oct 1, 2024 22:15:56.564187050 CEST	55372	53	192.168.2.5	1.1.1.1
Oct 1, 2024 22:15:56.564526081 CEST	49528	53	192.168.2.5	1.1.1.1
Oct 1, 2024 22:15:56.576622963 CEST	53	55372	1.1.1.1	192.168.2.5
Oct 1, 2024 22:15:56.578824043 CEST	53	49528	1.1.1.1	192.168.2.5
Oct 1, 2024 22:15:56.590044022 CEST	53	57302	1.1.1.1	192.168.2.5
Oct 1, 2024 22:15:59.903791904 CEST	60791	53	192.168.2.5	1.1.1.1
Oct 1, 2024 22:15:59.903940916 CEST	54728	53	192.168.2.5	1.1.1.1
Oct 1, 2024 22:15:59.911453962 CEST	53	54728	1.1.1.1	192.168.2.5
Oct 1, 2024 22:15:59.911550999 CEST	53	60791	1.1.1.1	192.168.2.5
Oct 1, 2024 22:16:00.147845984 CEST	53	62604	1.1.1.1	192.168.2.5
Oct 1, 2024 22:16:02.072201014 CEST	53	55675	1.1.1.1	192.168.2.5
Oct 1, 2024 22:16:14.440015078 CEST	53	53063	1.1.1.1	192.168.2.5
Oct 1, 2024 22:16:32.586800098 CEST	53	63841	1.1.1.1	192.168.2.5
Oct 1, 2024 22:16:55.464380026 CEST	53	59443	1.1.1.1	192.168.2.5
Oct 1, 2024 22:16:55.584614038 CEST	53	57415	1.1.1.1	192.168.2.5
Oct 1, 2024 22:16:57.491589069 CEST	53	63152	1.1.1.1	192.168.2.5
Oct 1, 2024 22:17:26.130772114 CEST	53	62298	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 1, 2024 22:15:55.490915060 CEST	192.168.2.5	1.1.1.1	0xab0	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 22:15:55.492165089 CEST	192.168.2.5	1.1.1.1	0xfa17	Standard query (0)	youtube.com	65	IN (0x0001)	false
Oct 1, 2024 22:15:56.564187050 CEST	192.168.2.5	1.1.1.1	0x2d34	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 22:15:56.564526081 CEST	192.168.2.5	1.1.1.1	0x9d8	Standard query (0)	www.youtube.com	65	IN (0x0001)	false
Oct 1, 2024 22:15:59.903791904 CEST	192.168.2.5	1.1.1.1	0xc75a	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 22:15:59.903940916 CEST	192.168.2.5	1.1.1.1	0xacaf	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 1, 2024 22:15:55.518207073 CEST	1.1.1.1	192.168.2.5	0xab0	No error (0)	youtube.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 1, 2024 22:15:55.525671959 CEST	1.1.1.1	192.168.2.5	0xfa17	No error (0)	youtube.com			65	IN (0x0001)	false
Oct 1, 2024 22:15:56.576622963 CEST	1.1.1.1	192.168.2.5	0x2d34	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 1, 2024 22:15:56.576622963 CEST	1.1.1.1	192.168.2.5	0x2d34	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 1, 2024 22:15:56.576622963 CEST	1.1.1.1	192.168.2.5	0x2d34	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 1, 2024 22:15:56.576622963 CEST	1.1.1.1	192.168.2.5	0x2d34	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 1, 2024 22:15:56.576622963 CEST	1.1.1.1	192.168.2.5	0x2d34	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 1, 2024 22:15:56.576622963 CEST	1.1.1.1	192.168.2.5	0x2d34	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 1, 2024 22:15:56.576622963 CEST	1.1.1.1	192.168.2.5	0x2d34	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 1, 2024 22:15:56.576622963 CEST	1.1.1.1	192.168.2.5	0x2d34	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 1, 2024 22:15:56.576622963 CEST	1.1.1.1	192.168.2.5	0x2d34	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 1, 2024 22:15:56.576622963 CEST	1.1.1.1	192.168.2.5	0x2d34	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 1, 2024 22:15:56.576622963 CEST	1.1.1.1	192.168.2.5	0x2d34	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 1, 2024 22:15:56.576622963 CEST	1.1.1.1	192.168.2.5	0x2d34	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 1, 2024 22:15:56.576622963 CEST	1.1.1.1	192.168.2.5	0x2d34	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 1, 2024 22:15:56.576622963 CEST	1.1.1.1	192.168.2.5	0x2d34	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 1, 2024 22:15:56.576622963 CEST	1.1.1.1	192.168.2.5	0x2d34	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 1, 2024 22:15:56.576622963 CEST	1.1.1.1	192.168.2.5	0x2d34	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 1, 2024 22:15:56.576622963 CEST	1.1.1.1	192.168.2.5	0x2d34	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 1, 2024 22:15:56.578824043 CEST	1.1.1.1	192.168.2.5	0x9d8	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 1, 2024 22:15:56.578824043 CEST	1.1.1.1	192.168.2.5	0x9d8	No error (0)	youtube-ui.l.google.com			65	IN (0x0001)	false
Oct 1, 2024 22:15:59.911453962 CEST	1.1.1.1	192.168.2.5	0xacaf	No error (0)	www.google.com			65	IN (0x0001)	false
Oct 1, 2024 22:15:59.911550999 CEST	1.1.1.1	192.168.2.5	0xc75a	No error (0)	www.google.com		142.250.185.68	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

youtube.com

www.youtube.com

fs.microsoft.com

https:

www.google.com

slscr.update.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49707	142.250.74.206	443	6528	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 20:15:56 UTC	867	OUT	GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1 Host: youtube.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlaHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCI/KzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw== Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 20:15:56 UTC	1704	IN	HTTP/1.1 301 Moved Permanently Content-Type: application/binary X-Content-Type-Options: nosniff Expires: Tue, 01 Oct 2024 20:15:56 GMT Date: Tue, 01 Oct 2024 20:15:56 GMT Cache-Control: private, max-age=31536000 Location: https://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9 Content-Security-Policy: require-trusted-types-for 'script' Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main" Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]} Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49710	172.217.18.14	443	6528	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 20:15:57 UTC	885	OUT	GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1 Host: www.youtube.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlaHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCI/KzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw== Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 20:15:57 UTC	2634	IN	HTTP/1.1 303 See Other Content-Type: application/binary X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 01 Oct 2024 20:15:57 GMT Location: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main" Content-Security-Policy: require-trusted-types-for 'script' Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9 Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]} Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* P3P: CP="This is not a P3P policy! See http://support.google.com/accounts/answer/151657?hl=en for more info." Server: ESF Content-Length: 0 X-XSS-Protection: 0 Set-Cookie: GPS=1; Domain=.youtube.com; Expires=Tue, 01-Oct-2024 20:45:57 GMT; Path=/; Secure; HttpOnly Set-Cookie: YSC=NQwQC5iU1IM; Domain=.youtube.com; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Set-Cookie: VISITOR_INFO1_LIVE=NXEhxYGBHvo; Domain=.youtube.com; Expires=Sun, 30-Mar-2025 20:15:57 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Set-Cookie: VISITOR_PRIVACY_METADATA=CgJVUxIEGgAgWg%3D%3D; Domain=.youtube.com; Expires=Sun, 30-Mar-2025 20:15:57 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49716	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 20:16:00 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-01 20:16:00 UTC	467	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-neu-z1 Cache-Control: public, max-age=160190 Date: Tue, 01 Oct 2024 20:16:00 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49720	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 20:16:01 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-01 20:16:02 UTC	515	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=160133 Date: Tue, 01 Oct 2024 20:16:01 GMT Content-Length: 55 Connection: close X-CID: 2
2024-10-01 20:16:02 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49715	142.250.185.68	443	6528	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 20:16:03 UTC	1033	OUT	GET /favicon.ico HTTP/1.1 Host: www.google.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlaHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCI/KzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw== Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 20:16:03 UTC	706	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="static-on-bigtable" Report-To: {"group":"static-on-bigtable","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/static-on-bigtable"}]} Content-Length: 5430 X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Date: Tue, 01 Oct 2024 17:11:26 GMT Expires: Wed, 09 Oct 2024 17:11:26 GMT Cache-Control: public, max-age=691200 Last-Modified: Tue, 22 Oct 2019 18:30:00 GMT Content-Type: image/x-icon Vary: Accept-Encoding Age: 11077 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-10-01 20:16:03 UTC	684	IN	Data Raw: 00 00 01 00 02 00 10 10 00 00 01 00 20 00 68 04 00 00 26 00 00 00 20 20 00 00 01 00 20 00 a8 10 00 00 8e 04 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 30 fd fd fd 96 fd fd fd d8 fd fd fd f9 fd fd fd f9 fd fd fd d7 fd fd fd 94 fe fe fe 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd 99 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 95 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd c1 ff ff ff ff fa fd f9 ff b4 d9 a7 ff 76 ba 5d ff 58 ab 3a ff 58 aa 3a ff 72 b8 59 ff ac d5 9d ff f8 fb f6 ff ff Data Ascii: h& ( 0.v]X:X:rY
2024-10-01 20:16:03 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d8 fd fd fd 99 ff ff ff ff 92 cf fb ff 37 52 ec ff 38 46 ea ff d0 d4 fa ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 96 fe fe fe 32 ff ff ff ff f9 f9 fe ff 56 62 ed ff 35 43 ea ff 3b 49 eb ff 95 9c f4 ff cf d2 fa ff d1 d4 fa ff 96 9d f4 ff 52 5e ed ff e1 e3 fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 30 00 00 00 00 fd fd fd 9d ff ff ff ff e8 ea fd ff 58 63 ee ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 6c 76 f0 ff ff ff ff ff ff ff ff ff fd fd fd 98 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd c3 ff ff ff ff f9 f9 fe ff a5 ac f6 ff 5d 69 ee ff 3c Data Ascii: 7R8F2Vb5C;IR^0Xc5C5C5C5C5C5Clv]i<
2024-10-01 20:16:03 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d0 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fd fd fd 8b ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff b1 d8 a3 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 60 a5 35 ff ca 8e 3e ff f9 c1 9f ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 87 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 25 fd fd fd fb ff ff ff ff ff ff ff ff ff ff ff ff c2 e0 b7 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 6e b6 54 ff 9f ce 8d ff b7 da aa ff b8 db ab ff a5 d2 95 ff 7b bc 64 ff 54 a8 35 ff 53 a8 34 ff 77 a0 37 ff e3 89 41 ff f4 85 42 ff f4 85 42 Data Ascii: S4S4S4S4S4S4S4S4S4S4S4S4S4S4`5>%S4S4S4S4S4S4nT{dT5S4w7ABB
2024-10-01 20:16:03 UTC	1390	IN	Data Raw: 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff fb d5 bf ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd ea fd fd fd cb ff ff ff ff ff ff ff ff ff ff ff ff 46 cd fc ff 05 bc fb ff 05 bc fb ff 05 bc fb ff 21 ae f9 ff fb fb ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd c8 fd fd fd 9c ff ff ff ff ff ff ff ff ff ff ff ff 86 df fd ff 05 bc fb ff 05 bc fb ff 15 93 f5 ff 34 49 eb ff b3 b8 f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: BBBBBBBF!4I
2024-10-01 20:16:03 UTC	576	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d2 fe fe fe 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd 8d fd fd fd fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd fb fd fd fd 8b fe fe fe 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 27 fd fd fd 9f fd fd fd f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: $'

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49728	13.85.23.86	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 20:16:14 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=t+KOSkY1Ff+WcHu&MD=aCwnZKxN HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-01 20:16:14 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: ee9fc70f-33e4-4ba7-91e2-76e1e785863b MS-RequestId: fb4bdfb1-f921-44cc-9ca8-856fa3bb0638 MS-CV: CNwt1t7hEkKYxgQN.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Tue, 01 Oct 2024 20:16:13 GMT Connection: close Content-Length: 24490
2024-10-01 20:16:14 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-10-01 20:16:14 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49734	13.85.23.86	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 20:16:52 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=t+KOSkY1Ff+WcHu&MD=aCwnZKxN HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-01 20:16:53 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: f630133a-2e36-4db8-895f-e5af65755513 MS-RequestId: 0d254c8c-e8a8-4646-8528-e668bf88609e MS-CV: Qt5zw24jSkuIegPa.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Tue, 01 Oct 2024 20:16:52 GMT Connection: close Content-Length: 30005
2024-10-01 20:16:53 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-10-01 20:16:53 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Target ID:	0
Start time:	16:15:53
Start date:	01/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x580000
File size:	918'016 bytes
MD5 hash:	E8F25456A80317E47AF911934A95C228
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	16:15:53
Start date:	01/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-features=CrashRecovery
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	16:15:54
Start date:	01/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=1976,i,7912777509037811501,8680786608040553108,262144 --disable-features=CrashRecovery /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	1.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.3%
Total number of Nodes:	1413
Total number of Limit Nodes:	45

Executed Functions

Function 005842DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0058430D

Part of subcall function 00586B57: _wcslen.LIBCMT ref: 00586B6A

GetCurrentProcess.KERNEL32(?,0061CB64,00000000,?,?), ref: 00584422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00584429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00584454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00584466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00584474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0058447B
GetSystemInfo.KERNEL32(?,?,?), ref: 005844A0

Strings

|O, xrefs: 005C36F8
kernel32.dll, xrefs: 0058444F
GetNativeSystemInfo, xrefs: 00584460

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: cc82c0984d1d90c5a6b84cce867000f741a88a0274d1bf26ece448b3ff9e2f47
Instruction ID: f24090d46dfc5244c60db8a4701c82f595ca9602aa21dbdd9964189934ff8cc2
Opcode Fuzzy Hash: cc82c0984d1d90c5a6b84cce867000f741a88a0274d1bf26ece448b3ff9e2f47
Instruction Fuzzy Hash: 47A1C46190A3D4DFCB11D7A8B8617997FE67F37346F08B89DD841ABA32D2204648CB21

Function 005842A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,005850AA,?,?,00000000,00000000), ref: 005842B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,005850AA,?,?,00000000,00000000), ref: 005842C9
LoadResource.KERNEL32(?,00000000,?,?,005850AA,?,?,00000000,00000000,?,?,?,?,?,?,00584F20), ref: 005C35BE
SizeofResource.KERNEL32(?,00000000,?,?,005850AA,?,?,00000000,00000000,?,?,?,?,?,?,00584F20), ref: 005C35D3
LockResource.KERNEL32(005850AA,?,?,005850AA,?,?,00000000,00000000,?,?,?,?,?,?,00584F20,?), ref: 005C35E6

Strings

SCRIPT, xrefs: 005842BF

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: cad36e7bc15630e9b1f31de005511e29bebbf0f8cb54ac8e2270116f5743bad2
Instruction ID: b40e2e6256f6a6a515d693fe4625aef3d6f7952a31154990097199285c15350b
Opcode Fuzzy Hash: cad36e7bc15630e9b1f31de005511e29bebbf0f8cb54ac8e2270116f5743bad2
Instruction Fuzzy Hash: B611AC74240705BFD7219BA5DC48F6B7FBAFBC9B65F14816AB803D6250DB71D8008A20

Function 005C2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00582B6B

Part of subcall function 00583A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00651418,?,00582E7F,?,?,?,00000000), ref: 00583A78

Part of subcall function 00589CB3: _wcslen.LIBCMT ref: 00589CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00642224), ref: 005C2C10
ShellExecuteW.SHELL32(00000000,?,?,00642224), ref: 005C2C17

Strings

runas, xrefs: 005C2C0B

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 33416781acd33eb3a89e19201b833320d2a5db14e68834e2374fa18e7b055675
Instruction ID: 0b491508a2026dab3f5bf217b09a99378fb95b1cc011c18883224409e0cc26b7
Opcode Fuzzy Hash: 33416781acd33eb3a89e19201b833320d2a5db14e68834e2374fa18e7b055675
Instruction Fuzzy Hash: 341184311093436AC714FF60D85AABE7FA5BBD5751F48682DF842760A2CF218A4AC712

Function 005ED4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 005ED501
Process32FirstW.KERNEL32(00000000,?), ref: 005ED50F
Process32NextW.KERNEL32(00000000,?), ref: 005ED52F
CloseHandle.KERNELBASE(00000000), ref: 005ED5DC

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 2e8322b624d18a43037348916453033c92aafe4c39a76c577b747c77ea7b26d2
Instruction ID: 1d7826604e2165d56f067213e23f36bf8dc6daf364cfc23fce35e80304846c77
Opcode Fuzzy Hash: 2e8322b624d18a43037348916453033c92aafe4c39a76c577b747c77ea7b26d2
Instruction Fuzzy Hash: 623170711083419FD305EF54C885AAFBFF8BFD9354F14092EF581961A1EB719948CBA2

Function 005EDBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,005C5222), ref: 005EDBCE
GetFileAttributesW.KERNELBASE(?), ref: 005EDBDD
FindFirstFileW.KERNEL32(?,?), ref: 005EDBEE
FindClose.KERNEL32(00000000), ref: 005EDBFA

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 3fe9c41fe3d6f74deb1e0f7f7b60cf4d159be8b62aae24c4d5b396d03aed0c91
Instruction ID: 1f9b8bf16723609e92d2d564fd31ad3d46e569b6300758f511f9cf2c3e34388e
Opcode Fuzzy Hash: 3fe9c41fe3d6f74deb1e0f7f7b60cf4d159be8b62aae24c4d5b396d03aed0c91
Instruction Fuzzy Hash: 22F0A73045051057C3246F789C0D4AE3B7DAE01374B248703F479C11E0EBB05D5489A6

Function 005A4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(005B28E9,?,005A4CBE,005B28E9,006488B8,0000000C,005A4E15,005B28E9,00000002,00000000,?,005B28E9), ref: 005A4D09
TerminateProcess.KERNEL32(00000000,?,005A4CBE,005B28E9,006488B8,0000000C,005A4E15,005B28E9,00000002,00000000,?,005B28E9), ref: 005A4D10
ExitProcess.KERNEL32 ref: 005A4D22

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 3794420d857398fcf4ca178114ab82f5790685039b12b8862d55149fb9d456c8
Instruction ID: 382c434745a515a7df674e015cfbf9665b0bfe85614e4672b5db85b5b535e306
Opcode Fuzzy Hash: 3794420d857398fcf4ca178114ab82f5790685039b12b8862d55149fb9d456c8
Instruction Fuzzy Hash: 46E0B631040548ABCF11AF94DD0AA9C7F6AFB82795B148015FD159A122DB75EE42CE80

Function 0058BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#e, xrefs: 005D07CE

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#e
API String ID: 3964851224-683758580
Opcode ID: 0bb659b4f6fdcea069d08a127e9c772e3a540942631f13d73a48591e3dfb27e6
Instruction ID: 6823ba22a244315f9b02a52eda9f1bd3f5f0fd27391bca23929509bea5e0fd88
Opcode Fuzzy Hash: 0bb659b4f6fdcea069d08a127e9c772e3a540942631f13d73a48591e3dfb27e6
Instruction Fuzzy Hash: F4A24D706083419FD724DF18C484B2ABFE1BF89304F14996EE99A9B352D771EC45CBA2

Function 0060AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0060B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0060B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0060B1D4
_wcslen.LIBCMT ref: 0060B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0060B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0060B236
_wcslen.LIBCMT ref: 0060B332

Part of subcall function 005F05A7: GetStdHandle.KERNEL32(000000F6), ref: 005F05C6

_wcslen.LIBCMT ref: 0060B34B
_wcslen.LIBCMT ref: 0060B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0060B3B6
GetLastError.KERNEL32(00000000), ref: 0060B407
CloseHandle.KERNEL32(?), ref: 0060B439
CloseHandle.KERNEL32(00000000), ref: 0060B44A
CloseHandle.KERNEL32(00000000), ref: 0060B45C
CloseHandle.KERNEL32(00000000), ref: 0060B46E
CloseHandle.KERNEL32(?), ref: 0060B4E3

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: f0583daa3c27db61159ad61b340a9c87eaf9bb2911d2326755866b0058a10b17
Instruction ID: 7220e8515eeed88c9ebd11f6a5f40cc5c09dcede3a11bb20b40d358975d22aa4
Opcode Fuzzy Hash: f0583daa3c27db61159ad61b340a9c87eaf9bb2911d2326755866b0058a10b17
Instruction Fuzzy Hash: C4F18A316442419FCB18EF24C895B6FBBE6BF85310F18845DF8959B2A2DB31EC41CB52

Function 0058D730 Relevance: 21.6, APIs: 14, Instructions: 627windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0058D807
timeGetTime.WINMM ref: 0058DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0058DB28
TranslateMessage.USER32(?), ref: 0058DB7B
DispatchMessageW.USER32(?), ref: 0058DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0058DB9F
Sleep.KERNEL32(0000000A), ref: 0058DBB1

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 583f5bee71b8eea9945052dcb042f91b83aaaa73ad039f4706b45c0a3e64e34a
Instruction ID: fa5707d371ff4b01a9b431c0d5ee551afa547331a73305ea63fa1f6db7a52095
Opcode Fuzzy Hash: 583f5bee71b8eea9945052dcb042f91b83aaaa73ad039f4706b45c0a3e64e34a
Instruction Fuzzy Hash: 3042C070604342AFD738EF28C858BAABFF1BF95314F14895AE85597391D770E844CBA2

Function 00582CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00582D07
RegisterClassExW.USER32(00000030), ref: 00582D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00582D42
InitCommonControlsEx.COMCTL32(?), ref: 00582D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00582D6F
LoadIconW.USER32(000000A9), ref: 00582D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00582D94

Strings

AutoIt v3 GUI, xrefs: 00582D23
0, xrefs: 00582CE9
TaskbarCreated, xrefs: 00582D37
+, xrefs: 00582CF0

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 9b00447ee12522577d71d42b8455da9e9ff7d3ed3a779989538c835708a9e94c
Instruction ID: 5eef7c4d45eb9a3cf2ab69df0a3095ec05c812ae80d1d0651f5ba549e918e743
Opcode Fuzzy Hash: 9b00447ee12522577d71d42b8455da9e9ff7d3ed3a779989538c835708a9e94c
Instruction Fuzzy Hash: 2821F2B5D41308AFDB00DFA4EC89BDDBBB6FB09712F04A11AF911AA2A0D7B14540CF90

Function 005C065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 005C039A: CreateFileW.KERNELBASE(00000000,00000000,?,005C0704,?,?,00000000,?,005C0704,00000000,0000000C), ref: 005C03B7

GetLastError.KERNEL32 ref: 005C076F
__dosmaperr.LIBCMT ref: 005C0776
GetFileType.KERNELBASE(00000000), ref: 005C0782
GetLastError.KERNEL32 ref: 005C078C
__dosmaperr.LIBCMT ref: 005C0795
CloseHandle.KERNEL32(00000000), ref: 005C07B5
CloseHandle.KERNEL32(?), ref: 005C08FF
GetLastError.KERNEL32 ref: 005C0931
__dosmaperr.LIBCMT ref: 005C0938

Strings

H, xrefs: 005C08BD

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 021dd45b0b4acf019a1631e5744f84d91d12be3d35ca9823209358759ad83d2c
Instruction ID: 5777cbeaed1fa9b7b0b5d8badc4fda5bbbc5b9a31a21f360a0ef88c12e029037
Opcode Fuzzy Hash: 021dd45b0b4acf019a1631e5744f84d91d12be3d35ca9823209358759ad83d2c
Instruction Fuzzy Hash: 68A11136A002098FDF19EFA8DC55BAE7FA1FB46320F14515DF811AB2D1DB319912CB91

Function 0058344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00583A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00651418,?,00582E7F,?,?,?,00000000), ref: 00583A78

Part of subcall function 00583357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00583379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0058356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 005C318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 005C31CE
RegCloseKey.ADVAPI32(?), ref: 005C3210
_wcslen.LIBCMT ref: 005C3277
_wcslen.LIBCMT ref: 005C3286

Strings

Include, xrefs: 005C3184, 005C31C5
Software\AutoIt v3\AutoIt, xrefs: 00583560
\Include\, xrefs: 00583527
\, xrefs: 005C328C

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 6f17c7ad83e6c0c80b9b7d87e3353d2e0d9687ba4b2524c6a47321ff10f00b6c
Instruction ID: d70d36366c81274dce692f857efca7df4a24376d0c93debe90d6d48a26eac3ef
Opcode Fuzzy Hash: 6f17c7ad83e6c0c80b9b7d87e3353d2e0d9687ba4b2524c6a47321ff10f00b6c
Instruction Fuzzy Hash: 09719E714083039EC704EF65DC969ABBFE9FF8A751F44582EF845A7160EB309A48CB52

Function 00582B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00582B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00582B9D
LoadIconW.USER32(00000063), ref: 00582BB3
LoadIconW.USER32(000000A4), ref: 00582BC5
LoadIconW.USER32(000000A2), ref: 00582BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00582BEF
RegisterClassExW.USER32(?), ref: 00582C40

Part of subcall function 00582CD4: GetSysColorBrush.USER32(0000000F), ref: 00582D07
Part of subcall function 00582CD4: RegisterClassExW.USER32(00000030), ref: 00582D31
Part of subcall function 00582CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00582D42
Part of subcall function 00582CD4: InitCommonControlsEx.COMCTL32(?), ref: 00582D5F
Part of subcall function 00582CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00582D6F
Part of subcall function 00582CD4: LoadIconW.USER32(000000A9), ref: 00582D85
Part of subcall function 00582CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00582D94

Strings

AutoIt v3, xrefs: 00582C2F
0, xrefs: 00582C0F
#, xrefs: 00582C16

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 5d2033b5c2c368b466f9961d487460a9f8da2230d1c595ef6b23cb1db74c8757
Instruction ID: cb189c27d89a61826d12674bc861318db5fbf29583b348a590a28aab517f82ec
Opcode Fuzzy Hash: 5d2033b5c2c368b466f9961d487460a9f8da2230d1c595ef6b23cb1db74c8757
Instruction Fuzzy Hash: 9D215E70E40314AFDB10DFA5EC69BAD7FB6FB49B51F04615AF500AA6A0D3B10A40CF90

Function 00583170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0058316A,?,?), ref: 005831D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0058316A,?,?), ref: 00583204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00583227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0058316A,?,?), ref: 00583232
CreatePopupMenu.USER32 ref: 00583246
PostQuitMessage.USER32(00000000), ref: 00583267

Strings

TaskbarCreated, xrefs: 0058322D

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 48ae74f67624b0fd120e048d4e99d12405bc9917ba9e7507e36a58d03d1a741d
Instruction ID: 0161df47a3d8d27a9bb7930a08d09205cd644a205c486499f314a888a046ba13
Opcode Fuzzy Hash: 48ae74f67624b0fd120e048d4e99d12405bc9917ba9e7507e36a58d03d1a741d
Instruction Fuzzy Hash: E3412735240205ABDB147B78DC2DBBD3E1AF746F11F045129FD02AA1E1C7A19A41C761

Function 00581410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00581459
CoUninitialize.COMBASE ref: 005814F8
UnregisterHotKey.USER32(?), ref: 005816DD
DestroyWindow.USER32(?), ref: 005C24B9
FreeLibrary.KERNEL32(?), ref: 005C251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 005C254B

Strings

close all, xrefs: 00581454

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: be199f65fed7239f4e901db63b3874542d9b9bc01850337fc76c0a997e7f67a4
Instruction ID: fed8bb9a0b6f09fbcfe40515938bed178bdccc5ea5bcaee3d372bef8301a615f
Opcode Fuzzy Hash: be199f65fed7239f4e901db63b3874542d9b9bc01850337fc76c0a997e7f67a4
Instruction Fuzzy Hash: CBD179307016128FCB19EF55C899F69FBA9BF45710F1446ADE84ABB262DB30AC12CF54

Function 00582C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00582C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00582CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00581CAD,?), ref: 00582CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00581CAD,?), ref: 00582CCF

Strings

AutoIt v3, xrefs: 00582C89, 00582C8E, 00582C8F
edit, xrefs: 00582CAC

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: cf207025e39c0d86d3d2dc1ad347755986ebbbcefb0614e37983252362a14921
Instruction ID: 7fbd7b429cdbd3f94d60b68b4a0956ca542375893921ef6d928a4890dd95b864
Opcode Fuzzy Hash: cf207025e39c0d86d3d2dc1ad347755986ebbbcefb0614e37983252362a14921
Instruction Fuzzy Hash: 78F017755803907AEB204B23AC28FBB2EBED7C7F61F05601AF900EA1B0C2610840DAB0

Function 00583B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00583B0F,SwapMouseButtons,00000004,?), ref: 00583B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00583B0F,SwapMouseButtons,00000004,?), ref: 00583B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00583B0F,SwapMouseButtons,00000004,?), ref: 00583B83

Strings

Control Panel\Mouse, xrefs: 00583B3E

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: ea6cfb983ffcbc188121144c5440bc5e14cf679728ba55670d94a00b1c1675e9
Instruction ID: 385b3950b8914bc5bf56ad54ce5e93fdc4b15abf06ee8d914bfde9c651e529a7
Opcode Fuzzy Hash: ea6cfb983ffcbc188121144c5440bc5e14cf679728ba55670d94a00b1c1675e9
Instruction Fuzzy Hash: 26112AB5510208FFDB20DFA5DC45AEEBBB9FF04B96B10885AAC05E7110E2319F409760

Function 00583923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 005C33A2

Part of subcall function 00586B57: _wcslen.LIBCMT ref: 00586B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00583A04

Strings

Line: , xrefs: 005C33EB

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 803b60475e71501ad76c01b6decc4b1978145819de4e40d8f2c6d4c414dc85ce
Instruction ID: 8a89ced67267352b6d93cd6f88de2d8454d7cfba4a814c55b124bf951edb8f06
Opcode Fuzzy Hash: 803b60475e71501ad76c01b6decc4b1978145819de4e40d8f2c6d4c414dc85ce
Instruction Fuzzy Hash: 2F31E471408305AAC321FB10DC49BEF7BD8BB81B11F10492AF999A3091EF749649C7C2

Function 00582DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 005C2C8C

Part of subcall function 00583AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00583A97,?,?,00582E7F,?,?,?,00000000), ref: 00583AC2

Part of subcall function 00582DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00582DC4

Strings

`ed, xrefs: 005C2C85
X, xrefs: 005C2C5A

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`ed
API String ID: 779396738-4220762877
Opcode ID: 1177d705236db378d0c4dc1374cc6ef663fdea82e8125f37c3ed36726616b388
Instruction ID: 52ad9268172b9074b8a161f28c0de841dfc1500cecd2b5b2e14b4f6ebeec7a27
Opcode Fuzzy Hash: 1177d705236db378d0c4dc1374cc6ef663fdea82e8125f37c3ed36726616b388
Instruction Fuzzy Hash: 30218171A002599FCF01EF94C849BEE7FF9BF89715F00805AE905B7241DBB45A498FA1

Function 005810F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00581BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00581BF4
Part of subcall function 00581BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00581BFC
Part of subcall function 00581BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00581C07
Part of subcall function 00581BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00581C12
Part of subcall function 00581BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00581C1A
Part of subcall function 00581BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00581C22

Part of subcall function 00581B4A: RegisterWindowMessageW.USER32(00000004,?,005812C4), ref: 00581BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0058136A
OleInitialize.OLE32 ref: 00581388
CloseHandle.KERNEL32(00000000,00000000), ref: 005C24AB

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 6833e6c0b030bda0bebd3241c40c0d77e5d9f919071606db5dd28bd4ad70045f
Instruction ID: 466e18b4a68c7affe4b8fa31b0fb9c186d65e9e3a32f5c7c10de0621e049b05d
Opcode Fuzzy Hash: 6833e6c0b030bda0bebd3241c40c0d77e5d9f919071606db5dd28bd4ad70045f
Instruction Fuzzy Hash: C871BBF49113018FC784EF79A8497993EE7BB8A356F14A62AD81ADF261FB304845CF44

Function 005B86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,005B85CC,?,00648CC8,0000000C), ref: 005B8704
GetLastError.KERNEL32(?,005B85CC,?,00648CC8,0000000C), ref: 005B870E
__dosmaperr.LIBCMT ref: 005B8739

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: dc72487e7579a43a8e97b2a798bb4f979757e50fd7a5cd2c54cae9737ff77727
Instruction ID: 6c5a0deaba55fef077b157805b9e6eaa0b26d4f60304861beb08f9681f97a25d
Opcode Fuzzy Hash: dc72487e7579a43a8e97b2a798bb4f979757e50fd7a5cd2c54cae9737ff77727
Instruction Fuzzy Hash: 5601423260576016D764BB34A8497FE6F8D7BD1778F392519F8148B2D2ED61FC81C150

Function 00591310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 005917F6

Strings

CALL, xrefs: 005917C6

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 63c3ab1e12e0b5273d3710b2d0fe9054f2107af2425ccaebead10ab4a2cfc137
Instruction ID: c56742394416f03821cd86b74322fc770cb1a098532f6e8400c2796e941fb71c
Opcode Fuzzy Hash: 63c3ab1e12e0b5273d3710b2d0fe9054f2107af2425ccaebead10ab4a2cfc137
Instruction Fuzzy Hash: C2228B706087129FCB14DF18C484A2ABFF1BF89354F19895EF4968B3A2D731E845CB96

Function 00583837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00583908

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 3c13a9329e6d3822526f36e7d0f503175242f6766df92565466a2c39856c0cad
Instruction ID: b479db9a6ba2c375242703adea12e97d17af274fbc704fe47fc7a8093ff43de4
Opcode Fuzzy Hash: 3c13a9329e6d3822526f36e7d0f503175242f6766df92565466a2c39856c0cad
Instruction Fuzzy Hash: 1D3191706053019FD720EF64D89579BBFE8FB49B09F00092EF99AA7250E771AA44CF52

Function 00584ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00584E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00584EDD,?,00651418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00584E9C
Part of subcall function 00584E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00584EAE
Part of subcall function 00584E90: FreeLibrary.KERNEL32(00000000,?,?,00584EDD,?,00651418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00584EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00651418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00584EFD

Part of subcall function 00584E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,005C3CDE,?,00651418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00584E62
Part of subcall function 00584E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00584E74
Part of subcall function 00584E59: FreeLibrary.KERNEL32(00000000,?,?,005C3CDE,?,00651418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00584E87

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: db7c82177b1d80f09aeb0e5e6bc370770d4927aecb4b9b93a3ae3e464c34a13b
Instruction ID: 5b66b45c06cdecb54785fffa7cfd3e201beabac932645c593d3f8d0b8261bd13
Opcode Fuzzy Hash: db7c82177b1d80f09aeb0e5e6bc370770d4927aecb4b9b93a3ae3e464c34a13b
Instruction Fuzzy Hash: 8511C431640207AACB14BB60D80AFAD7FA5BF80714F10842EFD42B62D1EE709E459B50

Function 005B8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 005B8440

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: dcf11af2256ab4e96c5d3428c4c39ec5a7691a4b82b7b4156cff62948437954a
Instruction ID: e0bf300b80cb60a18fdc2d51d3fab9015ff687711c8d7964909c970b7fce748f
Opcode Fuzzy Hash: dcf11af2256ab4e96c5d3428c4c39ec5a7691a4b82b7b4156cff62948437954a
Instruction Fuzzy Hash: C811187590420AAFCF05DF58E945AEA7BF9FF48314F144059FC08AB312DA31EA11CBA5

Function 005AE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: a0444b00ea7ee91f8cd429178e8f7274adcaa71d5f8b245dce02478e19abf03b
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: A4F0D632510A159AD6313A65AC0EB9E3F9CBF93370F100F15F425931D2DB70A8018AB5

Function 005B3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00651444,?,0059FDF5,?,?,0058A976,00000010,00651440,005813FC,?,005813C6,?,00581129), ref: 005B3852

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 67e3c5da7b547b25e54a4266e791d7579402c932294848696a786bcb4b80f537
Instruction ID: 2bcd6d0c508733aeca064fb3a8c43826629b3ac88f81320907022e484ed0ba86
Opcode Fuzzy Hash: 67e3c5da7b547b25e54a4266e791d7579402c932294848696a786bcb4b80f537
Instruction Fuzzy Hash: 04E0E53114222566D72126AA9C05BDE3E49BF837B0F060031BC04B6590DB50FD0186E3

Function 00584F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00651418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00584F6D

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 728b36726fff80c6ed4169f989a83993506fe4f60a0b05dd06270620e473c048
Instruction ID: 3185740d2916e7d8662671992f078cd0b8458241b3f859f9e28e3a6c2e93c33c
Opcode Fuzzy Hash: 728b36726fff80c6ed4169f989a83993506fe4f60a0b05dd06270620e473c048
Instruction Fuzzy Hash: A2F01571105792CFDB34AF64E494826BBE4BF143293258E6EEAEA92621C7319844DF10

Function 005830F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0058314E

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 15425eabeb42fee4fe9ab6373e8c6882111643a8b922d29d770ac931108e7322
Instruction ID: e444fe7ee18cc52d7509d76a7fceb6bca72bff31a9ffa703957e0e814b44b521
Opcode Fuzzy Hash: 15425eabeb42fee4fe9ab6373e8c6882111643a8b922d29d770ac931108e7322
Instruction Fuzzy Hash: 97F037709143189FEB52DB24DC4A7D97BFCB702708F0410E5A64896191D7745788CF51

Function 00582DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00582DC4

Part of subcall function 00586B57: _wcslen.LIBCMT ref: 00586B6A

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 87cc12c3c0e99c64f0eb06b90598ebe7533794606cdcb2e8445336717508db0e
Instruction ID: 01497164bd4fa92cfcc46c20c20ce355728872ef9736cb3c481c6694f9cac36f
Opcode Fuzzy Hash: 87cc12c3c0e99c64f0eb06b90598ebe7533794606cdcb2e8445336717508db0e
Instruction Fuzzy Hash: 41E0CD726002245BC710A2989C09FDA77DDEFC8790F044075FD09E7248D970ED808650

Function 00582B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00583837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00583908

Part of subcall function 0058D730: GetInputState.USER32 ref: 0058D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00582B6B

Part of subcall function 005830F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0058314E

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 4230fd488cdddad0a265c0b1054ffcb9120b324bd6d37394c7db7336078c091f
Instruction ID: ddd3343feaba8c4d0d47aea50f626be5649a9335901c19ebdfd109102893a3c6
Opcode Fuzzy Hash: 4230fd488cdddad0a265c0b1054ffcb9120b324bd6d37394c7db7336078c091f
Instruction Fuzzy Hash: 16E0263130120606CB04BB30A81A6BDBF9ABBD2752F00253EFC42A71A2CE204A494312

Function 005C039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,005C0704,?,?,00000000,?,005C0704,00000000,0000000C), ref: 005C03B7

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6d43650bc6d9d3065cad9b1766e6b0dc6853de7d869794f9a766e1f5fb245a89
Instruction ID: ff84fe17a456e8673d3ebb581cee05b4ebe3ca756e471c994f49e7a6bdb8efd5
Opcode Fuzzy Hash: 6d43650bc6d9d3065cad9b1766e6b0dc6853de7d869794f9a766e1f5fb245a89
Instruction Fuzzy Hash: 18D06C3208010DBBDF028F84DD06EDA3BAAFB48714F018000BE1856020C732E821AB90

Function 00581CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00581CBC

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 3b627f5b8a4776ec1a0e55772062209a33e36dfe42f76b64461205b0de443136
Instruction ID: 4a643fe5b2d2c7f337bfe960e83413bb83112a9608bbe96280db61247e97f6a2
Opcode Fuzzy Hash: 3b627f5b8a4776ec1a0e55772062209a33e36dfe42f76b64461205b0de443136
Instruction Fuzzy Hash: 9BC092362C0305AFF315CB80BC6AF547767A349B12F08A402F609A95F3D3A22830EA50

Non-executed Functions

Function 00619576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00599BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00599BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0061961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0061965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0061969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 006196C9
SendMessageW.USER32 ref: 006196F2
GetKeyState.USER32(00000011), ref: 0061978B
GetKeyState.USER32(00000009), ref: 00619798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 006197AE
GetKeyState.USER32(00000010), ref: 006197B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 006197E9
SendMessageW.USER32 ref: 00619810
SendMessageW.USER32(?,00001030,?,00617E95), ref: 00619918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0061992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00619941
SetCapture.USER32(?), ref: 0061994A
ClientToScreen.USER32(?,?), ref: 006199AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 006199BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 006199D6
ReleaseCapture.USER32 ref: 006199E1
GetCursorPos.USER32(?), ref: 00619A19
ScreenToClient.USER32(?,?), ref: 00619A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00619A80
SendMessageW.USER32 ref: 00619AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00619AEB
SendMessageW.USER32 ref: 00619B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00619B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00619B4A
GetCursorPos.USER32(?), ref: 00619B68
ScreenToClient.USER32(?,?), ref: 00619B75
GetParent.USER32(?), ref: 00619B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00619BFA
SendMessageW.USER32 ref: 00619C2B
ClientToScreen.USER32(?,?), ref: 00619C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00619CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00619CDE
SendMessageW.USER32 ref: 00619D01
ClientToScreen.USER32(?,?), ref: 00619D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00619D82

Part of subcall function 00599944: GetWindowLongW.USER32(?,000000EB), ref: 00599952

GetWindowLongW.USER32(?,000000F0), ref: 00619E05

Strings

@GUI_DRAGID, xrefs: 0061997D
p#e, xrefs: 00619990
F, xrefs: 00619D07

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#e
API String ID: 3429851547-3604025434
Opcode ID: 005b339e550cc9e5134e0e56713855dd29a0395bcf4e68a1e50d2004105abac2
Instruction ID: a4bcae6ebff7d29014eb30cf77b1e86a3348197b82183bc4a70c879bb6247c9e
Opcode Fuzzy Hash: 005b339e550cc9e5134e0e56713855dd29a0395bcf4e68a1e50d2004105abac2
Instruction Fuzzy Hash: 56427E74604241EFE724CF24CC54BEABBF6FF89320F184619F699972A1D7319891CBA1

Function 00614873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 006148F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00614908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00614927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0061494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0061495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0061497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 006149AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 006149D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00614A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00614A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00614A7E
IsMenu.USER32(?), ref: 00614A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00614AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00614B20
GetWindowLongW.USER32(?,000000F0), ref: 00614B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00614BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00614C82
wsprintfW.USER32 ref: 00614CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00614CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00614CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00614D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00614D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00614D5A

Strings

%d/%02d/%02d, xrefs: 00614CA8

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 3632ef5e93b5f4f724b74ff13fb1f7af8289e27f25f6e15ce9534089ce24c508
Instruction ID: ddf598739a229b722288ad119daa978fd27585865c08255feb7cd65ba6870dc6
Opcode Fuzzy Hash: 3632ef5e93b5f4f724b74ff13fb1f7af8289e27f25f6e15ce9534089ce24c508
Instruction Fuzzy Hash: 4612EF71600255AFEB248F28CC49FEE7BBAAF85710F18412AF515EB2A1DB749981CB50

Function 0059F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0059F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 005DF474
IsIconic.USER32(00000000), ref: 005DF47D
ShowWindow.USER32(00000000,00000009), ref: 005DF48A
SetForegroundWindow.USER32(00000000), ref: 005DF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 005DF4AA
GetCurrentThreadId.KERNEL32 ref: 005DF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 005DF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 005DF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 005DF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 005DF4DE
SetForegroundWindow.USER32(00000000), ref: 005DF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 005DF4F6
keybd_event.USER32(00000012,00000000), ref: 005DF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 005DF50B
keybd_event.USER32(00000012,00000000), ref: 005DF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 005DF519
keybd_event.USER32(00000012,00000000), ref: 005DF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 005DF528
keybd_event.USER32(00000012,00000000), ref: 005DF52D
SetForegroundWindow.USER32(00000000), ref: 005DF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 005DF557

Strings

Shell_TrayWnd, xrefs: 005DF46F

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 3f401dc89b28c1ceb5276dba5671682eb6fb7e5fc16040678b61160adc12c615
Instruction ID: 276eb1b277b9b87a2b951f11aeac4ee9458ee4596756ae501c9b3a1154772691
Opcode Fuzzy Hash: 3f401dc89b28c1ceb5276dba5671682eb6fb7e5fc16040678b61160adc12c615
Instruction Fuzzy Hash: 12315271A80218BBEB316BB55C4AFBF7E6EEB44B60F145427F601E61D1C6B05D10ABA0

Function 005E1201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 005E16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 005E170D
Part of subcall function 005E16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 005E173A
Part of subcall function 005E16C3: GetLastError.KERNEL32 ref: 005E174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 005E1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 005E12A8
CloseHandle.KERNEL32(?), ref: 005E12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 005E12D1
GetProcessWindowStation.USER32 ref: 005E12EA
SetProcessWindowStation.USER32(00000000), ref: 005E12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 005E1310

Part of subcall function 005E10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005E11FC), ref: 005E10D4
Part of subcall function 005E10BF: CloseHandle.KERNEL32(?,?,005E11FC), ref: 005E10E9

Strings

default, xrefs: 005E130B
, xrefs: 005E125A
Zd, xrefs: 005E1392
winsta0, xrefs: 005E12CC

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Zd
API String ID: 22674027-3105207005
Opcode ID: 809e5298d4e9aca147f06a829a67313efc4b05703860c334cbfb185c7dc771ac
Instruction ID: 2f21efa78bbefccdfefcab53927a0f6831206f613dd6d2cbc5e9e7191eb0e76b
Opcode Fuzzy Hash: 809e5298d4e9aca147f06a829a67313efc4b05703860c334cbfb185c7dc771ac
Instruction Fuzzy Hash: AA81D071900689AFDF248FA5CC49FEE7FBAFF04700F18812AF951A62A0D7718944CB64

Function 005E0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005E10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 005E1114
Part of subcall function 005E10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,005E0B9B,?,?,?), ref: 005E1120
Part of subcall function 005E10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,005E0B9B,?,?,?), ref: 005E112F
Part of subcall function 005E10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,005E0B9B,?,?,?), ref: 005E1136
Part of subcall function 005E10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 005E114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 005E0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 005E0C00
GetLengthSid.ADVAPI32(?), ref: 005E0C17
GetAce.ADVAPI32(?,00000000,?), ref: 005E0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 005E0C6D
GetLengthSid.ADVAPI32(?), ref: 005E0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 005E0C8C
HeapAlloc.KERNEL32(00000000), ref: 005E0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 005E0CB4
CopySid.ADVAPI32(00000000), ref: 005E0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 005E0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 005E0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 005E0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 005E0D45
HeapFree.KERNEL32(00000000), ref: 005E0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 005E0D55
HeapFree.KERNEL32(00000000), ref: 005E0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 005E0D65
HeapFree.KERNEL32(00000000), ref: 005E0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 005E0D78
HeapFree.KERNEL32(00000000), ref: 005E0D7F

Part of subcall function 005E1193: GetProcessHeap.KERNEL32(00000008,005E0BB1,?,00000000,?,005E0BB1,?), ref: 005E11A1
Part of subcall function 005E1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,005E0BB1,?), ref: 005E11A8
Part of subcall function 005E1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,005E0BB1,?), ref: 005E11B7

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 201909aac453e785b81d086f121911338f6e0243d9209daef81584f9b9abfb12
Instruction ID: c7de645d4e925f6c476b927d133dc06da941d938fd50834da5c6311d50534256
Opcode Fuzzy Hash: 201909aac453e785b81d086f121911338f6e0243d9209daef81584f9b9abfb12
Instruction Fuzzy Hash: 2E71BB7290024AEBDF14DFA5DD48FEEBBB9FF08310F089116E944A7190D7B5AA41CB60

Function 005FEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0061CC08), ref: 005FEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 005FEB37
GetClipboardData.USER32(0000000D), ref: 005FEB43
CloseClipboard.USER32 ref: 005FEB4F
GlobalLock.KERNEL32(00000000), ref: 005FEB87
CloseClipboard.USER32 ref: 005FEB91
GlobalUnlock.KERNEL32(00000000), ref: 005FEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 005FEBC9
GetClipboardData.USER32(00000001), ref: 005FEBD1
GlobalLock.KERNEL32(00000000), ref: 005FEBE2
GlobalUnlock.KERNEL32(00000000), ref: 005FEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 005FEC38
GetClipboardData.USER32(0000000F), ref: 005FEC44
GlobalLock.KERNEL32(00000000), ref: 005FEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 005FEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 005FEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 005FECD2
GlobalUnlock.KERNEL32(00000000), ref: 005FECF3
CountClipboardFormats.USER32 ref: 005FED14
CloseClipboard.USER32 ref: 005FED59

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 544c59230d4481d6b4822d5c5cd89f5294ba58bf531b8888ab09fad752796a33
Instruction ID: 188b5aee2f2d82af9bbf79e34822412a3c1236bc6db5080b085952655bfe7f0f
Opcode Fuzzy Hash: 544c59230d4481d6b4822d5c5cd89f5294ba58bf531b8888ab09fad752796a33
Instruction Fuzzy Hash: 8F61BE342442069FD300EF24C88AF7A7BA5BF84714F18955EF986972B1CB35DD06CBA2

Function 005F698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 005F69BE
FindClose.KERNEL32(00000000), ref: 005F6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 005F6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 005F6A75

Part of subcall function 00589CB3: _wcslen.LIBCMT ref: 00589CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 005F6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 005F6ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 005F6B6A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 005F6B32
%03d, xrefs: 005F6DA2
%02d, xrefs: 005F6C00, 005F6C0A, 005F6C5A, 005F6CAA, 005F6CFA, 005F6D4A
%4d, xrefs: 005F6BB1

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 1a279bd803471cad75df1ac528661e9d68704a18d27c8879ddb0735efb5a507e
Instruction ID: 48bd5cfc4304d6f2807d9e622d8b8d917e5a38941462199503561bac8bca6301
Opcode Fuzzy Hash: 1a279bd803471cad75df1ac528661e9d68704a18d27c8879ddb0735efb5a507e
Instruction Fuzzy Hash: CED13072508305AAD710EB64C886EBFBBECBF98704F044919FA85D6191EB74DA44CB62

Function 005F9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 005F9663
GetFileAttributesW.KERNEL32(?), ref: 005F96A1
SetFileAttributesW.KERNEL32(?,?), ref: 005F96BB
FindNextFileW.KERNEL32(00000000,?), ref: 005F96D3
FindClose.KERNEL32(00000000), ref: 005F96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 005F96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 005F974A
SetCurrentDirectoryW.KERNEL32(00646B7C), ref: 005F9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 005F9772
FindClose.KERNEL32(00000000), ref: 005F977F
FindClose.KERNEL32(00000000), ref: 005F978F

Strings

*.*, xrefs: 005F96F5

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 284577d37bca5a52a38d6ad2570d6a90f0fc2d7574579c4bd745b6341bb9041c
Instruction ID: c0200c8c56ae6e681dd92c51f1c23b14ef6394a8ded856242767a747a21c4401
Opcode Fuzzy Hash: 284577d37bca5a52a38d6ad2570d6a90f0fc2d7574579c4bd745b6341bb9041c
Instruction Fuzzy Hash: 0931C33254161E6FDB10AFB4DC08BEE7BADEF4A321F148156FA15E2090EB38DE448A54

Function 005F979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 005F97BE
FindNextFileW.KERNEL32(00000000,?), ref: 005F9819
FindClose.KERNEL32(00000000), ref: 005F9824
FindFirstFileW.KERNEL32(*.*,?), ref: 005F9840
SetCurrentDirectoryW.KERNEL32(?), ref: 005F9890
SetCurrentDirectoryW.KERNEL32(00646B7C), ref: 005F98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 005F98B8
FindClose.KERNEL32(00000000), ref: 005F98C5
FindClose.KERNEL32(00000000), ref: 005F98D5

Part of subcall function 005EDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 005EDB00

Strings

*.*, xrefs: 005F983B

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 734cd4a04790a22bedb360babcd05d946e21836da1e29bdb530408932d83f6fe
Instruction ID: f5455ff22ec9218bbd9e6f8fcdfcc2711524495936699fac72f809fb416bf51a
Opcode Fuzzy Hash: 734cd4a04790a22bedb360babcd05d946e21836da1e29bdb530408932d83f6fe
Instruction Fuzzy Hash: D031C331540A1E6EDB10AFB4DC48BEE7BADFF46370F148156FA10E2190DB74DE958A60

Function 0060BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0060C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0060B6AE,?,?), ref: 0060C9B5
Part of subcall function 0060C998: _wcslen.LIBCMT ref: 0060C9F1
Part of subcall function 0060C998: _wcslen.LIBCMT ref: 0060CA68
Part of subcall function 0060C998: _wcslen.LIBCMT ref: 0060CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0060BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0060BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0060BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0060C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0060C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0060C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0060C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0060C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0060C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0060C382
RegCloseKey.ADVAPI32(00000000), ref: 0060C38F

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 1db5a608024875e7d758d81a314bdbb467d1bbbaf9da4215ba30c6926b8eb87c
Instruction ID: 1b1cf6af27ab470de411a2d0f18daf7ffdeb2c9f196c4724a04008d4862e19f8
Opcode Fuzzy Hash: 1db5a608024875e7d758d81a314bdbb467d1bbbaf9da4215ba30c6926b8eb87c
Instruction Fuzzy Hash: 77025B706042019FC718DF24C895A6ABBE6FF89318F18C59DE84ADB2A2DB31ED45CB51

Function 005F8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 005F8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 005F8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 005F8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 005F8310
SetCurrentDirectoryW.KERNEL32(?), ref: 005F8324
SetCurrentDirectoryW.KERNEL32(?), ref: 005F8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 005F838C
SetCurrentDirectoryW.KERNEL32(?), ref: 005F8395

Strings

*.*, xrefs: 005F839B

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: f985b0bf4c4b4fb7ceeb87921f25e5ba469dc24654071ccc956e7c16eec37b3b
Instruction ID: c937060db384f7707c344fd504566f9662f371a6d49f8b6d87ad61895a8da209
Opcode Fuzzy Hash: f985b0bf4c4b4fb7ceeb87921f25e5ba469dc24654071ccc956e7c16eec37b3b
Instruction Fuzzy Hash: A6618D7250430A9FD710EF60C8449AFBBE9FF89310F04891EFA9997251EB35E945CB92

Function 005ED076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00583AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00583A97,?,?,00582E7F,?,?,?,00000000), ref: 00583AC2

Part of subcall function 005EE199: GetFileAttributesW.KERNEL32(?,005ECF95), ref: 005EE19A

FindFirstFileW.KERNEL32(?,?), ref: 005ED122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 005ED1DD
MoveFileW.KERNEL32(?,?), ref: 005ED1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 005ED20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 005ED237

Part of subcall function 005ED29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,005ED21C,?,?), ref: 005ED2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 005ED253
FindClose.KERNEL32(00000000), ref: 005ED264

Strings

\*.*, xrefs: 005ED0CD, 005ED0D6, 005ED0EB

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: af7d1662e8e70c8818d6411382bf769b027b8b5363a252b4e2ed235c42ac51b1
Instruction ID: 840911668559d9eed0e4abe78123590b36918568cc7da05977cb8fc06bc7e18a
Opcode Fuzzy Hash: af7d1662e8e70c8818d6411382bf769b027b8b5363a252b4e2ed235c42ac51b1
Instruction Fuzzy Hash: 45613A3180514EABCF09EBE1CA969FDBBB5BF95300F248165E84277191EB316F09CB61

Function 005FED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 005FED91
EmptyClipboard.USER32 ref: 005FED97
GlobalAlloc.KERNEL32(00000002,?), ref: 005FEDAC
CloseClipboard.USER32 ref: 005FEEA3

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: f2f63d619d78ce203f632e1e42fdb7e3a99a675a594a12ef74c9931462ac94f0
Instruction ID: 7e66d29193239e48288cfb7bbe748929237e95e9617bca7e2e98feda496d825d
Opcode Fuzzy Hash: f2f63d619d78ce203f632e1e42fdb7e3a99a675a594a12ef74c9931462ac94f0
Instruction Fuzzy Hash: F741BD31204211AFE720DF15E889B69BFE6FF44328F18C499E5158BA72C739ED41CB90

Function 005EE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 005E16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 005E170D
Part of subcall function 005E16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 005E173A
Part of subcall function 005E16C3: GetLastError.KERNEL32 ref: 005E174A

ExitWindowsEx.USER32(?,00000000), ref: 005EE932

Strings

SeShutdownPrivilege, xrefs: 005EE902
, xrefs: 005EE920
, xrefs: 005EE95C
@, xrefs: 005EE925

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 01b7af787589faab982a601b9e309e0b360dddaac12726aa15380e9df2f76532
Instruction ID: 607a2a5fe554f9d4c7d106d130c4ae94a0e6931d901c517b112ddce9dc66ced1
Opcode Fuzzy Hash: 01b7af787589faab982a601b9e309e0b360dddaac12726aa15380e9df2f76532
Instruction Fuzzy Hash: AD012B72620252ABEB1C62B69C8BFFF7A9DB704750F154822F882E31D3D5A09C4481A4

Function 00601204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00601276
WSAGetLastError.WSOCK32 ref: 00601283
bind.WSOCK32(00000000,?,00000010), ref: 006012BA
WSAGetLastError.WSOCK32 ref: 006012C5
closesocket.WSOCK32(00000000), ref: 006012F4
listen.WSOCK32(00000000,00000005), ref: 00601303
WSAGetLastError.WSOCK32 ref: 0060130D
closesocket.WSOCK32(00000000), ref: 0060133C

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 13dabd180337bcf8141dd7c4b93a480433954c48657cb0cb97c540414b43483b
Instruction ID: 89ab2a6499acb10802d2379ebaa067e00d2255ebe15f1dab3549318c7eacd33a
Opcode Fuzzy Hash: 13dabd180337bcf8141dd7c4b93a480433954c48657cb0cb97c540414b43483b
Instruction Fuzzy Hash: 1341A3316401009FD714DF68C498B6ABBE6BF86328F188089E8569F3D2C771ED81CBE0

Function 005BB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 005BB9D4
_free.LIBCMT ref: 005BB9F8
_free.LIBCMT ref: 005BBB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00623700), ref: 005BBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0065121C,000000FF,00000000,0000003F,00000000,?,?), ref: 005BBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00651270,000000FF,?,0000003F,00000000,?), ref: 005BBC36
_free.LIBCMT ref: 005BBD4B

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 839a75171226a780da6921b48f4f1d1e5c24d4d7b1f39e5bdc85219cded492ab
Instruction ID: da777104ad2862662764985b8c1f0adb3fe4cdd62c4127ebc29724bf167afffa
Opcode Fuzzy Hash: 839a75171226a780da6921b48f4f1d1e5c24d4d7b1f39e5bdc85219cded492ab
Instruction Fuzzy Hash: 03C1F771904206AFEB20DF698C55BEE7FB9FF82310F14459AE4949B251EBF0AE41C750

Function 005ED3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00583AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00583A97,?,?,00582E7F,?,?,?,00000000), ref: 00583AC2

Part of subcall function 005EE199: GetFileAttributesW.KERNEL32(?,005ECF95), ref: 005EE19A

FindFirstFileW.KERNEL32(?,?), ref: 005ED420
DeleteFileW.KERNEL32(?,?,?,?), ref: 005ED470
FindNextFileW.KERNEL32(00000000,00000010), ref: 005ED481
FindClose.KERNEL32(00000000), ref: 005ED498
FindClose.KERNEL32(00000000), ref: 005ED4A1

Strings

\*.*, xrefs: 005ED3F2

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: bddce30d4decbac72c557fe0d649a045fdcc16b4537f478cb20e10939e067d65
Instruction ID: 0ca7b25a280e9be6dd201dc8b8ede6bdc470e07dea93727ba38b4eb06b07df6a
Opcode Fuzzy Hash: bddce30d4decbac72c557fe0d649a045fdcc16b4537f478cb20e10939e067d65
Instruction Fuzzy Hash: 6E3141710083869BC705FF64D8558AF7BA8BEE5314F444E1EF8D1A2191EB74AA09CB63

Function 005BE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 005BE645

Strings

1#IND, xrefs: 005BF83D
1#SNAN, xrefs: 005BF844
1#QNAN, xrefs: 005BF84B
1#INF, xrefs: 005BF852

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: ddcebba00323013182a80e126023b9e8fb4195b1ed1a435e2cdd9662a3fda1e9
Instruction ID: e4fd63280c89030dbf1c5529a34bd23abe49cf64fc010a3f1cd2c16684e3a0f2
Opcode Fuzzy Hash: ddcebba00323013182a80e126023b9e8fb4195b1ed1a435e2cdd9662a3fda1e9
Instruction Fuzzy Hash: 6DC24B71E086298FDB25CE28DD457EABBB5FB45304F1845EAD40EE7241E774AE818F40

Function 005F648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 005F64DC
CoInitialize.OLE32(00000000), ref: 005F6639
CoCreateInstance.OLE32(0061FCF8,00000000,00000001,0061FB68,?), ref: 005F6650
CoUninitialize.OLE32 ref: 005F68D4

Strings

.lnk, xrefs: 005F64BA, 005F6524, 005F65E0

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: c1846a9adde095b8f5532419156fb68e7482e621a3851bdeea8c35c9e7b2eae1
Instruction ID: c063cc883c9e13cdcf384d00d5028f3c27be0c83a7ad6aa1367ad567dd36c587
Opcode Fuzzy Hash: c1846a9adde095b8f5532419156fb68e7482e621a3851bdeea8c35c9e7b2eae1
Instruction Fuzzy Hash: B0D16A71508206AFD304EF24C88596BBBE9FFD8304F54492DF595AB291EB70ED05CBA2

Function 006022DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 006022E8

Part of subcall function 005FE4EC: GetWindowRect.USER32(?,?), ref: 005FE504

GetDesktopWindow.USER32 ref: 00602312
GetWindowRect.USER32(00000000), ref: 00602319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00602355
GetCursorPos.USER32(?), ref: 00602381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 006023DF

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 5f1688d8391dcf9124316cb2498ddc4576955932747a9819a260c999cf055a43
Instruction ID: ab1b316dac8c5dd020aa2cb49b132e9f1e01473a97ea49c9bb955182e91fd483
Opcode Fuzzy Hash: 5f1688d8391dcf9124316cb2498ddc4576955932747a9819a260c999cf055a43
Instruction Fuzzy Hash: 8531D072544316AFC728DF14C849B9BBBAAFFC4320F00491AF98597291DB34E908CB92

Function 005F9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00589CB3: _wcslen.LIBCMT ref: 00589CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 005F9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 005F9C8B

Part of subcall function 005F3874: GetInputState.USER32 ref: 005F38CB
Part of subcall function 005F3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005F3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 005F9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 005F9C75

Strings

*.*, xrefs: 005F9B5D

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: a5eb7bdcb32364771e5271a639251bf791c312922691566638a794cef431b654
Instruction ID: d75bb9764ecb1e9f1d95ea677de287a438a4e31c61db24669c5ff5b8d505d7a5
Opcode Fuzzy Hash: a5eb7bdcb32364771e5271a639251bf791c312922691566638a794cef431b654
Instruction Fuzzy Hash: 7E415A7194460EABDF14EFA4C889BEEBFB9FF45310F244056E905A2191EB349E84CF60

Function 0059997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00599BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00599BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00599A4E
GetSysColor.USER32(0000000F), ref: 00599B23
SetBkColor.GDI32(?,00000000), ref: 00599B36

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 46562560f825d0924ad2a586cd0125faacff4a91f782fc7355af54d5b3316b33
Instruction ID: 08240b040efd1de68abeb04b18874a78850b4e122485a3c835e4f6df2de44881
Opcode Fuzzy Hash: 46562560f825d0924ad2a586cd0125faacff4a91f782fc7355af54d5b3316b33
Instruction Fuzzy Hash: 89A1E870108548BFEF389A2C8C59EBF2E9EFB8A340F14450FF512D6691DA259D41D276

Function 00601806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0060304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0060307A
Part of subcall function 0060304E: _wcslen.LIBCMT ref: 0060309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0060185D
WSAGetLastError.WSOCK32 ref: 00601884
bind.WSOCK32(00000000,?,00000010), ref: 006018DB
WSAGetLastError.WSOCK32 ref: 006018E6
closesocket.WSOCK32(00000000), ref: 00601915

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 0d1c8e975284087ebc5805624ac49f81861310c20c8045f1f7254fcb7d7f8969
Instruction ID: 981795c9d25d0484b300e6b4c49b92ab91b2abe8fbfd718381c7a13df3b9fdc0
Opcode Fuzzy Hash: 0d1c8e975284087ebc5805624ac49f81861310c20c8045f1f7254fcb7d7f8969
Instruction Fuzzy Hash: 7A51C871A402009FEB14AF24C88AF6A7BE6AF85718F18C458F9156F3C3D771AD41C7A1

Function 00611C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00611CC0
IsWindowEnabled.USER32 ref: 00611CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00611CDB
IsIconic.USER32 ref: 00611CE9
IsZoomed.USER32 ref: 00611CF7

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: fd93b375d296342b858368585f756b628655a987f575d9e7ade84c58c1bf2daa
Instruction ID: 6acf43392ae5c07a44199a09976ce1251adc6c72df586195a38ab62072b2893f
Opcode Fuzzy Hash: fd93b375d296342b858368585f756b628655a987f575d9e7ade84c58c1bf2daa
Instruction Fuzzy Hash: 072191317802115FD7209F2AD854BEA7BA6AF86324B1D8059E9468F351CB75DC82CBD4

Function 00588060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

ERCP, xrefs: 0058813C
VUUU, xrefs: 005883FA
VUUU, xrefs: 0058843C
VUUU, xrefs: 005C5DF0
VUUU, xrefs: 005883E8

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 2ff76a2681b1d79c1ac3de2a3e3db3551d6438b67ba95db95c8ce2d866d3ede9
Instruction ID: 491027f652670556e8485ee690435c0581eb20c20a4bdd4d95c174cfb47dfc76
Opcode Fuzzy Hash: 2ff76a2681b1d79c1ac3de2a3e3db3551d6438b67ba95db95c8ce2d866d3ede9
Instruction Fuzzy Hash: 52A26D75A0061ACFDF24DF98C844BBDBBB1FB54314F6485A9DC15A7281EB70AE81CB90

Function 005E8298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 005E82AA

Strings

(, xrefs: 005E82F0
|, xrefs: 005E82DA
tbd, xrefs: 005E84F4

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tbd$|
API String ID: 1659193697-2281384303
Opcode ID: 7e998bbf956559616f5752ec9f00a7b08e3041103313fb490df3528f0e47a7c5
Instruction ID: 36687b1695dda47d4f5f19ab276600f8fdeccfae298dbf81d885f57af7ea6da6
Opcode Fuzzy Hash: 7e998bbf956559616f5752ec9f00a7b08e3041103313fb490df3528f0e47a7c5
Instruction Fuzzy Hash: 83323675A007459FCB28CF59C481A6ABBF1FF48710B15C96EE49ADB3A1EB70E941CB40

Function 005EAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 005EAAAC
SetKeyboardState.USER32(00000080), ref: 005EAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 005EAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 005EAB88

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 8def8d29e86e611e94414bb2dcdd092de85fcd2bb1d5ae9ff355193c1132eec3
Instruction ID: 1ba267bee0fc2a2be7a6968f1ea42a35ae44203f3c3e4fadc758e1f84e745538
Opcode Fuzzy Hash: 8def8d29e86e611e94414bb2dcdd092de85fcd2bb1d5ae9ff355193c1132eec3
Instruction Fuzzy Hash: E9310B30A40388AEFB398B768C05BFA7FAFBB54310F08421AE1C1961D1D774A985C752

Function 005FCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 005FCE89
GetLastError.KERNEL32(?,00000000), ref: 005FCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 005FCEFE

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 0e57d7be7a0e518f775bd5f854976b85f17ba08eabab43d73b27cd8e2c839af7
Instruction ID: cf83f68e24155864b6ce8ce86c2136c50ea2800173a4301536b92d9d07bffd4b
Opcode Fuzzy Hash: 0e57d7be7a0e518f775bd5f854976b85f17ba08eabab43d73b27cd8e2c839af7
Instruction Fuzzy Hash: CA21AC7154030D9BDB21DF65CA48BAABFFDFF41314F10882AE74692151E778EA048B60

Function 005F5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 005F5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 005F5D17
FindClose.KERNEL32(?), ref: 005F5D5F

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: b0b6cc3e19f41483e1607cdd274e51190fdf28ffb3950842b999b323b182443c
Instruction ID: ed7c4d3dd7285a2a1fab95a219b27f1015e237dc69d21ff389b73028c23f5cea
Opcode Fuzzy Hash: b0b6cc3e19f41483e1607cdd274e51190fdf28ffb3950842b999b323b182443c
Instruction Fuzzy Hash: CF519D746046069FC714DF28C498EAABBE4FF49324F14855EEA5ACB3A1DB34ED04CB91

Function 005B2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 005B271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 005B2724
UnhandledExceptionFilter.KERNEL32(?), ref: 005B2731

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 15097454d037fffe52403947aa3aa88bff2a8185e43341a3ff019ad27f7656ff
Instruction ID: 0d04ebe54bdd74f41b2a9d8fe1856e587b5b06ae0793439f4337a4e35233ea2b
Opcode Fuzzy Hash: 15097454d037fffe52403947aa3aa88bff2a8185e43341a3ff019ad27f7656ff
Instruction Fuzzy Hash: A631D374951219ABCB21DF68DC897DCBBB8BF08310F5051EAE81CA7260EB309F818F54

Function 005F51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005F51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 005F5238
SetErrorMode.KERNEL32(00000000), ref: 005F52A1

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 73d3ade5fce315a026fc3a43ead4e8d789131517cf8f366341f5cb81734f7017
Instruction ID: 09e3331569ff23419a08b003f6436190c985690e3a12984ecfee85f1bcca4096
Opcode Fuzzy Hash: 73d3ade5fce315a026fc3a43ead4e8d789131517cf8f366341f5cb81734f7017
Instruction Fuzzy Hash: A5315E75A00519DFDB00EF54D888EADBFB5FF49318F088099E905AB362DB35E855CBA0

Function 005E16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0059FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 005A0668
Part of subcall function 0059FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 005A0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 005E170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 005E173A
GetLastError.KERNEL32 ref: 005E174A

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: c5b0afca9e8f650442843075d4343d6acb8adb6526a7e74d6412b9650e4116d6
Instruction ID: 318340333c1ec3de8c02813f6841c4cd9f6332c174df27aa8cdf2f52abadc808
Opcode Fuzzy Hash: c5b0afca9e8f650442843075d4343d6acb8adb6526a7e74d6412b9650e4116d6
Instruction Fuzzy Hash: 2411C1B2410305AFD718DF54DC86DAABBB9FB44724B24852EE09697641EB70BC41CB24

Function 005ED5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 005ED608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 005ED645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 005ED650

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: acef2714d5d5c96e4a7a6e59448b39fb1153ab050bf33152c696f31641a95f2c
Instruction ID: e036f8c96553ea7d9bc7b5d86e0d2c04437cf445a5d64c8d5370fd61279ce038
Opcode Fuzzy Hash: acef2714d5d5c96e4a7a6e59448b39fb1153ab050bf33152c696f31641a95f2c
Instruction Fuzzy Hash: B8117C71E41228BBDB108F959C45FEFBFBCEB45B60F108112F914E7290C2704A018BA1

Function 005E1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 005E168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 005E16A1
FreeSid.ADVAPI32(?), ref: 005E16B1

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 542378499806413e1377e4216a3e8018cb367aba718e127a03880e3655c2eee8
Instruction ID: deb6f444337962e27b8a94111f3edce5ffc0379cf53b00dcdb113736385e5aa2
Opcode Fuzzy Hash: 542378499806413e1377e4216a3e8018cb367aba718e127a03880e3655c2eee8
Instruction Fuzzy Hash: 7AF04471980308FBDB00CFE08C89EAEBBBDFB08211F008561E500E2180E331AA448A50

Function 005BC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 005BC36C

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 49b992e0b8ef24af04b0e667421069dd6ec849845ec972ec263df10a1f56c81a
Instruction ID: a22534281a1e611183abfe489914d6ddb9a2d3f16b0c832ddb9617850fc41d44
Opcode Fuzzy Hash: 49b992e0b8ef24af04b0e667421069dd6ec849845ec972ec263df10a1f56c81a
Instruction Fuzzy Hash: CC413676900219ABCB209FB9CC89EFB7FB8FB84315F504669F905C7180E670AE818B54

Function 005DD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 005DD28C

Strings

X64, xrefs: 005DD2A8

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 96e5baeb7c9804a4a818393a3abe370eee1836769a6ff5565ae7043a1cacc34e
Instruction ID: 013f13c8d0ebd0405d5e01b39d37b240851d260bc540603cd9c32d26caa0bde4
Opcode Fuzzy Hash: 96e5baeb7c9804a4a818393a3abe370eee1836769a6ff5565ae7043a1cacc34e
Instruction Fuzzy Hash: 41D0C9B480111DEACF94CB90DC88DDDB77CBB04345F104552F546A2100D73495489F20

Function 005ACAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 6221c3af6a85e1e8b93eaaf948e4eb4eacb09c30333b577f3f5bd2f5b894f9a2
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 38021A71E002199FDF14CFA9C8906ADBFF5FF89324F258169D819AB281D731AE418B94

Function 0058CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#e, xrefs: 0058CF7F
Variable is not of type 'Object'., xrefs: 005D0C40

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#e
API String ID: 0-1812669178
Opcode ID: 86c9371643c9f1c29abd75975ccd2f3772c615dd20fa2b0f64e42e42155bb098
Instruction ID: 95e262f6d87ce21db26183212fc87016fa72fc8b2ea6fcb89ef0aa6d97e4c0e0
Opcode Fuzzy Hash: 86c9371643c9f1c29abd75975ccd2f3772c615dd20fa2b0f64e42e42155bb098
Instruction Fuzzy Hash: AE3287709002199BDF24EF94D885BEDBFB9BF45308F14845AE806BB392D771AE45CB60

Function 005F68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 005F6918
FindClose.KERNEL32(00000000), ref: 005F6961

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 38e6808836587552e98863dcc7c69283f5786fcf258d39f178130cf87c71f693
Instruction ID: d00de2560d95c3d859a66426b993c06ce130d6b8ee7e37b5a885ee3a74dee6a4
Opcode Fuzzy Hash: 38e6808836587552e98863dcc7c69283f5786fcf258d39f178130cf87c71f693
Instruction Fuzzy Hash: 3011D0316042059FD710DF29D488A2ABBE1FF88328F14C699E9698F3A2C774EC05CB90

Function 005F37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00604891,?,?,00000035,?), ref: 005F37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00604891,?,?,00000035,?), ref: 005F37F4

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 688bfc2cf6e4937598d17eccbf426db74720bcffcf87d1a8c10ed43be578f1fc
Instruction ID: 70080190c554e6ce550c6999c35e9dab3491f281241077c989a744ac0b0ab329
Opcode Fuzzy Hash: 688bfc2cf6e4937598d17eccbf426db74720bcffcf87d1a8c10ed43be578f1fc
Instruction Fuzzy Hash: FCF0E5B06052292AE72067A69C4DFEB3FAEFFC5771F000175F609E2281D9A09E44C7B0

Function 005EB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 005EB25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 005EB270

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 18caa4f9e9909a8ebfb0ddf2fed55099cc0b3f510da1622aeaefcb128ca1ef27
Instruction ID: f8977d83c0964085915becb0bb14308495f760fd04400c96a3d89db38dd75164
Opcode Fuzzy Hash: 18caa4f9e9909a8ebfb0ddf2fed55099cc0b3f510da1622aeaefcb128ca1ef27
Instruction Fuzzy Hash: ACF06D7580428DABEB058FA1C805BEE7FB0FF04315F04800AF951A5191C37982119F94

Function 005E10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005E11FC), ref: 005E10D4
CloseHandle.KERNEL32(?,?,005E11FC), ref: 005E10E9

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 168e228c335dc46a099274e8ee38e23e721f12d973036d9c754b0084a7059675
Instruction ID: 88b4da2a3e8511341abf0e26e7bc6d365103b7d58f7ea8348fd94acac8c89000
Opcode Fuzzy Hash: 168e228c335dc46a099274e8ee38e23e721f12d973036d9c754b0084a7059675
Instruction Fuzzy Hash: 22E04F32004611AFEB252B11FC09EB77BAAFB04320B24C82EF4A5804B1DB626C90DB14

Function 005B676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,005B6766,?,?,00000008,?,?,005BFEFE,00000000), ref: 005B6998

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: a65b9e1ba35e6a05ff3bd6aff6d8e02255b8e4aa91fb9cc70120293c32d6c24e
Instruction ID: 27d867252388a72020d7a1d91cdce7bb77c2db3fbfccb88a3935918de450663d
Opcode Fuzzy Hash: a65b9e1ba35e6a05ff3bd6aff6d8e02255b8e4aa91fb9cc70120293c32d6c24e
Instruction Fuzzy Hash: 27B14D31510609DFDB15CF28C49ABA57FE0FF45364F298658E899CF2A2C739E991CB40

Function 0059B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 005D851F

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 81842538650e180f5d441a6a2c709aeacfa0815bee31013ffccd473745ab6fec
Instruction ID: 2f72077838308da8e5541649f06e65c46021fbe2807b9c0bf14f44d62fbafceb
Opcode Fuzzy Hash: 81842538650e180f5d441a6a2c709aeacfa0815bee31013ffccd473745ab6fec
Instruction Fuzzy Hash: 55126E759002299BEF24CF58D9806FEBBB5FF48710F14859AE809EB251DB309E81DF90

Function 005FEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 005FEABD

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: aada066cbea5a4e4438703fc5fa98ea8bd19390e965f4c5d31f9f02c3b631435
Instruction ID: 4eefc893c6963d8f414f2e0335adf8c65cc2a0532491af5fc749678e325baac3
Opcode Fuzzy Hash: aada066cbea5a4e4438703fc5fa98ea8bd19390e965f4c5d31f9f02c3b631435
Instruction Fuzzy Hash: A7E01A312002059FD710EF5AD809E9ABFE9BF98760F008416FD49D7361DA74A8408BA0

Function 005A09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,005A03EE), ref: 005A09DA

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: ca18e8a811150e7d80627374ed1773f5bed48ac27516b12ca2c97ef2e4a22842
Instruction ID: bbc8ae2edeed20caf3cc2372155c9f458b761bacf2bc33ff3dd3c15d0f362175
Opcode Fuzzy Hash: ca18e8a811150e7d80627374ed1773f5bed48ac27516b12ca2c97ef2e4a22842
Instruction Fuzzy Hash:

Function 005A781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 005A798B

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 0c55453c488f158ff51b11e102765e7e4236917b14bb505209e022286bf8529c
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: A451677260C60F6FDB3885288C5D7BF2F89BB5F340F18091AD986D7282C619DE05D356

Function 005F2046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&e, xrefs: 005F2053

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID:
String ID: 0&e
API String ID: 0-623651441
Opcode ID: cda38ff61e1e2ae6b795e341827ef7d39380d661f0f4ee5884b526b75fcb7d32
Instruction ID: 5e595ab6e8a1e9fb74bd7748a0cd6a4b8e7fbf6eb6c78320edc6cd1cf5d7964d
Opcode Fuzzy Hash: cda38ff61e1e2ae6b795e341827ef7d39380d661f0f4ee5884b526b75fcb7d32
Instruction Fuzzy Hash: 4321BB726606158BDB28CF79C82767E77E9B754310F15862EE4A7C37D0DE39A904C740

Function 005B6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 526b7f42ab3d7a6955b3a8352e7aabc12dbe51a14a3c4e07c4069c37042e50ec
Instruction ID: 7849b1129253f5f8fd37160255fb6b949b0ddc5ad913cbb55be1de33345fdf73
Opcode Fuzzy Hash: 526b7f42ab3d7a6955b3a8352e7aabc12dbe51a14a3c4e07c4069c37042e50ec
Instruction Fuzzy Hash: 06320331D29F064DD7339634C832375AA89AFBB3C5F15D727E81AB59A6EB29D4834100

Function 0059CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e36cea78516c26ec2a4f8c3e8c0f731822e3945c683e1c1a829e75467b43d9c9
Instruction ID: 21c824bf20f28d041718ee4681ed239dd710126aa987eb3044444233cba4c230
Opcode Fuzzy Hash: e36cea78516c26ec2a4f8c3e8c0f731822e3945c683e1c1a829e75467b43d9c9
Instruction Fuzzy Hash: 3732E132A401578BDF38CA6CC49467D7FA2FB45300F28896BD86ADB791D630DD81DB41

Function 00587920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4969f7150fb496fcdc831d6a6fd097fb443564ecf4db9293322f408e06da3e2e
Instruction ID: 3c76f783885a7d5036fe3251945b6392a36304f2c67a08f8496a3730796308e0
Opcode Fuzzy Hash: 4969f7150fb496fcdc831d6a6fd097fb443564ecf4db9293322f408e06da3e2e
Instruction Fuzzy Hash: 3E228E70A0460A9FDF14DFA4C885BAEBBB6FF48300F244529E816A7291FB35ED55CB50

Function 005891C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb845c4c88a168ec5b032685cec53fcf1724740ea797d608d0bfe86499dd44cc
Instruction ID: f59a5d69b062602973a71b0ebb32f71671363c3aaedc6d13f412da261ae2e95b
Opcode Fuzzy Hash: fb845c4c88a168ec5b032685cec53fcf1724740ea797d608d0bfe86499dd44cc
Instruction Fuzzy Hash: B40293B0A00206EFDF05DF54D886BADBBB5FF44304F148569E816EB291EB31AE11CB91

Function 005B9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea703df8718d8c12bf4063c066c6baf510d2e313c98e949db8464a5fb2ec8f70
Instruction ID: 2f8781c8cfd64d05bc90bd5c63405af97253680a4f264648f80855d7189f2c9a
Opcode Fuzzy Hash: ea703df8718d8c12bf4063c066c6baf510d2e313c98e949db8464a5fb2ec8f70
Instruction Fuzzy Hash: D3B11420D2AF914DC72396398831336BA5DBFBB6D5F51E71BFC1674E22EB2686834140

Function 005A1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 6b686fe2f103213615a455f0e4b037e24d77b0d2d45832b1545334db2e25212f
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 619164722084A34EDB29463E857403EFFE57B933B1B1A0B9ED4F2CA1C5FE248954D624

Function 005A1F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 7feed559978484fe4d8b42df31bf86c44b97cac0160a71d12d421a1a139a4d9a
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: EC9144722094E34DDB69423E857903EFFE17B933A1B1A079DE4F2CA1C5EE248554E624

Function 005A19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 8b2e5a2834b825b94b3fc2c718ae6c9415b49e2cdfd3a42ecb01e5b8aed9f44b
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: CC9144722098A34EDB2D467A957403EFFE16B933A2B1E079DD4F2CA1C1FD24C954D624

Function 005A7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2ed5138a71769229229a5162e8c87b9e4ebd6132d2194d08fdca95436919993
Instruction ID: 694187f1a07caf95167f8d8183f6b1fa2280658e79457d3a443eadfde20c7b2a
Opcode Fuzzy Hash: a2ed5138a71769229229a5162e8c87b9e4ebd6132d2194d08fdca95436919993
Instruction Fuzzy Hash: CE613BB160870E66DE3499289DA9BBF2F94FF8F710F140D19E943DB281E6119E42C375

Function 005A7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88ea2f7e1a228966a85b8d8aab0177aa6020b74704ae1a43335bffa1dfbeadd9
Instruction ID: 8322a2f277507fd89e13836e66e0022e353af713980f3b39a975fa0c682c0dd5
Opcode Fuzzy Hash: 88ea2f7e1a228966a85b8d8aab0177aa6020b74704ae1a43335bffa1dfbeadd9
Instruction Fuzzy Hash: DB616A7160870E67DE385A384C69BBF2F98FF9F704F140D59E943DB281EA12AD428355

Function 005A1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: d72f6d6a7b523a2a34413de6d4d80464bd67b5f8cb73154d6f58fa66014a5596
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: E58175726094A30DDB6D423A853443EFFE1BB933A1B1A079DD4F2CB1C1EE24C954E624

Function 00602ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00602B30
DeleteObject.GDI32(00000000), ref: 00602B43
DestroyWindow.USER32 ref: 00602B52
GetDesktopWindow.USER32 ref: 00602B6D
GetWindowRect.USER32(00000000), ref: 00602B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00602CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00602CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00602CF8
GetClientRect.USER32(00000000,?), ref: 00602D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00602D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00602D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00602D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00602D80
GlobalLock.KERNEL32(00000000), ref: 00602D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00602D98
GlobalUnlock.KERNEL32(00000000), ref: 00602DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00602DA8
GlobalFree.KERNEL32(00000000), ref: 00602DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00602DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0061FC38,00000000), ref: 00602DDB
GlobalFree.KERNEL32(00000000), ref: 00602DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00602E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00602E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00602E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0060303F

Strings

AutoIt v3, xrefs: 00602CF2
static, xrefs: 00602D3A, 00602E91
, xrefs: 00602FC5
DISPLAY, xrefs: 00602EA2

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 336bbb5b53e3087645a009400c29f8ebf3e8a1a3afc9960572f21c9fc3562be0
Instruction ID: f381747acf72381b336baf800c0ead7dd7a13281d4f2df21b3a6bf42b3d0d0ae
Opcode Fuzzy Hash: 336bbb5b53e3087645a009400c29f8ebf3e8a1a3afc9960572f21c9fc3562be0
Instruction Fuzzy Hash: 2B029B71540206AFDB14DF64CC9DEAE7BBAFF49721F048159F915AB2A0DB70AD01CB60

Function 006170D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0061712F
GetSysColorBrush.USER32(0000000F), ref: 00617160
GetSysColor.USER32(0000000F), ref: 0061716C
SetBkColor.GDI32(?,000000FF), ref: 00617186
SelectObject.GDI32(?,?), ref: 00617195
InflateRect.USER32(?,000000FF,000000FF), ref: 006171C0
GetSysColor.USER32(00000010), ref: 006171C8
CreateSolidBrush.GDI32(00000000), ref: 006171CF
FrameRect.USER32(?,?,00000000), ref: 006171DE
DeleteObject.GDI32(00000000), ref: 006171E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00617230
FillRect.USER32(?,?,?), ref: 00617262
GetWindowLongW.USER32(?,000000F0), ref: 00617284

Part of subcall function 006173E8: GetSysColor.USER32(00000012), ref: 00617421
Part of subcall function 006173E8: SetTextColor.GDI32(?,?), ref: 00617425
Part of subcall function 006173E8: GetSysColorBrush.USER32(0000000F), ref: 0061743B
Part of subcall function 006173E8: GetSysColor.USER32(0000000F), ref: 00617446
Part of subcall function 006173E8: GetSysColor.USER32(00000011), ref: 00617463
Part of subcall function 006173E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00617471
Part of subcall function 006173E8: SelectObject.GDI32(?,00000000), ref: 00617482
Part of subcall function 006173E8: SetBkColor.GDI32(?,00000000), ref: 0061748B
Part of subcall function 006173E8: SelectObject.GDI32(?,?), ref: 00617498
Part of subcall function 006173E8: InflateRect.USER32(?,000000FF,000000FF), ref: 006174B7
Part of subcall function 006173E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 006174CE
Part of subcall function 006173E8: GetWindowLongW.USER32(00000000,000000F0), ref: 006174DB

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: a30c3a2be58ddad622df49ee9dc9c0b5ea080cbb08bfebaaf0b71848e439143a
Instruction ID: 1ea5c6a4ebaec732dfa9d59c693ec674b5a64c6e4d56855c955d9dd00fcaae5d
Opcode Fuzzy Hash: a30c3a2be58ddad622df49ee9dc9c0b5ea080cbb08bfebaaf0b71848e439143a
Instruction Fuzzy Hash: 35A1AD72048301BFDB009F64DC48A9E7BBBFB89331F185A1AF962961A0D771E9858B51

Function 00598D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00598E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 005D6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 005D6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 005D6F43

Part of subcall function 00598F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00598BE8,?,00000000,?,?,?,?,00598BBA,00000000,?), ref: 00598FC5

SendMessageW.USER32(?,00001053), ref: 005D6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 005D6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 005D6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 005D6FB7

Strings

0, xrefs: 005D6DCF

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 15899c085de09c5e050f54c540286ba9ad6291c93cd00b6ebe5a11dbf735cd0b
Instruction ID: 724279a34e3b9963fad3c510ae8a135427036e5ac549e6d6fc0a1a494a78bc90
Opcode Fuzzy Hash: 15899c085de09c5e050f54c540286ba9ad6291c93cd00b6ebe5a11dbf735cd0b
Instruction Fuzzy Hash: E9129E30600211DFDB25DF18D958BBABFAAFB46311F18846BF4958B261CB31EC52DB91

Function 00602711 Relevance: 47.6, APIs: 22, Strings: 5, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0060273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0060286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 006028A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 006028B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00602900
GetClientRect.USER32(00000000,?), ref: 0060290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00602955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00602964
GetStockObject.GDI32(00000011), ref: 00602974
SelectObject.GDI32(00000000,00000000), ref: 00602978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00602988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00602991
DeleteDC.GDI32(00000000), ref: 0060299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 006029C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 006029DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00602A1D
SendMessageW.USER32(00000000,00000401,00000000,_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{), ref: 00602A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00602A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00602A77
GetStockObject.GDI32(00000011), ref: 00602A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00602A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00602A97

Strings

AutoIt v3, xrefs: 006028F8
msctls_progress32, xrefs: 00602A13
static, xrefs: 0060294F, 00602A71
_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{, xrefs: 00602A1F
DISPLAY, xrefs: 0060295A

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{$msctls_progress32$static
API String ID: 2910397461-2119349891
Opcode ID: b728457ef9cae1f251076b8a479330e6c61f6952304bf4ca8cf911fa88260f4d
Instruction ID: 27a286a4a9d208ba85d776b2f4df0fe4552b3443fbf65e1dac61e4e5be42f440
Opcode Fuzzy Hash: b728457ef9cae1f251076b8a479330e6c61f6952304bf4ca8cf911fa88260f4d
Instruction Fuzzy Hash: B1B14B71A40215AFEB14DF68CC5AFAE7BAAFB49721F048115F914EB290D770AD40CBA0

Function 005F4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005F4AED
GetDriveTypeW.KERNEL32(?,0061CB68,?,\\.\,0061CC08), ref: 005F4BCA
SetErrorMode.KERNEL32(00000000,0061CB68,?,\\.\,0061CC08), ref: 005F4D36

Strings

Removable, xrefs: 005F4C10, 005F4C15
iSCSI, xrefs: 005F4CC2
FileBackedVirtual, xrefs: 005F4CEC
SATA, xrefs: 005F4CD0
CDROM, xrefs: 005F4BFB
1394, xrefs: 005F4C9F
MMC, xrefs: 005F4CDE
RAID, xrefs: 005F4CBB
\\.\, xrefs: 005F4B3F
PhysicalDrive, xrefs: 005F4B76
Fibre, xrefs: 005F4CAD
SCSI, xrefs: 005F4C8A
Network, xrefs: 005F4C02
USB, xrefs: 005F4CB4
SSA, xrefs: 005F4CA6
Unknown, xrefs: 005F4BED, 005F4C83
Virtual, xrefs: 005F4CE5
Fixed, xrefs: 005F4C09
ATAPI, xrefs: 005F4C91
ATA, xrefs: 005F4C98
SSD, xrefs: 005F4C4A
RAMDisk, xrefs: 005F4BF4
SAS, xrefs: 005F4CC9

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 5f902f955e1a22cf06eade9d060ea4300f21be388e8a05bd645fdcc5aea3dbc1
Instruction ID: 12fcf78ef2015195c4e039090e4fda64252ce1c34780eb085abfbf0b77c01b8a
Opcode Fuzzy Hash: 5f902f955e1a22cf06eade9d060ea4300f21be388e8a05bd645fdcc5aea3dbc1
Instruction Fuzzy Hash: C561D33064120EDBCB04EF24C9869BE7FB2BF85710B249815F906AB652DB39DD41DF62

Function 006173E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00617421
SetTextColor.GDI32(?,?), ref: 00617425
GetSysColorBrush.USER32(0000000F), ref: 0061743B
GetSysColor.USER32(0000000F), ref: 00617446
CreateSolidBrush.GDI32(?), ref: 0061744B
GetSysColor.USER32(00000011), ref: 00617463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00617471
SelectObject.GDI32(?,00000000), ref: 00617482
SetBkColor.GDI32(?,00000000), ref: 0061748B
SelectObject.GDI32(?,?), ref: 00617498
InflateRect.USER32(?,000000FF,000000FF), ref: 006174B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 006174CE
GetWindowLongW.USER32(00000000,000000F0), ref: 006174DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0061752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00617554
InflateRect.USER32(?,000000FD,000000FD), ref: 00617572
DrawFocusRect.USER32(?,?), ref: 0061757D
GetSysColor.USER32(00000011), ref: 0061758E
SetTextColor.GDI32(?,00000000), ref: 00617596
DrawTextW.USER32(?,006170F5,000000FF,?,00000000), ref: 006175A8
SelectObject.GDI32(?,?), ref: 006175BF
DeleteObject.GDI32(?), ref: 006175CA
SelectObject.GDI32(?,?), ref: 006175D0
DeleteObject.GDI32(?), ref: 006175D5
SetTextColor.GDI32(?,?), ref: 006175DB
SetBkColor.GDI32(?,?), ref: 006175E5

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 95891dd90bf0f3651918a9fd12b8ee8ed5cb5ed13b8d4adafd15b235ab595d09
Instruction ID: bbdb0c92ee9e2314017b9b821ccf5c3491b2a46dc4d6f5fc5531b45da67dabdb
Opcode Fuzzy Hash: 95891dd90bf0f3651918a9fd12b8ee8ed5cb5ed13b8d4adafd15b235ab595d09
Instruction Fuzzy Hash: CA616D72944218BFDF019FA4DC49EEE7FBAEB09330F199116F915AB2A1D7709940CB90

Function 00610FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00611128
GetDesktopWindow.USER32 ref: 0061113D
GetWindowRect.USER32(00000000), ref: 00611144
GetWindowLongW.USER32(?,000000F0), ref: 00611199
DestroyWindow.USER32(?), ref: 006111B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 006111ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0061120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0061121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00611232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00611245
IsWindowVisible.USER32(00000000), ref: 006112A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 006112BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 006112D0
GetWindowRect.USER32(00000000,?), ref: 006112E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0061130E
GetMonitorInfoW.USER32(00000000,?), ref: 00611328
CopyRect.USER32(?,?), ref: 0061133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 006113AA

Strings

tooltips_class32, xrefs: 006111E6
(, xrefs: 0061131B
0, xrefs: 006110D3

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: d7b5e242fbf5468125584b06f76193fc5e9e0a5b79c4ec70e3d804dbd0131d3e
Instruction ID: 8b2d4c228e267683421853202cb82d8a1cb97dcd7042745dce7ae2c2256ddcd1
Opcode Fuzzy Hash: d7b5e242fbf5468125584b06f76193fc5e9e0a5b79c4ec70e3d804dbd0131d3e
Instruction Fuzzy Hash: 86B1A171608341AFD700DF64C889BAEBBE5FF89350F04891DFA999B261D731D884CB91

Function 00610241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 006102E5
_wcslen.LIBCMT ref: 0061031F
_wcslen.LIBCMT ref: 00610389
_wcslen.LIBCMT ref: 006103F1
_wcslen.LIBCMT ref: 00610475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 006104C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00610504

Part of subcall function 0059F9F2: _wcslen.LIBCMT ref: 0059F9FD

Part of subcall function 005E223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 005E2258
Part of subcall function 005E223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 005E228A

Strings

VIEWCHANGE, xrefs: 00610675
SELECTALL, xrefs: 00610515
SELECT, xrefs: 00610548
GETSUBITEMCOUNT, xrefs: 00610384, 0061039F
ISSELECTED, xrefs: 006104DD
GETSELECTED, xrefs: 006105E1
GETSELECTEDCOUNT, xrefs: 00610470, 0061048B
DESELECT, xrefs: 0061059C
GETTEXT, xrefs: 006103EC, 00610407
SELECTINVERT, xrefs: 0061057E
GETITEMCOUNT, xrefs: 00610316, 00610337
SELECTCLEAR, xrefs: 0061052D
FINDITEM, xrefs: 00610627

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: e89d43011f051d94e76141365d0a0480ea6833583640943a1ab9c639c0b3ba15
Instruction ID: 24e0cff061e312a517099bc9dee2a77db8056b0aa35d518036a3d0caec42d805
Opcode Fuzzy Hash: e89d43011f051d94e76141365d0a0480ea6833583640943a1ab9c639c0b3ba15
Instruction Fuzzy Hash: 42E1A2312082429FDB14EF24C5918AABBE7BFC8714F18495DF896AB391D770ED85CB81

Function 00598891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00598968
GetSystemMetrics.USER32(00000007), ref: 00598970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0059899B
GetSystemMetrics.USER32(00000008), ref: 005989A3
GetSystemMetrics.USER32(00000004), ref: 005989C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 005989E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 005989F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00598A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00598A3C
GetClientRect.USER32(00000000,000000FF), ref: 00598A5A
GetStockObject.GDI32(00000011), ref: 00598A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00598A81

Part of subcall function 0059912D: GetCursorPos.USER32(?), ref: 00599141
Part of subcall function 0059912D: ScreenToClient.USER32(00000000,?), ref: 0059915E
Part of subcall function 0059912D: GetAsyncKeyState.USER32(00000001), ref: 00599183
Part of subcall function 0059912D: GetAsyncKeyState.USER32(00000002), ref: 0059919D

SetTimer.USER32(00000000,00000000,00000028,005990FC), ref: 00598AA8

Strings

AutoIt v3 GUI, xrefs: 00598A20

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: ed25374a39fa5697d9768fcf74448805ac3b2dfff4ac121b9d9d408e481e23e9
Instruction ID: 17f59fb1ef7be6cb46d42ce3d69d82b4d5a373580b9c93f075e099bd2d762936
Opcode Fuzzy Hash: ed25374a39fa5697d9768fcf74448805ac3b2dfff4ac121b9d9d408e481e23e9
Instruction Fuzzy Hash: C3B16E71A4020A9FDF14DF68CC45BEE3BB6FB49325F14412AFA15AB290DB74E841CB51

Function 005E0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005E10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 005E1114
Part of subcall function 005E10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,005E0B9B,?,?,?), ref: 005E1120
Part of subcall function 005E10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,005E0B9B,?,?,?), ref: 005E112F
Part of subcall function 005E10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,005E0B9B,?,?,?), ref: 005E1136
Part of subcall function 005E10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 005E114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 005E0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 005E0E29
GetLengthSid.ADVAPI32(?), ref: 005E0E40
GetAce.ADVAPI32(?,00000000,?), ref: 005E0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 005E0E96
GetLengthSid.ADVAPI32(?), ref: 005E0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 005E0EB5
HeapAlloc.KERNEL32(00000000), ref: 005E0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 005E0EDD
CopySid.ADVAPI32(00000000), ref: 005E0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 005E0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 005E0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 005E0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 005E0F6E
HeapFree.KERNEL32(00000000), ref: 005E0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 005E0F7E
HeapFree.KERNEL32(00000000), ref: 005E0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 005E0F8E
HeapFree.KERNEL32(00000000), ref: 005E0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 005E0FA1
HeapFree.KERNEL32(00000000), ref: 005E0FA8

Part of subcall function 005E1193: GetProcessHeap.KERNEL32(00000008,005E0BB1,?,00000000,?,005E0BB1,?), ref: 005E11A1
Part of subcall function 005E1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,005E0BB1,?), ref: 005E11A8
Part of subcall function 005E1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,005E0BB1,?), ref: 005E11B7

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 7f765c48342243fb6a6938db30a0a6b321cd1f8ec22da0ba4586f3aec47c3a34
Instruction ID: 3423612f6a34c26a4e008be23dc2c3fc0281981510971cf38a1458eb52cf53fc
Opcode Fuzzy Hash: 7f765c48342243fb6a6938db30a0a6b321cd1f8ec22da0ba4586f3aec47c3a34
Instruction Fuzzy Hash: 5571CE7290024AABDF24CFA5DC49FEEBBB9BF08311F089115F9A8E6190D7719D54CB60

Function 0060C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0060C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0061CC08,00000000,?,00000000,?,?), ref: 0060C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0060C5A4
_wcslen.LIBCMT ref: 0060C5F4
_wcslen.LIBCMT ref: 0060C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0060C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0060C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0060C84D
RegCloseKey.ADVAPI32(?), ref: 0060C881
RegCloseKey.ADVAPI32(00000000), ref: 0060C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0060C960

Strings

REG_DWORD, xrefs: 0060C804
REG_QWORD, xrefs: 0060C8C3
REG_BINARY, xrefs: 0060C913
REG_EXPAND_SZ, xrefs: 0060C5CD
REG_SZ, xrefs: 0060C644
REG_MULTI_SZ, xrefs: 0060C6F5

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 440f8f2687bab5be4d83df86f8daf09e3547d84d1a04449a814c86f56e897ab5
Instruction ID: 04f64a6ae4eeb10b5e7e1e6d5e079012128f77cbf04e90d1c3db245f5b518083
Opcode Fuzzy Hash: 440f8f2687bab5be4d83df86f8daf09e3547d84d1a04449a814c86f56e897ab5
Instruction Fuzzy Hash: C8128E352042019FD714EF14C885A6ABBE6FF88724F14895DF85AAB3A2DB31FC41CB95

Function 0061091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 006109C6
_wcslen.LIBCMT ref: 00610A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00610A54
_wcslen.LIBCMT ref: 00610A8A
_wcslen.LIBCMT ref: 00610B06
_wcslen.LIBCMT ref: 00610B81

Part of subcall function 0059F9F2: _wcslen.LIBCMT ref: 0059F9FD

Part of subcall function 005E2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005E2BFA

Strings

GETTOTALCOUNT, xrefs: 006109F2, 00610A17
EXISTS, xrefs: 00610B7C, 00610B97
UNCHECK, xrefs: 00610D3E
COLLAPSE, xrefs: 00610B01, 00610B1C
GETSELECTED, xrefs: 00610C4E
GETTEXT, xrefs: 00610C97
ISCHECKED, xrefs: 00610CE1
SELECT, xrefs: 00610D11
GETITEMCOUNT, xrefs: 00610C1E
EXPAND, xrefs: 00610BF8
CHECK, xrefs: 00610A85, 00610AA0

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: f314f4f886dd0f1b9840dbcd365615ebafd3e11f42735eb73347415663a726e9
Instruction ID: 12727c13592bfa47bb62d1c690b276180db379e2d978f1c58d1c868f22e5bd9a
Opcode Fuzzy Hash: f314f4f886dd0f1b9840dbcd365615ebafd3e11f42735eb73347415663a726e9
Instruction Fuzzy Hash: D7E1B2352083429FDB14EF24C4509AABBE2BFD8314F18895CF895AB362D771ED85CB91

Function 0060C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0060B6AE,?,?), ref: 0060C9B5
_wcslen.LIBCMT ref: 0060C9F1
_wcslen.LIBCMT ref: 0060CA68
_wcslen.LIBCMT ref: 0060CA9E
_wcslen.LIBCMT ref: 0060CAF9
_wcslen.LIBCMT ref: 0060CB2F
_wcslen.LIBCMT ref: 0060CB7F

Strings

HKCC, xrefs: 0060CBAC
HKEY_CURRENT_USER, xrefs: 0060CBBD
HKEY_LOCAL_MACHINE, xrefs: 0060CA62, 0060CA67
HKU, xrefs: 0060CBF0
HKEY_CURRENT_CONFIG, xrefs: 0060CB79, 0060CB7E
HKCU, xrefs: 0060CBCE
HKEY_CLASSES_ROOT, xrefs: 0060CAF3, 0060CAF8
HKCR, xrefs: 0060CB29, 0060CB2E
HKLM, xrefs: 0060CA98, 0060CA9D
HKEY_USERS, xrefs: 0060CBDF

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 442389cc6f8b69e296d57421429866377fc19ebce409a31ddfd6ecaa5c3ea819
Instruction ID: 94a2e4b67b7a941f44ea96368e79b8cf0b5e1769c172f73c3da3418ebc3483df
Opcode Fuzzy Hash: 442389cc6f8b69e296d57421429866377fc19ebce409a31ddfd6ecaa5c3ea819
Instruction Fuzzy Hash: 8D71DF3268016A8BCB28DF6CC9515FF3797ABA1770B250628FC56A73C4E731CD4587A0

Function 0061833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0061835A
_wcslen.LIBCMT ref: 0061836E
_wcslen.LIBCMT ref: 00618391
_wcslen.LIBCMT ref: 006183B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 006183F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00615BF2), ref: 0061844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00618487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 006184CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00618501
FreeLibrary.KERNEL32(?), ref: 0061850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0061851D
DestroyIcon.USER32(?,?,?,?,?,00615BF2), ref: 0061852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00618549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00618555

Strings

.exe, xrefs: 00618388
.dll, xrefs: 006183AB
.icl, xrefs: 00618368

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: abeac818287eb15d86be1af1d28f3dfe023766824dd56a18378eaaa756191081
Instruction ID: 56d8671b12fba32884fa710e7ec0e97809b9116c7ce0785a28adf768f237d7e1
Opcode Fuzzy Hash: abeac818287eb15d86be1af1d28f3dfe023766824dd56a18378eaaa756191081
Instruction Fuzzy Hash: 3461BE71540206BEEB149F64CC45BFE7BAABB44721F14460AF815D71D1DFB4A990CBA0

Function 00587778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

Bad directive syntax error, xrefs: 005C519A
#pragma compile, xrefs: 005877D3
", xrefs: 005C5153
#comments-start, xrefs: 0058785F, 005878B1
#include, xrefs: 00587847
#include-once, xrefs: 0058782F
#OnAutoItStartRegister, xrefs: 00587817
#requireadmin, xrefs: 005877FF
', xrefs: 005C5169
#ce, xrefs: 005878ED
Cannot parse #include, xrefs: 005C5279
Unterminated group of comments, xrefs: 005C528C
#comments-end, xrefs: 005878D9
#notrayicon, xrefs: 005877E7
#cs, xrefs: 00587873, 005878C5

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: f01368050339b8f45514c1c18ec76a5cdb9e5e21aea42117cd29ae7a13f3fc46
Instruction ID: 745c5d408bbec57dc7374b1475adc7f02e259b2bbe71664e111162c4246a933e
Opcode Fuzzy Hash: f01368050339b8f45514c1c18ec76a5cdb9e5e21aea42117cd29ae7a13f3fc46
Instruction Fuzzy Hash: 5D81B37164460AABDB10BFA0CC4AFBE7FA9FF99300F184424FD05AA196EB70D951C791

Function 005F3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 005F3EF8
_wcslen.LIBCMT ref: 005F3F03
_wcslen.LIBCMT ref: 005F3F5A
_wcslen.LIBCMT ref: 005F3F98
GetDriveTypeW.KERNEL32(?), ref: 005F3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 005F401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 005F4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 005F4087

Strings

close cd wait, xrefs: 005F4072
open , xrefs: 005F3FE5
set cd door , xrefs: 005F4028
wait, xrefs: 005F4044
type cdaudio alias cd wait, xrefs: 005F4001
open, xrefs: 005F3F54, 005F3F59
closed, xrefs: 005F3F08, 005F3F2D, 005F3F46, 005F3F7E, 005F3F97
close, xrefs: 005F3EFE, 005F3F18

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 4b3f379d6bf97fdaad9c08bc9aedfc766261aa7e43e8d47c25668d465df3b075
Instruction ID: eb2b4a2faededae98c6171656f0c98ac82f13926ca70a3d601a0a93c21ecfbba
Opcode Fuzzy Hash: 4b3f379d6bf97fdaad9c08bc9aedfc766261aa7e43e8d47c25668d465df3b075
Instruction Fuzzy Hash: 0D71BD316042069FC310EF24C88587BBBE5FF95758F10492DFA95A7261EB38DE45CB52

Function 005E5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 005E5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 005E5A40
SetWindowTextW.USER32(?,?), ref: 005E5A57
GetDlgItem.USER32(?,000003EA), ref: 005E5A6C
SetWindowTextW.USER32(00000000,?), ref: 005E5A72
GetDlgItem.USER32(?,000003E9), ref: 005E5A82
SetWindowTextW.USER32(00000000,?), ref: 005E5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 005E5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 005E5AC3
GetWindowRect.USER32(?,?), ref: 005E5ACC
_wcslen.LIBCMT ref: 005E5B33
SetWindowTextW.USER32(?,?), ref: 005E5B6F
GetDesktopWindow.USER32 ref: 005E5B75
GetWindowRect.USER32(00000000), ref: 005E5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 005E5BD3
GetClientRect.USER32(?,?), ref: 005E5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 005E5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 005E5C2F

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 7d0b936ce7737aa9cbf755514618c0ea8b00eb04e1e6023cbacc7005a9e85a81
Instruction ID: 975415ed85a7f0f4a585c9a4306ef835ec7a17924046e69e384840bab7e8e93e
Opcode Fuzzy Hash: 7d0b936ce7737aa9cbf755514618c0ea8b00eb04e1e6023cbacc7005a9e85a81
Instruction Fuzzy Hash: 07719031900B45AFDB24DFA9CE85BAEBBF5FF48718F144919E182A35A0E770E944CB50

Function 005FFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 005FFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 005FFE32
LoadCursorW.USER32(00000000,00007F00), ref: 005FFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 005FFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 005FFE53
LoadCursorW.USER32(00000000,00007F01), ref: 005FFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 005FFE69
LoadCursorW.USER32(00000000,00007F88), ref: 005FFE74
LoadCursorW.USER32(00000000,00007F80), ref: 005FFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 005FFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 005FFE95
LoadCursorW.USER32(00000000,00007F85), ref: 005FFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 005FFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 005FFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 005FFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 005FFECC
GetCursorInfo.USER32(?), ref: 005FFEDC
GetLastError.KERNEL32 ref: 005FFF1E

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: d25ccdfca27d29b5b0638a0fb507b719dcd66ab3b13c0fb1c9eb20891d652fe2
Instruction ID: 2d9bc228edbb8af59d5bd66b6877ba85b34b8ecfdb4749a632b0af0aa8cd087e
Opcode Fuzzy Hash: d25ccdfca27d29b5b0638a0fb507b719dcd66ab3b13c0fb1c9eb20891d652fe2
Instruction Fuzzy Hash: 6A4165B0D443196ADB10DFBA8C8986EBFE8FF04354B54852AF11DE7681DB789901CF91

Function 005E30F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 005E318D
_wcslen.LIBCMT ref: 005E31F8

Strings

CLASSNN, xrefs: 005E31F3, 005E3204
NAME, xrefs: 005E3335, 005E3346
[d, xrefs: 005E339A
CLASS, xrefs: 005E3188, 005E31A5
INSTANCE, xrefs: 005E3453
TEXT, xrefs: 005E347C
REGEXPCLASS, xrefs: 005E3255, 005E3266

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[d
API String ID: 176396367-2866934335
Opcode ID: 3d1233da7bd338e43b1850be884456f3044aa364e56886a06582d9ac9f410dca
Instruction ID: f61d88502dec8cf6d2d34600b81b564f7c66a0a6c8b760da79b6e55283b19609
Opcode Fuzzy Hash: 3d1233da7bd338e43b1850be884456f3044aa364e56886a06582d9ac9f410dca
Instruction Fuzzy Hash: 39E10432A00556ABCF1C9FA9C459AEEBFB1BF44710F54852AE496F7240DB30AE45CB90

Function 005A00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 005A00C6

Part of subcall function 005A00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0065070C,00000FA0,A158281C,?,?,?,?,005C23B3,000000FF), ref: 005A011C
Part of subcall function 005A00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,005C23B3,000000FF), ref: 005A0127
Part of subcall function 005A00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,005C23B3,000000FF), ref: 005A0138
Part of subcall function 005A00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 005A014E
Part of subcall function 005A00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 005A015C
Part of subcall function 005A00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 005A016A
Part of subcall function 005A00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 005A0195
Part of subcall function 005A00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 005A01A0

___scrt_fastfail.LIBCMT ref: 005A00E7

Part of subcall function 005A00A3: __onexit.LIBCMT ref: 005A00A9

Strings

SleepConditionVariableCS, xrefs: 005A0154
kernel32.dll, xrefs: 005A0133
WakeAllConditionVariable, xrefs: 005A0162
InitializeConditionVariable, xrefs: 005A0148
api-ms-win-core-synch-l1-2-0.dll, xrefs: 005A0122

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 3544287862e2616f777b9915917791325f938356e89fc16260cae0db49d73841
Instruction ID: 87dc775415d7f963ee5ab9531e2baf363aeeefc8f8b8abfe7cf4b469b90c8f8a
Opcode Fuzzy Hash: 3544287862e2616f777b9915917791325f938356e89fc16260cae0db49d73841
Instruction Fuzzy Hash: C521C932A957116BE7105B64BC0ABED3BA6FF46F61F05552AF801D62D1DB7498008A90

Function 005F44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0061CC08), ref: 005F4527
_wcslen.LIBCMT ref: 005F453B
_wcslen.LIBCMT ref: 005F4599
_wcslen.LIBCMT ref: 005F45F4
_wcslen.LIBCMT ref: 005F463F
_wcslen.LIBCMT ref: 005F46A7

Part of subcall function 0059F9F2: _wcslen.LIBCMT ref: 0059F9FD

GetDriveTypeW.KERNEL32(?,00646BF0,00000061), ref: 005F4743

Strings

removable, xrefs: 005F45EA, 005F45EF
all, xrefs: 005F4531, 005F4536
ramdisk, xrefs: 005F46F1
fixed, xrefs: 005F4635, 005F463A
unknown, xrefs: 005F4708
network, xrefs: 005F469D, 005F46A2
cdrom, xrefs: 005F458F, 005F4594

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: ce705a96268b02222835010f72081fe7ae637a2e3c9a82c3d761b389d7aa987b
Instruction ID: 53cdba845f81a5bb86d6d3f4208f855710331347071ecf47649ba48730516c8f
Opcode Fuzzy Hash: ce705a96268b02222835010f72081fe7ae637a2e3c9a82c3d761b389d7aa987b
Instruction Fuzzy Hash: 1FB1EC316083069BC710EF28C890A7BBBE5BFE6720F10491DF696D7291E738D845CB92

Function 0061911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00599BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00599BB2

DragQueryPoint.SHELL32(?,?), ref: 00619147

Part of subcall function 00617674: ClientToScreen.USER32(?,?), ref: 0061769A
Part of subcall function 00617674: GetWindowRect.USER32(?,?), ref: 00617710
Part of subcall function 00617674: PtInRect.USER32(?,?,00618B89), ref: 00617720

SendMessageW.USER32(?,000000B0,?,?), ref: 006191B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 006191BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 006191DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00619225
SendMessageW.USER32(?,000000B0,?,?), ref: 0061923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00619255
SendMessageW.USER32(?,000000B1,?,?), ref: 00619277
DragFinish.SHELL32(?), ref: 0061927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00619371

Strings

@GUI_DRAGID, xrefs: 006192E9
@GUI_DRAGFILE, xrefs: 00619320
p#e, xrefs: 006192BB
@GUI_DROPID, xrefs: 0061929E

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#e
API String ID: 221274066-1301395850
Opcode ID: e07c71e3af4fc548bf2bd607089077b63f2ab72d8729f535dd14cb8f47cc8f12
Instruction ID: eb762a317b7d6a6ab3d0c30dd6c06116a733e7f5931675ed3adbc6174beaf7e6
Opcode Fuzzy Hash: e07c71e3af4fc548bf2bd607089077b63f2ab72d8729f535dd14cb8f47cc8f12
Instruction Fuzzy Hash: 22613A71108301AFD701EF54D899DAFBBEAFBC5750F04492EF595921A0DB309A49CB62

Function 0058326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00651990), ref: 005C2F8D
GetMenuItemCount.USER32(00651990), ref: 005C303D
GetCursorPos.USER32(?), ref: 005C3081
SetForegroundWindow.USER32(00000000), ref: 005C308A
TrackPopupMenuEx.USER32(00651990,00000000,?,00000000,00000000,00000000), ref: 005C309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 005C30A9

Strings

0, xrefs: 0058327D

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 734c45ee46b4a33ff763f71f8d686a83bed3936823720945973872c90fca73ca
Instruction ID: 900a1861b44a8d9b57814c0457c394bddeaa5a123a90094acea51a27c873c521
Opcode Fuzzy Hash: 734c45ee46b4a33ff763f71f8d686a83bed3936823720945973872c90fca73ca
Instruction Fuzzy Hash: B771197164420ABEFB259F69CC49FAABF65FF01724F24421AF9157A1E0C7B1AD10C790

Function 00616CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00616DEB

Part of subcall function 00586B57: _wcslen.LIBCMT ref: 00586B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00616E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00616E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00616E94
DestroyWindow.USER32(?), ref: 00616EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00580000,00000000), ref: 00616EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00616EFD
GetDesktopWindow.USER32 ref: 00616F16
GetWindowRect.USER32(00000000), ref: 00616F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00616F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00616F4D

Part of subcall function 00599944: GetWindowLongW.USER32(?,000000EB), ref: 00599952

Strings

tooltips_class32, xrefs: 00616E58, 00616EDD
0, xrefs: 00616D98

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: e34c11ed6fbafb5f219cb1bd37954f187e8350455f64531893f120be5a481bb7
Instruction ID: 0188eac3c12a7bbcf0a233e65a0f1ef042826dfdbf350a26792ad1cbcbded7ba
Opcode Fuzzy Hash: e34c11ed6fbafb5f219cb1bd37954f187e8350455f64531893f120be5a481bb7
Instruction Fuzzy Hash: 81716778244340AFDB21CF18DC48BEABBFAFB89314F08451EF99997261C770A946CB11

Function 005FC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 005FC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 005FC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 005FC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 005FC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 005FC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 005FC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005FC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 005FC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 005FC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 005FC5F0
InternetCloseHandle.WININET(00000000), ref: 005FC5FB

Strings

, xrefs: 005FC575

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 9ef2ddeffddbfdf861fcf6fe21f7e40e604b5faa25325cecd78666196ba4d8a7
Instruction ID: 6a36f685710f0d5df24ba2fd0d49b5b211d0273f703c4f63aa26717583a9b70c
Opcode Fuzzy Hash: 9ef2ddeffddbfdf861fcf6fe21f7e40e604b5faa25325cecd78666196ba4d8a7
Instruction Fuzzy Hash: 92514DB154020DBFDB218F64CA48ABB7FBDFF48754F04842AFA4596250DB78E944DB60

Function 0061856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00618592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006185A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006185AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006185BA
GlobalLock.KERNEL32(00000000), ref: 006185C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006185D7
GlobalUnlock.KERNEL32(00000000), ref: 006185E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006185E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006185F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0061FC38,?), ref: 00618611
GlobalFree.KERNEL32(00000000), ref: 00618621
GetObjectW.GDI32(?,00000018,?), ref: 00618641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00618671
DeleteObject.GDI32(?), ref: 00618699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 006186AF

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 83fd49908f7039d35fb64eb28e8e3fbb6c00d8c5032ae86e7c89fea07bf725e0
Instruction ID: f00efe1d4c7923858e47698833b94bd2f8759ad7d48bd8a0c4e0a561b94d8311
Opcode Fuzzy Hash: 83fd49908f7039d35fb64eb28e8e3fbb6c00d8c5032ae86e7c89fea07bf725e0
Instruction Fuzzy Hash: DE410975640204AFDB119FA5DC48EEE7BBAEF89721F188059F905E7260DB309A41DB60

Function 005F14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 005F1502
VariantCopy.OLEAUT32(?,?), ref: 005F150B
VariantClear.OLEAUT32(?), ref: 005F1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 005F15FB
VarR8FromDec.OLEAUT32(?,?), ref: 005F1657
VariantInit.OLEAUT32(?), ref: 005F1708
SysFreeString.OLEAUT32(?), ref: 005F178C
VariantClear.OLEAUT32(?), ref: 005F17D8
VariantClear.OLEAUT32(?), ref: 005F17E7
VariantInit.OLEAUT32(00000000), ref: 005F1823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 005F1625
Default, xrefs: 005F16AF

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 2d589e878b0f4d8d272cb24c57cb76a55c2a53001d363453aac46972a8ff63d2
Instruction ID: af1a729214d94d5fa148bb91be0a725a2708ca83b718ac30e9d29c6f1c4ed1a1
Opcode Fuzzy Hash: 2d589e878b0f4d8d272cb24c57cb76a55c2a53001d363453aac46972a8ff63d2
Instruction Fuzzy Hash: 5CD1F471A00A19DBDF04AF65E489B7DBFB6BF85700F148456EA06AB180DB38DC40DFA5

Function 0060B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00589CB3: _wcslen.LIBCMT ref: 00589CBD

Part of subcall function 0060C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0060B6AE,?,?), ref: 0060C9B5
Part of subcall function 0060C998: _wcslen.LIBCMT ref: 0060C9F1
Part of subcall function 0060C998: _wcslen.LIBCMT ref: 0060CA68
Part of subcall function 0060C998: _wcslen.LIBCMT ref: 0060CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0060B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0060B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0060B80A
RegCloseKey.ADVAPI32(?), ref: 0060B87E
RegCloseKey.ADVAPI32(?), ref: 0060B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0060B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0060B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0060B922
FreeLibrary.KERNEL32(00000000), ref: 0060B983
RegCloseKey.ADVAPI32(00000000), ref: 0060B994

Strings

advapi32.dll, xrefs: 0060B8ED
RegDeleteKeyExW, xrefs: 0060B8FE

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: a0553722eca7c275cabb294a24a555e7915137ca674ee637081211dde76bf515
Instruction ID: 3f5f2a621761272dee01d1b85ce2d116244f306d959a6a9e218bceb4f06d39eb
Opcode Fuzzy Hash: a0553722eca7c275cabb294a24a555e7915137ca674ee637081211dde76bf515
Instruction Fuzzy Hash: 4AC19D30248202AFD714DF14C495F6ABBE6BF84318F18D55CE55A5B3A2CB71EC45CB91

Function 0060255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 006025D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 006025E8
CreateCompatibleDC.GDI32(?), ref: 006025F4
SelectObject.GDI32(00000000,?), ref: 00602601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0060266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 006026AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 006026D0
SelectObject.GDI32(?,?), ref: 006026D8
DeleteObject.GDI32(?), ref: 006026E1
DeleteDC.GDI32(?), ref: 006026E8
ReleaseDC.USER32(00000000,?), ref: 006026F3

Strings

(, xrefs: 0060268D

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: aa6234c9de3032d3cd3a06c311e0c38d019da46f754f84cef0e0e2bc4ef69333
Instruction ID: e14dda0501d117470861a20ffedfb7e4da6c8b3c9e31932dd554ed97235dcc47
Opcode Fuzzy Hash: aa6234c9de3032d3cd3a06c311e0c38d019da46f754f84cef0e0e2bc4ef69333
Instruction Fuzzy Hash: 13611375D4021AEFCF04CFA4C888AAEBBB6FF48310F24842AE955A7250D371A941CF94

Function 005BDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 005BDAA1

Part of subcall function 005BD63C: _free.LIBCMT ref: 005BD659
Part of subcall function 005BD63C: _free.LIBCMT ref: 005BD66B
Part of subcall function 005BD63C: _free.LIBCMT ref: 005BD67D
Part of subcall function 005BD63C: _free.LIBCMT ref: 005BD68F
Part of subcall function 005BD63C: _free.LIBCMT ref: 005BD6A1
Part of subcall function 005BD63C: _free.LIBCMT ref: 005BD6B3
Part of subcall function 005BD63C: _free.LIBCMT ref: 005BD6C5
Part of subcall function 005BD63C: _free.LIBCMT ref: 005BD6D7
Part of subcall function 005BD63C: _free.LIBCMT ref: 005BD6E9
Part of subcall function 005BD63C: _free.LIBCMT ref: 005BD6FB
Part of subcall function 005BD63C: _free.LIBCMT ref: 005BD70D
Part of subcall function 005BD63C: _free.LIBCMT ref: 005BD71F
Part of subcall function 005BD63C: _free.LIBCMT ref: 005BD731

_free.LIBCMT ref: 005BDA96

Part of subcall function 005B29C8: HeapFree.KERNEL32(00000000,00000000,?,005BD7D1,00000000,00000000,00000000,00000000,?,005BD7F8,00000000,00000007,00000000,?,005BDBF5,00000000), ref: 005B29DE
Part of subcall function 005B29C8: GetLastError.KERNEL32(00000000,?,005BD7D1,00000000,00000000,00000000,00000000,?,005BD7F8,00000000,00000007,00000000,?,005BDBF5,00000000,00000000), ref: 005B29F0

_free.LIBCMT ref: 005BDAB8
_free.LIBCMT ref: 005BDACD
_free.LIBCMT ref: 005BDAD8
_free.LIBCMT ref: 005BDAFA
_free.LIBCMT ref: 005BDB0D
_free.LIBCMT ref: 005BDB1B
_free.LIBCMT ref: 005BDB26
_free.LIBCMT ref: 005BDB5E
_free.LIBCMT ref: 005BDB65
_free.LIBCMT ref: 005BDB82
_free.LIBCMT ref: 005BDB9A

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: bff1e64ba62f66ca6d2412e7f46bab5328bbd7424684b147279ae2e10b0c4c4c
Instruction ID: 94c5c71f87c16e6973d2e5d253f1888fbe1e99d54f9942515d41c146baa21af9
Opcode Fuzzy Hash: bff1e64ba62f66ca6d2412e7f46bab5328bbd7424684b147279ae2e10b0c4c4c
Instruction Fuzzy Hash: BD310B31604606AFEB21AB39E849BD6BFF9FF50321F154819E45DD7191EA35BC808B34

Function 005E365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 005E369C
_wcslen.LIBCMT ref: 005E36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 005E3797
GetClassNameW.USER32(?,?,00000400), ref: 005E380C
GetDlgCtrlID.USER32(?), ref: 005E385D
GetWindowRect.USER32(?,?), ref: 005E3882
GetParent.USER32(?), ref: 005E38A0
ScreenToClient.USER32(00000000), ref: 005E38A7
GetClassNameW.USER32(?,?,00000100), ref: 005E3921
GetWindowTextW.USER32(?,?,00000400), ref: 005E395D

Strings

%s%u, xrefs: 005E3734

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: e1b1e994dcff65b9195ee0686d2c01e174d8602aae4252fcd6fcf437a08cc023
Instruction ID: 9e95489210f3405880f24a40c31386584e3daa78b3b71b502a88c34f54ea252e
Opcode Fuzzy Hash: e1b1e994dcff65b9195ee0686d2c01e174d8602aae4252fcd6fcf437a08cc023
Instruction Fuzzy Hash: 0491AF71204646AFD718DF26C889FEABBA9FF84350F008529F9D9D3191DB30EA45CB91

Function 005E4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 005E4994
GetWindowTextW.USER32(?,?,00000400), ref: 005E49DA
_wcslen.LIBCMT ref: 005E49EB
CharUpperBuffW.USER32(?,00000000), ref: 005E49F7
_wcsstr.LIBVCRUNTIME ref: 005E4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 005E4A64
GetWindowTextW.USER32(?,?,00000400), ref: 005E4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 005E4AE6
GetClassNameW.USER32(?,?,00000400), ref: 005E4B20
GetWindowRect.USER32(?,?), ref: 005E4B8B

Strings

ThumbnailClass, xrefs: 005E4A6F, 005E4AF1

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: a5bf1fea463bc0b089830f3824352812fe244565a1dc5581e5a0b981cb2b3b30
Instruction ID: fbffe54d966f935fcc76907868a317c4ea0179cee9c181a2505851384ab4f7cc
Opcode Fuzzy Hash: a5bf1fea463bc0b089830f3824352812fe244565a1dc5581e5a0b981cb2b3b30
Instruction Fuzzy Hash: 77919C710042469BDB08DF16C985FAA7BA9FF84314F04846AFDC59A096EB34ED45CFA1

Function 00618D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00599BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00599BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00618D5A
GetFocus.USER32 ref: 00618D6A
GetDlgCtrlID.USER32(00000000), ref: 00618D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00618E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00618ECF
GetMenuItemCount.USER32(?), ref: 00618EEC
GetMenuItemID.USER32(?,00000000), ref: 00618EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00618F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00618F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00618FA1

Strings

0, xrefs: 00618E9F

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: c2b6e55d6ea41c89cb3ce0d8cc1876008224a01d3c751559e365fcdd43c78c91
Instruction ID: 69b339ca4fb7be8f77eea87f6a7be7bd6b0d7c50b3c1cc10456adc054097422c
Opcode Fuzzy Hash: c2b6e55d6ea41c89cb3ce0d8cc1876008224a01d3c751559e365fcdd43c78c91
Instruction Fuzzy Hash: 4D817C715083019FDB10CF24D884AEBBBEBFB89364F18491EF99597291DB70D981CBA1

Function 005EDC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 005EDC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 005EDC46
_wcslen.LIBCMT ref: 005EDC50
_wcsstr.LIBVCRUNTIME ref: 005EDCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 005EDCBC

Strings

%u.%u.%u.%u, xrefs: 005EDD9A
\VarFileInfo\Translation, xrefs: 005EDCB4
04090000, xrefs: 005EDCF2
StringFileInfo\, xrefs: 005EDC8F
DefaultLangCodepage, xrefs: 005EDD1F

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 122f3438fa36824e53aa527c5e528be92bc720ae977c728306f7fc59d79a7b85
Instruction ID: 73c7825ec669c0464bcb00da59f06a1a6ee36f8a4180d3dc2830978f2075cba0
Opcode Fuzzy Hash: 122f3438fa36824e53aa527c5e528be92bc720ae977c728306f7fc59d79a7b85
Instruction Fuzzy Hash: 9C41F072A402167ADB04A765DC0BEFF7FBCFF82760F140069F900E6182EA70990197B5

Function 0060CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0060CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0060CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0060CD48

Part of subcall function 0060CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0060CCAA
Part of subcall function 0060CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0060CCBD
Part of subcall function 0060CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0060CCCF
Part of subcall function 0060CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0060CD05
Part of subcall function 0060CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0060CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0060CCF3

Strings

advapi32.dll, xrefs: 0060CCB8
RegDeleteKeyExW, xrefs: 0060CCC9

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 6baf5dbbcbc6db55785ffb4ed1d4de6ad7a1bd976d14d7210b7f9af151b1e867
Instruction ID: 59b90d05adfef9d636b28194f85803b1cbc3ab60000a4dead34c3a2788f7ec99
Opcode Fuzzy Hash: 6baf5dbbcbc6db55785ffb4ed1d4de6ad7a1bd976d14d7210b7f9af151b1e867
Instruction Fuzzy Hash: 45319271981128BBD7248B54DC88EFFBB7EEF45760F044266F905E2290D7309E45DAA0

Function 005F3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 005F3D40
_wcslen.LIBCMT ref: 005F3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 005F3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 005F3DBE
RemoveDirectoryW.KERNEL32(?), ref: 005F3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 005F3E55
CloseHandle.KERNEL32(00000000), ref: 005F3E60
CloseHandle.KERNEL32(00000000), ref: 005F3E6B

Strings

:, xrefs: 005F3D82
\??\%s, xrefs: 005F3D5B
\, xrefs: 005F3D77

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 461e76bccdd1272ad270152ac87256cc56ace7880d03810558ee38afdb040fcb
Instruction ID: 6c76612325ff0acb26396d2fd97149f8abb0c3ddf905b939724423d5a663b437
Opcode Fuzzy Hash: 461e76bccdd1272ad270152ac87256cc56ace7880d03810558ee38afdb040fcb
Instruction Fuzzy Hash: 0231A1B194021AABEB209BA0DC49FEF3BBDFF89750F1440B6F605D6060EB7497448B24

Function 005EE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 005EE6B4

Part of subcall function 0059E551: timeGetTime.WINMM(?,?,005EE6D4), ref: 0059E555

Sleep.KERNEL32(0000000A), ref: 005EE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 005EE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 005EE727
SetActiveWindow.USER32 ref: 005EE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 005EE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 005EE773
Sleep.KERNEL32(000000FA), ref: 005EE77E
IsWindow.USER32 ref: 005EE78A
EndDialog.USER32(00000000), ref: 005EE79B

Strings

BUTTON, xrefs: 005EE719

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 74ce3ce517e3f99612b532dbb677d23071e05a5d1507ccec14da18dba0fd1bdc
Instruction ID: 6afceee5f3fb05b2994a8726c0674d391e36c5cdaa142227ac7705ce003cee8a
Opcode Fuzzy Hash: 74ce3ce517e3f99612b532dbb677d23071e05a5d1507ccec14da18dba0fd1bdc
Instruction Fuzzy Hash: 6621D5B0250382AFEB049F21EC9FB693F6BF75635AF04B426F445821B1DB71AC408B64

Function 005EE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00589CB3: _wcslen.LIBCMT ref: 00589CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 005EEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 005EEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 005EEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 005EEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 005EEAA7

Strings

play PlayMe wait, xrefs: 005EEA91
open , xrefs: 005EEA0C
close PlayMe, xrefs: 005EEA6E, 005EEA9B
play PlayMe, xrefs: 005EEAA2
status PlayMe mode, xrefs: 005EEA58
alias PlayMe, xrefs: 005EEA36

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 4c111b8127e241d3a18dfe718e6d0763eb4f60ee02bba872c90235eea83d78b4
Instruction ID: 40a9b1bab766f441551fabcf8c9d2a34ae4cc8d13cdf637f2134b9dba8a2ae8c
Opcode Fuzzy Hash: 4c111b8127e241d3a18dfe718e6d0763eb4f60ee02bba872c90235eea83d78b4
Instruction Fuzzy Hash: 2E115431A5025A79E724B762DC4FDFF6E7DFBD2B40F050429B811A20D1EEB00905C6B1

Function 005E5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 005E5CE2
GetWindowRect.USER32(00000000,?), ref: 005E5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 005E5D59
GetDlgItem.USER32(?,00000002), ref: 005E5D69
GetWindowRect.USER32(00000000,?), ref: 005E5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 005E5DCF
GetDlgItem.USER32(?,000003E9), ref: 005E5DDD
GetWindowRect.USER32(00000000,?), ref: 005E5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 005E5E31
GetDlgItem.USER32(?,000003EA), ref: 005E5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 005E5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 005E5E67

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: fbfff4ad80743a086a240883d5a316c9c47c36a45440e702866b549d8d0dd903
Instruction ID: e7737337234a1f0b590b73e5785b7c29b54218049b13a6b0b491787a00951771
Opcode Fuzzy Hash: fbfff4ad80743a086a240883d5a316c9c47c36a45440e702866b549d8d0dd903
Instruction Fuzzy Hash: 85513FB0B40615AFDF18CF69CD99AAEBBBAFB48314F148129F515E7290E7709E04CB50

Function 00598BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00598F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00598BE8,?,00000000,?,?,?,?,00598BBA,00000000,?), ref: 00598FC5

DestroyWindow.USER32(?), ref: 00598C81
KillTimer.USER32(00000000,?,?,?,?,00598BBA,00000000,?), ref: 00598D1B
DestroyAcceleratorTable.USER32(00000000), ref: 005D6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00598BBA,00000000,?), ref: 005D69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00598BBA,00000000,?), ref: 005D69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00598BBA,00000000), ref: 005D69D4
DeleteObject.GDI32(00000000), ref: 005D69E6

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 63616ebc858d838f4ef443eeaab6b5183d4babf8dd4d4c3dcfe710ba3c69510d
Instruction ID: fa5d23ae31f7562a32989d5deebf68fd517798924ed21c70d57cc56b6183dd4f
Opcode Fuzzy Hash: 63616ebc858d838f4ef443eeaab6b5183d4babf8dd4d4c3dcfe710ba3c69510d
Instruction Fuzzy Hash: 45615A31502701DFCF35DF18D958B797BB2FB46322F14A91AE0829B6A0CB71AD91DB90

Function 00599838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00599944: GetWindowLongW.USER32(?,000000EB), ref: 00599952

GetSysColor.USER32(0000000F), ref: 00599862

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 6acf32cccc8131a13f4fdde31e63c6c7c007ed3a87ab986ce399438e0f898468
Instruction ID: 79013d30fe3bc1914f4eb2351613b97cf3d9b0d260e3ced57f3cef653fa75d19
Opcode Fuzzy Hash: 6acf32cccc8131a13f4fdde31e63c6c7c007ed3a87ab986ce399438e0f898468
Instruction Fuzzy Hash: ED418F31144644AFDF209F3C9C89BB93F66BB0A331F18561EF9A2872E1E7319842DB51

Function 005B8D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.Z, xrefs: 005B903A, 005B8FD0, 005B8FF2

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID:
String ID: .Z
API String ID: 0-572057124
Opcode ID: 563aae4ea11c6102a382f543d3955855adf1387b6361f722d53edd3c6b1c1368
Instruction ID: de00e7d3899d5a84c7bed28b138f2590e890e8e83ff3a272657a248aae74272d
Opcode Fuzzy Hash: 563aae4ea11c6102a382f543d3955855adf1387b6361f722d53edd3c6b1c1368
Instruction Fuzzy Hash: 17C1E27490424AAFDB11EFA8D849BFDBFB5BF4A310F184199F914A7392C730A941CB61

Function 005E96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,005CF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 005E9717
LoadStringW.USER32(00000000,?,005CF7F8,00000001), ref: 005E9720

Part of subcall function 00589CB3: _wcslen.LIBCMT ref: 00589CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,005CF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 005E9742
LoadStringW.USER32(00000000,?,005CF7F8,00000001), ref: 005E9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 005E9866

Strings

^ ERROR, xrefs: 005E97FB
Line %d (File "%s"):, xrefs: 005E978F
Line %d:, xrefs: 005E97A0
Error: , xrefs: 005E981D
%s (%d) : ==> %s: %s %s, xrefs: 005E984A

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: bf35ebf32ffd1ab7c2c0f6b89eeabc10b539cfbb9234d8ab264f4c892c2a2ed0
Instruction ID: a046bb46ec51227ac8e1b1e82af7bf5de1a104d1627316ee1ae7addc1204b4f0
Opcode Fuzzy Hash: bf35ebf32ffd1ab7c2c0f6b89eeabc10b539cfbb9234d8ab264f4c892c2a2ed0
Instruction Fuzzy Hash: 02413D7280420AAADF04FBE0CD4ADEE7B79BF95740F144425FA0572092EE256F49CB61

Function 005E06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00586B57: _wcslen.LIBCMT ref: 00586B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 005E07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 005E07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 005E07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 005E0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 005E082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 005E0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 005E083C

Strings

\IPC$, xrefs: 005E0784
SOFTWARE\Classes\, xrefs: 005E070E
\CLSID, xrefs: 005E0724

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 22ad5f716b510f7ac4e9b817bd48bd1d51a84485c1ea72772f664253ef8f8d5c
Instruction ID: 6ee5a3853c6566bc8b6dcd001b80df7eecbc085249c70f3a6c9a64a59d587ac6
Opcode Fuzzy Hash: 22ad5f716b510f7ac4e9b817bd48bd1d51a84485c1ea72772f664253ef8f8d5c
Instruction Fuzzy Hash: 59411972C1022AABDF15EBA4DC998EDBB79FF44750F14412AE901B31A1EB709E44CB90

Function 00603C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00603C5C
CoInitialize.OLE32(00000000), ref: 00603C8A
CoUninitialize.OLE32 ref: 00603C94
_wcslen.LIBCMT ref: 00603D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00603DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00603ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00603F0E
CoGetObject.OLE32(?,00000000,0061FB98,?), ref: 00603F2D
SetErrorMode.KERNEL32(00000000), ref: 00603F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00603FC4
VariantClear.OLEAUT32(?), ref: 00603FD8

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 2225d7a92c731506211b85f94d13251a24128365fb1df4d60ffb370cc1fb1cd1
Instruction ID: cc9e5f5dc3099e09af83b9758a82001ec5ab58f1b10ef1a7f5b9e8f200ff115e
Opcode Fuzzy Hash: 2225d7a92c731506211b85f94d13251a24128365fb1df4d60ffb370cc1fb1cd1
Instruction Fuzzy Hash: D7C133716482129FD704DF28C88496BBBEAFF89745F04491DF98A9B390DB30ED06CB52

Function 005F7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 005F7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 005F7B8F
SHGetDesktopFolder.SHELL32(?), ref: 005F7BA3
CoCreateInstance.OLE32(0061FD08,00000000,00000001,00646E6C,?), ref: 005F7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 005F7C74
CoTaskMemFree.OLE32(?,?), ref: 005F7CCC
SHBrowseForFolderW.SHELL32(?), ref: 005F7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 005F7D7A
CoTaskMemFree.OLE32(00000000), ref: 005F7D81
CoTaskMemFree.OLE32(00000000), ref: 005F7DD6
CoUninitialize.OLE32 ref: 005F7DDC

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 04f54fc581f82f2cbc72f6734f958480ca1d68bda98557d76eb2f716a7e03d20
Instruction ID: b621c1c226b30afe745cf4f1e3e48f784603284b53a5ab07a526edd00336111a
Opcode Fuzzy Hash: 04f54fc581f82f2cbc72f6734f958480ca1d68bda98557d76eb2f716a7e03d20
Instruction Fuzzy Hash: 19C12B75A04109AFCB14DFA4C888DAEBFF9FF48314B148499E919EB261D734EE41CB90

Function 0061541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00615504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00615515
CharNextW.USER32(00000158), ref: 00615544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00615585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0061559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006155AC

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 9bf5113b031655652f3eaa521414c3a23304d49947427febfa57fbb278067ad6
Instruction ID: 8fae9ee0c1182e74902489bc1f43fef8d8342b70ced4c1a0ea5094e8b48fdc81
Opcode Fuzzy Hash: 9bf5113b031655652f3eaa521414c3a23304d49947427febfa57fbb278067ad6
Instruction Fuzzy Hash: 8E619230900609EFDF109F54CC849FEBBBBEB89721F188545F526AA290D7748AC1DBA1

Function 005DFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 005DFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 005DFB08
VariantInit.OLEAUT32(?), ref: 005DFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 005DFB3A
VariantCopy.OLEAUT32(?,?), ref: 005DFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 005DFBA1
VariantClear.OLEAUT32(?), ref: 005DFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 005DFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 005DFBCC
VariantClear.OLEAUT32(?), ref: 005DFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 005DFBE9

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 0718c153349c2905cea820150074cf494869957a9516a7c0d115965d93da9b71
Instruction ID: 19e4451ef45328c139085465177acaea6585280d8956eae5f3ae961f52f40b50
Opcode Fuzzy Hash: 0718c153349c2905cea820150074cf494869957a9516a7c0d115965d93da9b71
Instruction Fuzzy Hash: DA413135A04219DFDB10DF68D8589EDBFB9FF48354F04806BE946A7361D730A945CB90

Function 005E9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 005E9CA1
GetAsyncKeyState.USER32(000000A0), ref: 005E9D22
GetKeyState.USER32(000000A0), ref: 005E9D3D
GetAsyncKeyState.USER32(000000A1), ref: 005E9D57
GetKeyState.USER32(000000A1), ref: 005E9D6C
GetAsyncKeyState.USER32(00000011), ref: 005E9D84
GetKeyState.USER32(00000011), ref: 005E9D96
GetAsyncKeyState.USER32(00000012), ref: 005E9DAE
GetKeyState.USER32(00000012), ref: 005E9DC0
GetAsyncKeyState.USER32(0000005B), ref: 005E9DD8
GetKeyState.USER32(0000005B), ref: 005E9DEA

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 0bb13039e8928057f5eb3c54d06d250574c80d304c4c07a98c844ad14838ca9c
Instruction ID: f368491abbf89fe727c4966c1d8136253042562712cb220235602b54a09203ff
Opcode Fuzzy Hash: 0bb13039e8928057f5eb3c54d06d250574c80d304c4c07a98c844ad14838ca9c
Instruction Fuzzy Hash: A84107745047D96EFF389B6289043F5BEE17F11304F08805ACAC6561C2DBA49DD8C7A2

Function 0060055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 006005BC
inet_addr.WSOCK32(?), ref: 0060061C
gethostbyname.WSOCK32(?), ref: 00600628
IcmpCreateFile.IPHLPAPI ref: 00600636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 006006C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 006006E5
IcmpCloseHandle.IPHLPAPI(?), ref: 006007B9
WSACleanup.WSOCK32 ref: 006007BF

Strings

Ping, xrefs: 00600676

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 494bd9d8d2f9bb7fd15297256b4f895b8f64de628c2395092cfb2264e225f56f
Instruction ID: 3fe04391c8a20f31172018061d5f6681fadc8fb9217642e16caa78fa0aee307b
Opcode Fuzzy Hash: 494bd9d8d2f9bb7fd15297256b4f895b8f64de628c2395092cfb2264e225f56f
Instruction Fuzzy Hash: 7191BF346442019FE724DF14C888F5ABBE2BF84318F1885A9F4699B7A2C774EC41CF81

Function 00608CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00608CF3

Part of subcall function 005E8E54: _wcslen.LIBCMT ref: 005E8E77

_wcslen.LIBCMT ref: 00608D4E
_wcslen.LIBCMT ref: 00608D9C
_wcslen.LIBCMT ref: 00608DDC
_wcslen.LIBCMT ref: 00608E6E

Strings

none, xrefs: 00608E65, 00608E6A
cdecl, xrefs: 00608D48, 00608D4D
winapi, xrefs: 00608D96, 00608D9B
stdcall, xrefs: 00608DD6, 00608DDB

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: a990e92dfb97a1e9c951a777960704999c2ea9f93518c472a4750e26a1ded6ff
Instruction ID: b58aeaafa3d985d4671e0c4745e9c75f2321261acaf50fca6bcaae7b15e81c4a
Opcode Fuzzy Hash: a990e92dfb97a1e9c951a777960704999c2ea9f93518c472a4750e26a1ded6ff
Instruction Fuzzy Hash: 16518E31A405179FCB18DF68C9508FFB7A6BFA5720B254229E8A6A73C4DB30DD41CB90

Function 0060372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00603774
CoUninitialize.OLE32 ref: 0060377F
CoCreateInstance.OLE32(?,00000000,00000017,0061FB78,?), ref: 006037D9
IIDFromString.OLE32(?,?), ref: 0060384C
VariantInit.OLEAUT32(?), ref: 006038E4
VariantClear.OLEAUT32(?), ref: 00603936

Strings

Invalid parameter, xrefs: 00603865
NULL Pointer assignment, xrefs: 0060381E
Failed to create object, xrefs: 006037E4, 0060389A

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: aeff653869d7a9cfe7b12cfd89674acd5468a3520fa7dfd01205b31eb2e3f1f9
Instruction ID: c71d4f91443bec4a5dfca83f23035bfff72c560d80b4d0e833fa11ed6eba1a24
Opcode Fuzzy Hash: aeff653869d7a9cfe7b12cfd89674acd5468a3520fa7dfd01205b31eb2e3f1f9
Instruction Fuzzy Hash: 6C61CF70248311AFD314DF54C888BABBBEABF88711F044849F9859B391D770EE49CB92

Function 00618B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00599BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00599BB2

Part of subcall function 0059912D: GetCursorPos.USER32(?), ref: 00599141
Part of subcall function 0059912D: ScreenToClient.USER32(00000000,?), ref: 0059915E
Part of subcall function 0059912D: GetAsyncKeyState.USER32(00000001), ref: 00599183
Part of subcall function 0059912D: GetAsyncKeyState.USER32(00000002), ref: 0059919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00618B6B
ImageList_EndDrag.COMCTL32 ref: 00618B71
ReleaseCapture.USER32 ref: 00618B77
SetWindowTextW.USER32(?,00000000), ref: 00618C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00618C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00618CFF

Strings

p#e, xrefs: 00618C71
@GUI_DRAGFILE, xrefs: 00618C9A
@GUI_DROPID, xrefs: 00618C51

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#e
API String ID: 1924731296-1096792570
Opcode ID: 4955bc6fdb4d61a76e85f4be3c1e2e051211a709629e4f91d742eec64089e893
Instruction ID: 007535ba31f90fa21de593bf1f246497598d5174d505eb21050a195d3f293797
Opcode Fuzzy Hash: 4955bc6fdb4d61a76e85f4be3c1e2e051211a709629e4f91d742eec64089e893
Instruction Fuzzy Hash: 4E517C70204305AFD700EF24DC5ABAE7BE6FB89715F04062DF956A72A1CB719D44CBA2

Function 005F3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 005F33CF

Part of subcall function 00589CB3: _wcslen.LIBCMT ref: 00589CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 005F33F0

Strings

Line %d (File "%s"):, xrefs: 005F3443, 005F345C
"%s" (%d) : ==> %s:%s%s, xrefs: 005F3504
Error: , xrefs: 005F34D1
Incorrect parameters to object property !, xrefs: 005F34AB
^ ERROR , xrefs: 005F349E
"%s" (%d) : ==> %s:, xrefs: 005F3522

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 81b7d8cf46d78c356beb932a4770b44254a9d64b050657f0de9f953adbda3a85
Instruction ID: 8b72b28225ba5646181d4841acfb4fd5e0648431b38500572dc4c6c57ba84d81
Opcode Fuzzy Hash: 81b7d8cf46d78c356beb932a4770b44254a9d64b050657f0de9f953adbda3a85
Instruction Fuzzy Hash: 9F519F7190020AAADF14FBA0CD4AEFEBB7ABF85300F144465F90572062EB252F58DB61

Function 005EB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 005EB5FC
_wcslen.LIBCMT ref: 005EB608
_wcslen.LIBCMT ref: 005EB64D
_wcslen.LIBCMT ref: 005EB68C
_wcslen.LIBCMT ref: 005EB6C7

Strings

EXISTS, xrefs: 005EB686, 005EB68B
APPEND, xrefs: 005EB6C1, 005EB6C6
REMOVE, xrefs: 005EB602, 005EB607
KEYS, xrefs: 005EB647, 005EB64C

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 6d83a4f9d704a935ae5f56936a4a248218f2e020006bca2f337a852e52429189
Instruction ID: 67d70d6b26b539af11192d8a46885b8a08d95dd888d68d47d57c0a507e8ef376
Opcode Fuzzy Hash: 6d83a4f9d704a935ae5f56936a4a248218f2e020006bca2f337a852e52429189
Instruction Fuzzy Hash: 0A410A32A001679ADB246F7EC8905BFBFB5BFA1795B244129E4A1D7284E731CD81C790

Function 005F5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005F53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 005F5416
GetLastError.KERNEL32 ref: 005F5420
SetErrorMode.KERNEL32(00000000,READY), ref: 005F54A7

Strings

READY, xrefs: 005F5460, 005F5468
UNKNOWN, xrefs: 005F5444
READONLY, xrefs: 005F5452
NOTREADY, xrefs: 005F544B
INVALID, xrefs: 005F5459

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: a5138fd60eeaa8b2c0b01cb5b923a1609138cc6585866d25b3a6478a163a00a4
Instruction ID: 0b21e93ac8fcc9433da245b2c140e907c85c0df6be51cbe8c5bcef5fc1e8b62e
Opcode Fuzzy Hash: a5138fd60eeaa8b2c0b01cb5b923a1609138cc6585866d25b3a6478a163a00a4
Instruction Fuzzy Hash: ED31B335A006099FCB10DF68C488BBABFB5FF45305F188059EA05DB252E775DD86CBA1

Function 00613C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00613C79
SetMenu.USER32(?,00000000), ref: 00613C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00613D10
IsMenu.USER32(?), ref: 00613D24
CreatePopupMenu.USER32 ref: 00613D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00613D5B
DrawMenuBar.USER32 ref: 00613D63

Strings

0, xrefs: 00613C54
F, xrefs: 00613D4E

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 4f4932fc3e59bcd06c6b30589145224be533b2435c78c0672f4675f59d292028
Instruction ID: d62f3fac65b431999197ddfd42eeb22f2db3b5345349c6aa2db764293ec22e02
Opcode Fuzzy Hash: 4f4932fc3e59bcd06c6b30589145224be533b2435c78c0672f4675f59d292028
Instruction Fuzzy Hash: 14416779A01219AFDB14CF64E884AEA7BB6FF49354F184029E946A7360D770AA10CB94

Function 005E1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00589CB3: _wcslen.LIBCMT ref: 00589CBD

Part of subcall function 005E3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 005E3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 005E1F64
GetDlgCtrlID.USER32 ref: 005E1F6F
GetParent.USER32 ref: 005E1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 005E1F8E
GetDlgCtrlID.USER32(?), ref: 005E1F97
GetParent.USER32(?), ref: 005E1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 005E1FAE

Strings

ComboBox, xrefs: 005E1EEC
ListBox, xrefs: 005E1F21

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 3c4ce779be2d17874f1181b33e3b7a852b183e5e6df4e2467a6f8e68c1d08da6
Instruction ID: dd0461360c1f7ca3e05f2627a65e804f0f6a58b688406bf4374ce3ccb490be8d
Opcode Fuzzy Hash: 3c4ce779be2d17874f1181b33e3b7a852b183e5e6df4e2467a6f8e68c1d08da6
Instruction Fuzzy Hash: EB21AF70940214ABCF04AFA1CC89DFEBFA9FF45310B145116B9A567291DB355904DBA4

Function 00613A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00613A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00613AA0
GetWindowLongW.USER32(?,000000F0), ref: 00613AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00613AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00613B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00613BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00613BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00613BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00613BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00613C13

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: cc63b96557194b0a6099e5c05b8f0532574d2cf5da9d26e42a185dbe45e0c484
Instruction ID: a1b2757bd07508a43a022a792cc07eb5582dafb7d8d8fe028753263019e06448
Opcode Fuzzy Hash: cc63b96557194b0a6099e5c05b8f0532574d2cf5da9d26e42a185dbe45e0c484
Instruction Fuzzy Hash: 08619A75900258AFDB10DFA8CC81EEE77B9EB09310F14419AFA15AB3A1D770AE81DB50

Function 005EB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 005EB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,005EA1E1,?,00000001), ref: 005EB165
GetWindowThreadProcessId.USER32(00000000), ref: 005EB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,005EA1E1,?,00000001), ref: 005EB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 005EB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,005EA1E1,?,00000001), ref: 005EB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,005EA1E1,?,00000001), ref: 005EB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,005EA1E1,?,00000001), ref: 005EB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,005EA1E1,?,00000001), ref: 005EB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,005EA1E1,?,00000001), ref: 005EB21D

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: a294c0b6932338be2a63d67a4b67e94ab4b3ddada17c7107f5b4d4d6a418ac18
Instruction ID: a001f6f38d05548244bb18efa961a2cf8dcfb7ff0f3307756767b841c0a737b1
Opcode Fuzzy Hash: a294c0b6932338be2a63d67a4b67e94ab4b3ddada17c7107f5b4d4d6a418ac18
Instruction Fuzzy Hash: CB31AC79540354BFEB18DF25DC48BAE7FAABF50763F149005FA40D6290D7B49A008F64

Function 005B2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 005B2C94

Part of subcall function 005B29C8: HeapFree.KERNEL32(00000000,00000000,?,005BD7D1,00000000,00000000,00000000,00000000,?,005BD7F8,00000000,00000007,00000000,?,005BDBF5,00000000), ref: 005B29DE
Part of subcall function 005B29C8: GetLastError.KERNEL32(00000000,?,005BD7D1,00000000,00000000,00000000,00000000,?,005BD7F8,00000000,00000007,00000000,?,005BDBF5,00000000,00000000), ref: 005B29F0

_free.LIBCMT ref: 005B2CA0
_free.LIBCMT ref: 005B2CAB
_free.LIBCMT ref: 005B2CB6
_free.LIBCMT ref: 005B2CC1
_free.LIBCMT ref: 005B2CCC
_free.LIBCMT ref: 005B2CD7
_free.LIBCMT ref: 005B2CE2
_free.LIBCMT ref: 005B2CED
_free.LIBCMT ref: 005B2CFB

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 958b8e5660d8463c1b7d31c9fb4606ab330286717d895aa087077b6ebe35f6f0
Instruction ID: 77a90cdfb58d8841efc75902c46adbe3c340455488423abb4172afe0f4723488
Opcode Fuzzy Hash: 958b8e5660d8463c1b7d31c9fb4606ab330286717d895aa087077b6ebe35f6f0
Instruction Fuzzy Hash: 1B116276500109BFCB02EF54D986CDD3FA5BF49350F5149A5FA4C9B222DA31FA909BA0

Function 005F7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 005F7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 005F7FC1
GetFileAttributesW.KERNEL32(?), ref: 005F7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 005F8005
SetCurrentDirectoryW.KERNEL32(?), ref: 005F8017
SetCurrentDirectoryW.KERNEL32(?), ref: 005F8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 005F80B0

Strings

*.*, xrefs: 005F8066

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 5e8ece8ee318201273c6636d85e99a6d88b9938ae9a2c3af1e5c2a8373c29408
Instruction ID: a6bc9ff36636aa1c57612e3325e1d3c6d84ae2cc6f545b1e83f378ea0de962bb
Opcode Fuzzy Hash: 5e8ece8ee318201273c6636d85e99a6d88b9938ae9a2c3af1e5c2a8373c29408
Instruction Fuzzy Hash: 56819D725082099BCB20EF24C8489BEBBE9BF89314F544C5EFA95D7250EB38DD458B52

Function 00585BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00585C7A

Part of subcall function 00585D0A: GetClientRect.USER32(?,?), ref: 00585D30
Part of subcall function 00585D0A: GetWindowRect.USER32(?,?), ref: 00585D71
Part of subcall function 00585D0A: ScreenToClient.USER32(?,?), ref: 00585D99

GetDC.USER32 ref: 005C46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 005C4708
SelectObject.GDI32(00000000,00000000), ref: 005C4716
SelectObject.GDI32(00000000,00000000), ref: 005C472B
ReleaseDC.USER32(?,00000000), ref: 005C4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 005C47C4

Strings

U, xrefs: 005C4693

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 599854c6685d731939e1bd5cefd24b3b9333148b0da17a6999fc47dc1ccc465f
Instruction ID: 541ce78656780a79a3c8970bf928f3e0157f0cc9fc3041af3637fe6eaa722244
Opcode Fuzzy Hash: 599854c6685d731939e1bd5cefd24b3b9333148b0da17a6999fc47dc1ccc465f
Instruction Fuzzy Hash: 84719931400205DFCF219FA4C994EAA7FB6FF4A364F184269ED556A2AAD3318882DF50

Function 005F359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 005F35E4

Part of subcall function 00589CB3: _wcslen.LIBCMT ref: 00589CBD

LoadStringW.USER32(00652390,?,00000FFF,?), ref: 005F360A

Strings

^ ERROR, xrefs: 005F36C9
Line %d (File "%s"):, xrefs: 005F366B
"%s" (%d) : ==> %s:%s%s, xrefs: 005F3724
Error: , xrefs: 005F36EF
"%s" (%d) : ==> %s:, xrefs: 005F3742

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: c3cb9d95f5f315a4b4487b10d4a72da0b8dad88f51fba4181859ba8c4b114e1e
Instruction ID: 61360197982ebb4a763822ba854230f3e6f04ad194686299ba549fa6acb0964e
Opcode Fuzzy Hash: c3cb9d95f5f315a4b4487b10d4a72da0b8dad88f51fba4181859ba8c4b114e1e
Instruction Fuzzy Hash: 5C513A7180020AAADF14FBA0CC4AEFEBF79BF85301F144125F605721A1EB351B99DBA1

Function 005FC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 005FC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005FC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 005FC2CA
GetLastError.KERNEL32 ref: 005FC322
SetEvent.KERNEL32(?), ref: 005FC336
InternetCloseHandle.WININET(00000000), ref: 005FC341

Strings

, xrefs: 005FC2BB

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 55fd6d6e0d431a000ab08f86b9c18732a7fa0c80f9ba9858d473b14802d85d87
Instruction ID: 5d6c73e7186b2ba9b182244d9f7235bd847625a9a692895635189afd95349ca8
Opcode Fuzzy Hash: 55fd6d6e0d431a000ab08f86b9c18732a7fa0c80f9ba9858d473b14802d85d87
Instruction Fuzzy Hash: C93171B164020CAFD7219F648D88ABF7FFDFB49794B14892EF54692240DB38DD049B61

Function 005E989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,005C3AAF,?,?,Bad directive syntax error,0061CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 005E98BC
LoadStringW.USER32(00000000,?,005C3AAF,?), ref: 005E98C3

Part of subcall function 00589CB3: _wcslen.LIBCMT ref: 00589CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 005E9987

Strings

Line %d (File "%s"):, xrefs: 005E992D
., xrefs: 005E996D
Line %d:, xrefs: 005E9912
%s (%d) : ==> %s.: %s %s, xrefs: 005E98F1
Error: , xrefs: 005E9955

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: c396ee9666ef6628c47b8b6abae1139d360c64fad8e8a38c5ac792a6e3adaaab
Instruction ID: 1831e97e5689ccb5020e4ab76d70ffd4832b0aea71e591d3bdf2c01ebb877b2e
Opcode Fuzzy Hash: c396ee9666ef6628c47b8b6abae1139d360c64fad8e8a38c5ac792a6e3adaaab
Instruction Fuzzy Hash: 8121803194021BABCF15AF90CC0AEEE7B76BF59700F084429F915720A2EB759A18CB51

Function 005E209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 005E20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 005E20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 005E214D

Strings

details, xrefs: 005E20FB
SHELLDLL_DefView, xrefs: 005E20CC
list, xrefs: 005E212F
smallicons, xrefs: 005E2115
largeicons, xrefs: 005E20E1

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 843b1b11847211c4187ebc27df7c5d74b8f21789e287ba913a303e0f4b6f8073
Instruction ID: cf18bbdfa396266464bcab1c6aaaf43ef535395cb498765913f773c11846634c
Opcode Fuzzy Hash: 843b1b11847211c4187ebc27df7c5d74b8f21789e287ba913a303e0f4b6f8073
Instruction Fuzzy Hash: 12113A762C8707BBF70D2221DC0ADEA3F9DEB06324F200016F745A40E6FAB159419914

Function 005BCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 005BCEB7
_free.LIBCMT ref: 005BCF22
_free.LIBCMT ref: 005BCF48
_free.LIBCMT ref: 005BCF71
_free.LIBCMT ref: 005BCFA9
_free.LIBCMT ref: 005BCFDA
_free.LIBCMT ref: 005BD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 005BD09C
_free.LIBCMT ref: 005BD0B5

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 953c9844edd69f32c9ee2f7e71db6ca4aedb3df10cd14b7de8281a75383c700d
Instruction ID: 7921f0c8ce9711ebafdd97aa57dbdef8910872750344e27f861638ef401b5497
Opcode Fuzzy Hash: 953c9844edd69f32c9ee2f7e71db6ca4aedb3df10cd14b7de8281a75383c700d
Instruction Fuzzy Hash: 48614771904306AFDB21AFB49889AFE7FA6FF45310F1446ADF94597242E631BD008B64

Function 00598B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 005D6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 005D68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 005D68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 005D68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 005D68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00598874,00000000,00000000,00000000,000000FF,00000000), ref: 005D6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 005D691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00598874,00000000,00000000,00000000,000000FF,00000000), ref: 005D692D

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 2ac061df274ced206bdfcff034763960652aa0b09b1be01f141e3c54999f7012
Instruction ID: c9979d388ff56e96af2c2ff1f484d669ae10cb8f013c9ef16531d8156d9b0c7e
Opcode Fuzzy Hash: 2ac061df274ced206bdfcff034763960652aa0b09b1be01f141e3c54999f7012
Instruction Fuzzy Hash: 21518870600209EFDF20CF28CC55FAA7BB6FB89760F18451AF952972A0DB70E991DB50

Function 005FC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 005FC182
GetLastError.KERNEL32 ref: 005FC195
SetEvent.KERNEL32(?), ref: 005FC1A9

Part of subcall function 005FC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 005FC272
Part of subcall function 005FC253: GetLastError.KERNEL32 ref: 005FC322
Part of subcall function 005FC253: SetEvent.KERNEL32(?), ref: 005FC336
Part of subcall function 005FC253: InternetCloseHandle.WININET(00000000), ref: 005FC341

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 8f6f7e6cf137c42ba23aa3f62c7a6c50333957e7188db3070a660650298e0887
Instruction ID: 124148affbe56cc02285837c9801022257073ccfadf085fa7065d2baf99a18ea
Opcode Fuzzy Hash: 8f6f7e6cf137c42ba23aa3f62c7a6c50333957e7188db3070a660650298e0887
Instruction Fuzzy Hash: 9031A17514060DAFDB219FA5DE44ABABFF9FF58310B04842EFA9682610C734E914DB60

Function 005E25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 005E3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 005E3A57
Part of subcall function 005E3A3D: GetCurrentThreadId.KERNEL32 ref: 005E3A5E
Part of subcall function 005E3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005E25B3), ref: 005E3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 005E25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 005E25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 005E25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 005E25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 005E2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 005E2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 005E260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 005E2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 005E2627

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: a195eaef08ec8eef26a8e98df70c287f1b54595e78dba90071e83a1e4624855e
Instruction ID: 0eead54c64f71ed9dff00c35b5a03068e4b38cd726362625991f90a5b846baa5
Opcode Fuzzy Hash: a195eaef08ec8eef26a8e98df70c287f1b54595e78dba90071e83a1e4624855e
Instruction Fuzzy Hash: 1101B5302D0354BBFB106769DC8EF9D3E5AEB8AB21F105012F358AF0D5C9E114449AA9

Function 005E1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,005E1449,?,?,00000000), ref: 005E180C
HeapAlloc.KERNEL32(00000000,?,005E1449,?,?,00000000), ref: 005E1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,005E1449,?,?,00000000), ref: 005E1828
GetCurrentProcess.KERNEL32(?,00000000,?,005E1449,?,?,00000000), ref: 005E1830
DuplicateHandle.KERNEL32(00000000,?,005E1449,?,?,00000000), ref: 005E1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,005E1449,?,?,00000000), ref: 005E1843
GetCurrentProcess.KERNEL32(005E1449,00000000,?,005E1449,?,?,00000000), ref: 005E184B
DuplicateHandle.KERNEL32(00000000,?,005E1449,?,?,00000000), ref: 005E184E
CreateThread.KERNEL32(00000000,00000000,005E1874,00000000,00000000,00000000), ref: 005E1868

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 57298dd5da0c68e45fef432f597c941488c647c3374faf95316db5bb9820af89
Instruction ID: de2144346a22f212eb9674165833dde58122bf0d2c9b6de712f3814f9506575e
Opcode Fuzzy Hash: 57298dd5da0c68e45fef432f597c941488c647c3374faf95316db5bb9820af89
Instruction Fuzzy Hash: 3A01BFB52C0744BFE710AB65DC4EF9B7B6DEB89B11F049411FA05DB191C6709800CB20

Function 005B3E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 005B3F0B
__alldvrm.LIBCMT ref: 005B410C
__alldvrm.LIBCMT ref: 005B412E

Strings

}}Z, xrefs: 005B40CD
}}Z, xrefs: 005B3E8A
}}Z, xrefs: 005B3E96, 005B3EF1, 005B3F0A, 005B4090

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}Z$}}Z$}}Z
API String ID: 1036877536-3979346897
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: dd54a2950310aae5c04c681de8c95f70186897f6e6e34d060246170b5e3dcbc4
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: B0A13671E007869FDB25DE18C8957FEBFE5FF62350F18416DE5859B282C238A981CB50

Function 0060A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 005ED4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 005ED501
Part of subcall function 005ED4DC: Process32FirstW.KERNEL32(00000000,?), ref: 005ED50F
Part of subcall function 005ED4DC: CloseHandle.KERNELBASE(00000000), ref: 005ED5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0060A16D
GetLastError.KERNEL32 ref: 0060A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0060A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0060A268
GetLastError.KERNEL32(00000000), ref: 0060A273
CloseHandle.KERNEL32(00000000), ref: 0060A2C4

Strings

SeDebugPrivilege, xrefs: 0060A18F

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 1fa7fa5a56e3b8e5d6ab676d2b32d1c13ade662986be94dd6fb2a2672fed00b0
Instruction ID: 5a8f66be46f6e6cf08cc7f637c2e47ce742a7299afe66fa20e6fc9ce5a823451
Opcode Fuzzy Hash: 1fa7fa5a56e3b8e5d6ab676d2b32d1c13ade662986be94dd6fb2a2672fed00b0
Instruction Fuzzy Hash: 9B618C30244342AFD714DF55C498F5ABBA2AF84358F18849CE4668BBA3C772ED45CB92

Function 00613886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00613925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0061393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00613954
_wcslen.LIBCMT ref: 00613999
SendMessageW.USER32(?,00001057,00000000,?), ref: 006139C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 006139F4

Strings

SysListView32, xrefs: 006138F7

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: ceafc7f20c0fe6acbb555a9f8ef3865f24785ac05ef61759418dbdd5144d227c
Instruction ID: da334ab4c14c167b8815e4e36b17ec735b9559c1eb0f09eee1f553061da1b952
Opcode Fuzzy Hash: ceafc7f20c0fe6acbb555a9f8ef3865f24785ac05ef61759418dbdd5144d227c
Instruction Fuzzy Hash: C541A371A00219ABEF219F64CC49BEE7BAAFF48350F140526F959E7381D7719E84CB90

Function 005EBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005EBCFD
IsMenu.USER32(00000000), ref: 005EBD1D
CreatePopupMenu.USER32 ref: 005EBD53
GetMenuItemCount.USER32(015656F8), ref: 005EBDA4
InsertMenuItemW.USER32(015656F8,?,00000001,00000030), ref: 005EBDCC

Strings

2, xrefs: 005EBD37
0, xrefs: 005EBCA8

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 8e722f69d79aac438d27a9c1433f9edba08cbcf0e28e98acb2cccbf3bc4acc5b
Instruction ID: b7f2dd68f8a880339e65e228f3973f2dcc7834704550aec5f5a9e18468786247
Opcode Fuzzy Hash: 8e722f69d79aac438d27a9c1433f9edba08cbcf0e28e98acb2cccbf3bc4acc5b
Instruction Fuzzy Hash: 6251D170A0028A9BEF18CFAACE88BAFBFF5BF45316F148159E491D7290D7709940CB51

Function 005A2D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 005A2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 005A2D53
_ValidateLocalCookies.LIBCMT ref: 005A2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 005A2E0C
_ValidateLocalCookies.LIBCMT ref: 005A2E61

Strings

&HZ, xrefs: 005A2DFE, 005A2E07, 005A2E18
csm, xrefs: 005A2DF6

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &HZ$csm
API String ID: 1170836740-3069864593
Opcode ID: fd4c9fd5c432b96565d0de94e914c589a820b79a0296604a0f81d5ab0cd5d2e2
Instruction ID: 8d97833571b92919cd2e30723a6a72d707c2c1bb910938419147496dd4115f8f
Opcode Fuzzy Hash: fd4c9fd5c432b96565d0de94e914c589a820b79a0296604a0f81d5ab0cd5d2e2
Instruction Fuzzy Hash: 86417134A0120AABCF10DF6CC856A9EBFA5BF86328F148155E814AB353D735DE56CB90

Function 005EC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 005EC913

Strings

warning, xrefs: 005EC8FC
info, xrefs: 005EC8B4
stop, xrefs: 005EC8E4
question, xrefs: 005EC8CC
blank, xrefs: 005EC895

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 95e3f9e10cb32de1680c06eaf3a05bc494f6d4a46449736ff29b83424aa7eef8
Instruction ID: 60f11ba1b258f55f90bad220468c67b3489fe7f10bd4cd30a903c9d60b0cd51d
Opcode Fuzzy Hash: 95e3f9e10cb32de1680c06eaf3a05bc494f6d4a46449736ff29b83424aa7eef8
Instruction Fuzzy Hash: 95115B31689347BAE7089B55DC82CAE2F9CFF16724B11002AF440E6183D7B4ED415669

Function 006140AD Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0058600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0058604C
Part of subcall function 0058600E: GetStockObject.GDI32(00000011), ref: 00586060
Part of subcall function 0058600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0058606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00614112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0061411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0061412A
SendMessageW.USER32(?,00000401,00000000,_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{), ref: 00614139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00614145

Strings

Msctls_Progress32, xrefs: 006140E3
_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{, xrefs: 0061412C

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32$_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{
API String ID: 1025951953-2851661608
Opcode ID: f1a303739460f764a7d1b2c41bea4d02ef2c7533bb19a12dda7ace2c011a7244
Instruction ID: 95bb7e2b7762469e6bed30ae9e05cb79287202abe0721ccc0630b55e11f15ff6
Opcode Fuzzy Hash: f1a303739460f764a7d1b2c41bea4d02ef2c7533bb19a12dda7ace2c011a7244
Instruction Fuzzy Hash: 9E11B6B2140219BEEF119F64CC86EE77F5EEF09798F014111FA18A6150CB729C61DBA4

Function 005EDE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 005EDE42
gethostname.WSOCK32(?,00000100), ref: 005EDE5C
gethostbyname.WSOCK32(?), ref: 005EDE69
inet_ntoa.WSOCK32(?), ref: 005EDEAB
_strcat.LIBCMT ref: 005EDEB9
WSACleanup.WSOCK32 ref: 005EDEDE

Strings

0.0.0.0, xrefs: 005EDE87

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: c0bdfc06a80806d709c584a1783cd0fdc4f0ba84bd4c3e7f865249b73c280c0e
Instruction ID: caa00988461ec10407e5dfa44eee6f7055e122583a34857f0c9a5806f3f2cac1
Opcode Fuzzy Hash: c0bdfc06a80806d709c584a1783cd0fdc4f0ba84bd4c3e7f865249b73c280c0e
Instruction Fuzzy Hash: BB11E771904115AFCB246B61DC4EDEF7FBDFB55720F05016AF44596091EFB18A818A60

Function 005EED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 005EED2A
_wcslen.LIBCMT ref: 005EED3B
_wcslen.LIBCMT ref: 005EED79
_wcslen.LIBCMT ref: 005EEDAF
_wcslen.LIBCMT ref: 005EEDDF
_wcslen.LIBCMT ref: 005EEDEF
_wcslen.LIBCMT ref: 005EEE2B
_wcslen.LIBCMT ref: 005EEE5A

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: f0d7bb799f8bfdc160f7987e9d983afb804a8358ca862f928f2e0c69f99dc7a7
Instruction ID: 303f6f56d9b620b4046b38a7cb826e55058d11f66bd954f8943cf006aa6967e5
Opcode Fuzzy Hash: f0d7bb799f8bfdc160f7987e9d983afb804a8358ca862f928f2e0c69f99dc7a7
Instruction Fuzzy Hash: 15419265C10159A9CB11EBF48C8EACFBBACBF86310F508466E514E3122EB34D255C7A5

Function 0059F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,005D682C,00000004,00000000,00000000), ref: 0059F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,005D682C,00000004,00000000,00000000), ref: 005DF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,005D682C,00000004,00000000,00000000), ref: 005DF454

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: ef75d15257b67a064a0ea27e3e4be8b91f98d065bf6cf461d9e78415f0eb7357
Instruction ID: 23b90a52de5eb829d1be95d3bf87b812842e870cea76bc824c636be83fe91437
Opcode Fuzzy Hash: ef75d15257b67a064a0ea27e3e4be8b91f98d065bf6cf461d9e78415f0eb7357
Instruction Fuzzy Hash: 04412B31608680BECF399B3DD88876A7F93BB56324F18983FE047D6660D675A880C711

Function 00612D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00612D1B
GetDC.USER32(00000000), ref: 00612D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00612D2E
ReleaseDC.USER32(00000000,00000000), ref: 00612D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00612D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00612D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00615A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00612DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00612DE1

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 9f696234702e7dceee56c7041f1e27ffb437e3ba6552f4f369223aa517b23e99
Instruction ID: bdd20e641fc508b0894b24db4846ffe830fe5f8b1c38b075f06c029763eb7da6
Opcode Fuzzy Hash: 9f696234702e7dceee56c7041f1e27ffb437e3ba6552f4f369223aa517b23e99
Instruction Fuzzy Hash: 00317F72241214BFEB158F50DC8AFEB3BAAEF09725F089056FE089A291C6759C50C7A4

Function 005E5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 005E5637
_memcmp.LIBVCRUNTIME ref: 005E5659
_memcmp.LIBVCRUNTIME ref: 005E5671
_memcmp.LIBVCRUNTIME ref: 005E5684
_memcmp.LIBVCRUNTIME ref: 005E569E
_memcmp.LIBVCRUNTIME ref: 005E56B1
_memcmp.LIBVCRUNTIME ref: 005E56C9
_memcmp.LIBVCRUNTIME ref: 005E56E4

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 9d40ec30f82f0db53b2684ebc26a24abe042a62c03dde289a645ace78fc3cb0c
Instruction ID: fb7497cf17406f08632d70095259fbd811abef6cab5d28a94a64d946d9c363f1
Opcode Fuzzy Hash: 9d40ec30f82f0db53b2684ebc26a24abe042a62c03dde289a645ace78fc3cb0c
Instruction Fuzzy Hash: 4121D761640E4A7BD61C9B228E92FFF3B5DBF6138CF480421FD469A581F760ED1081E9

Function 00604FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0060502E, 00605383
Not an Object type, xrefs: 00605007

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 512f735618b42793ebf8c8d014d412f189d574bfd8211eaec8d8d09c94ad7e77
Instruction ID: 664959d6cd927b940ed858cefa8abec2b7995a41799b5720f20b35794dc7fd1d
Opcode Fuzzy Hash: 512f735618b42793ebf8c8d014d412f189d574bfd8211eaec8d8d09c94ad7e77
Instruction Fuzzy Hash: 02D19E71A8060A9FDF18CF98C885AEFB7B6BF48344F148469E916AB281E770DD45CF50

Function 005C1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,005C17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 005C15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,005C17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 005C1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,005C17FB,?,005C17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 005C16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,005C17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 005C16FB

Part of subcall function 005B3820: RtlAllocateHeap.NTDLL(00000000,?,00651444,?,0059FDF5,?,?,0058A976,00000010,00651440,005813FC,?,005813C6,?,00581129), ref: 005B3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,005C17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 005C1777
__freea.LIBCMT ref: 005C17A2
__freea.LIBCMT ref: 005C17AE

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: f1549b5ca5da1db9f649441cc1a4b5c2e73e4a67c2e4d29b04f82f8592bae8c2
Instruction ID: 487cc0da234390410194debd652d22a333561348585104de0268bcd3027ad589
Opcode Fuzzy Hash: f1549b5ca5da1db9f649441cc1a4b5c2e73e4a67c2e4d29b04f82f8592bae8c2
Instruction Fuzzy Hash: AE918071E00A169EDB208EA4C995FEE7FF5FB4A710F18465DE802E6142DB25DC408BA8

Function 00604523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00604648
VariantInit.OLEAUT32(?), ref: 00604749
VariantClear.OLEAUT32(?), ref: 00604753
VariantClear.OLEAUT32(?), ref: 006047B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 006045D8, 00604706, 006047BE
Incorrect Object type in FOR..IN loop, xrefs: 0060472C

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 4267454b059ee3bdb14aff649311071e82dd71e83e9e1bc63c5799ed55dc75f2
Instruction ID: ba640af9e28db937237654e9a1b1c4a3d43f3b16d3ad4592bf4f519c98faa2b9
Opcode Fuzzy Hash: 4267454b059ee3bdb14aff649311071e82dd71e83e9e1bc63c5799ed55dc75f2
Instruction Fuzzy Hash: E29171B1A40215ABDF34CFA4C844FEFBBBAEF46714F148559F605AB280DB709941CBA0

Function 005F1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 005F125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 005F1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 005F12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 005F12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 005F135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 005F13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 005F1430

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 625db872bd1d72213170c937e7784b4dd1df2efc675d209195692f29cdf3f6c7
Instruction ID: 0d313535bf0c233c5f5cac17d087ea236434190f63f7cf8ca400ee50c5a476ea
Opcode Fuzzy Hash: 625db872bd1d72213170c937e7784b4dd1df2efc675d209195692f29cdf3f6c7
Instruction Fuzzy Hash: E891E475A0060DDFDB00DF94C889BBEBBB5FF85325F144429EA10EB291D778A941CB98

Function 0059948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: ce4a47aea2f9059eb8d8ead51db68f2e19e1b06573408fbae7ebd78f108c0de8
Instruction ID: 5c68c7ee12af64bd612b42a50bde9fc299746e1b63d429a76627262e571e0740
Opcode Fuzzy Hash: ce4a47aea2f9059eb8d8ead51db68f2e19e1b06573408fbae7ebd78f108c0de8
Instruction Fuzzy Hash: 02912571940219AFCF11CFA9C888AEEBFB9FF89320F14845AE515B7251D375A941CB60

Function 00603947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0060396B
CharUpperBuffW.USER32(?,?), ref: 00603A7A
_wcslen.LIBCMT ref: 00603A8A
VariantClear.OLEAUT32(?), ref: 00603C1F

Part of subcall function 005F0CDF: VariantInit.OLEAUT32(00000000), ref: 005F0D1F
Part of subcall function 005F0CDF: VariantCopy.OLEAUT32(?,?), ref: 005F0D28
Part of subcall function 005F0CDF: VariantClear.OLEAUT32(?), ref: 005F0D34

Strings

AUTOIT.ERROR, xrefs: 00603A80, 00603A85
Incorrect Parameter format, xrefs: 006039A6, 00603BA1

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 89e713969fda07e1d93f7cf35f7bbc714cf5a1f5e70928b244258c51dea3263a
Instruction ID: 23e406550ced2f07a8bf3701c9586669b24c14a138897c03f78718e9743b396e
Opcode Fuzzy Hash: 89e713969fda07e1d93f7cf35f7bbc714cf5a1f5e70928b244258c51dea3263a
Instruction Fuzzy Hash: 769149746083069FC704EF24C48596BBBE9BF89315F14882DF8899B391DB30EE05CB92

Function 00604BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 005E000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,005DFF41,80070057,?,?,?,005E035E), ref: 005E002B
Part of subcall function 005E000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,005DFF41,80070057,?,?), ref: 005E0046
Part of subcall function 005E000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,005DFF41,80070057,?,?), ref: 005E0054
Part of subcall function 005E000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,005DFF41,80070057,?), ref: 005E0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00604C51
_wcslen.LIBCMT ref: 00604D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00604DCF
CoTaskMemFree.OLE32(?), ref: 00604DDA

Strings

NULL Pointer assignment, xrefs: 00604E23, 00604E52

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 947061b5a50429d3284fa7381110663343e6a67fabd0fdfa470ce3efd90cb8b5
Instruction ID: f7fc782109b6b244c147f039471aacf696b3427082542817b28d57fd567c1f0d
Opcode Fuzzy Hash: 947061b5a50429d3284fa7381110663343e6a67fabd0fdfa470ce3efd90cb8b5
Instruction Fuzzy Hash: D3912AB1D0021E9FDF24DFA4C895AEEBBB9BF48310F10456AE915B7291DB305A45CF60

Function 006120FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00612183
GetMenuItemCount.USER32(00000000), ref: 006121B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 006121DD
_wcslen.LIBCMT ref: 00612213
GetMenuItemID.USER32(?,?), ref: 0061224D
GetSubMenu.USER32(?,?), ref: 0061225B

Part of subcall function 005E3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 005E3A57
Part of subcall function 005E3A3D: GetCurrentThreadId.KERNEL32 ref: 005E3A5E
Part of subcall function 005E3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005E25B3), ref: 005E3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 006122E3

Part of subcall function 005EE97B: Sleep.KERNEL32 ref: 005EE9F3

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: b7966c66a04bbd2a9ed36c566044fb4e1770a7e6301c6f6b24179f7271a47fc8
Instruction ID: 94b5487c9938fcc8500577dd451eefe98606c5a744b280172b0fad7daf4f42da
Opcode Fuzzy Hash: b7966c66a04bbd2a9ed36c566044fb4e1770a7e6301c6f6b24179f7271a47fc8
Instruction Fuzzy Hash: 8F718675A00206AFCB14DF64C855AEEBBF6FF88310F188459E916EB351D734EE918B90

Function 00617E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01565680), ref: 00617F37
IsWindowEnabled.USER32(01565680), ref: 00617F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0061801E
SendMessageW.USER32(01565680,000000B0,?,?), ref: 00618051
IsDlgButtonChecked.USER32(?,?), ref: 00618089
GetWindowLongW.USER32(01565680,000000EC), ref: 006180AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 006180C3

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: c706713b76b4ac6ba74d755e4dea4c7a16afaf8110bd556515ce22b0d491c256
Instruction ID: d9401aeeb07fdf1ace21007853cfa8fb1261fc71cfc6e11bdb601256edecedb2
Opcode Fuzzy Hash: c706713b76b4ac6ba74d755e4dea4c7a16afaf8110bd556515ce22b0d491c256
Instruction Fuzzy Hash: 07718C74608245AFEB219F64CC94FEBBBB7EF09300F18445AE94597361CB31A986DB10

Function 005EAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 005EAEF9
GetKeyboardState.USER32(?), ref: 005EAF0E
SetKeyboardState.USER32(?), ref: 005EAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 005EAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 005EAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 005EAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 005EB020

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 995dbd38a57dd6cad0602a00d0dd8f6fe032f47875d6ae2910b6d247479d4176
Instruction ID: 8034480678ff9cab08a87f1a98fe5674cffed3b63e6cd7aa1fbdc13d4c86675f
Opcode Fuzzy Hash: 995dbd38a57dd6cad0602a00d0dd8f6fe032f47875d6ae2910b6d247479d4176
Instruction Fuzzy Hash: 3C51C2A06047D53DFB3A83368849BBB7EA96B46304F088589E1E9458C3C398BCC4D751

Function 005EACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 005EAD19
GetKeyboardState.USER32(?), ref: 005EAD2E
SetKeyboardState.USER32(?), ref: 005EAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 005EADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 005EADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 005EAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 005EAE38

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 6b1fddffbed921a7c136927dd38095ee5c895adddadd52bb80dd2d46d1baac73
Instruction ID: 0a9bae7e5c3e013c020fd677771d64f49e15ce9acf9e266c9d3fcb10f2872efd
Opcode Fuzzy Hash: 6b1fddffbed921a7c136927dd38095ee5c895adddadd52bb80dd2d46d1baac73
Instruction Fuzzy Hash: 8051F5A19047D53DFB3B83368C95BBABEA97F46300F088489E1D5468C2C294FC88D762

Function 005B542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(005C3CD6,?,?,?,?,?,?,?,?,005B5BA3,?,?,005C3CD6,?,?), ref: 005B5470
__fassign.LIBCMT ref: 005B54EB
__fassign.LIBCMT ref: 005B5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,005C3CD6,00000005,00000000,00000000), ref: 005B552C
WriteFile.KERNEL32(?,005C3CD6,00000000,005B5BA3,00000000,?,?,?,?,?,?,?,?,?,005B5BA3,?), ref: 005B554B
WriteFile.KERNEL32(?,?,00000001,005B5BA3,00000000,?,?,?,?,?,?,?,?,?,005B5BA3,?), ref: 005B5584

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 310fe5589f8d7d596c5135ddae833cd239de687902609023d4ebe56c0cf1b2b9
Instruction ID: 314934ae5c5a8ec0164b52eac4f7c0bcc71f55c5d81758a379decbf9e7af596a
Opcode Fuzzy Hash: 310fe5589f8d7d596c5135ddae833cd239de687902609023d4ebe56c0cf1b2b9
Instruction Fuzzy Hash: 1851CF70A00649AFDB24CFA8D845BEEBFF9FF09301F14451AE955E7291E630AA41CB60

Function 006010B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0060304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0060307A
Part of subcall function 0060304E: _wcslen.LIBCMT ref: 0060309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00601112
WSAGetLastError.WSOCK32 ref: 00601121
WSAGetLastError.WSOCK32 ref: 006011C9
closesocket.WSOCK32(00000000), ref: 006011F9

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 5c2eea30a42bdecf5ea7e7cd76b696dbafa4776d7ce622e217da9a1372df5d3e
Instruction ID: c3ea9dd9ec3d3a45dcee27fbc19678eefeec4bec942f034cc9ef29b632745820
Opcode Fuzzy Hash: 5c2eea30a42bdecf5ea7e7cd76b696dbafa4776d7ce622e217da9a1372df5d3e
Instruction Fuzzy Hash: 3B41B231640214AFDB189F24C884BEABBAAFF46328F148099FD159F3D1D770AD41CBA1

Function 005ECF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 005EDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,005ECF22,?), ref: 005EDDFD

Part of subcall function 005EDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,005ECF22,?), ref: 005EDE16

lstrcmpiW.KERNEL32(?,?), ref: 005ECF45
MoveFileW.KERNEL32(?,?), ref: 005ECF7F
_wcslen.LIBCMT ref: 005ED005
_wcslen.LIBCMT ref: 005ED01B
SHFileOperationW.SHELL32(?), ref: 005ED061

Strings

\*.*, xrefs: 005ECFF3

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 89c9b12026a1b5e928a37972abd197d7b2da47cc0b951c56ebdd88ed9b66ab71
Instruction ID: d075fe5f6bf10c5d3e491a9e50a00307444dfe519be27c124e1a6a01171859c9
Opcode Fuzzy Hash: 89c9b12026a1b5e928a37972abd197d7b2da47cc0b951c56ebdd88ed9b66ab71
Instruction Fuzzy Hash: C3419471C452595FDF16EBA1C985ADEBFB9BF48380F0000E6E545EB141EA34E689CB50

Function 00612DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00612E1C
GetWindowLongW.USER32(?,000000F0), ref: 00612E4F
GetWindowLongW.USER32(?,000000F0), ref: 00612E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00612EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00612EE0
GetWindowLongW.USER32(?,000000F0), ref: 00612EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00612F0B

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: e1f6d30885c9ee8af80c20fafc87156773fcdcd229965de4ee25a72ced588e49
Instruction ID: f7a950446eee939d730dfe2408f1ccf123ea5612a235550f298c1fb86a6f94d8
Opcode Fuzzy Hash: e1f6d30885c9ee8af80c20fafc87156773fcdcd229965de4ee25a72ced588e49
Instruction Fuzzy Hash: 7F31F4306442529FDB21CF58DC94FE937E2EB4A721F195165FA148F2B1CB71ACA09B41

Function 005E7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005E7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005E778F
SysAllocString.OLEAUT32(00000000), ref: 005E7792
SysAllocString.OLEAUT32(?), ref: 005E77B0
SysFreeString.OLEAUT32(?), ref: 005E77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 005E77DE
SysAllocString.OLEAUT32(?), ref: 005E77EC

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: f4fc7900c464265be67cd404df487fcd6fcd9f3dccd354d5cf1d4f374b738fcb
Instruction ID: ee2e045779ad33b2ad040f4c5a35343e07c084518bfa4943d069994a1a40bb27
Opcode Fuzzy Hash: f4fc7900c464265be67cd404df487fcd6fcd9f3dccd354d5cf1d4f374b738fcb
Instruction Fuzzy Hash: 90219C76608269AFDF149FA9CC88CBB7BADFB093647048426FA54DB150D6709C428760

Function 005E77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005E7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005E7868
SysAllocString.OLEAUT32(00000000), ref: 005E786B
SysAllocString.OLEAUT32 ref: 005E788C
SysFreeString.OLEAUT32 ref: 005E7895
StringFromGUID2.OLE32(?,?,00000028), ref: 005E78AF
SysAllocString.OLEAUT32(?), ref: 005E78BD

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 5092dc73fcf67c67cff6b0391aac8e7dceafa5cec057e135eb2fcef03828c9bf
Instruction ID: b1e7886006c00f1042f326bc74c116badadadb9d33815a2ec90059ddfd29d516
Opcode Fuzzy Hash: 5092dc73fcf67c67cff6b0391aac8e7dceafa5cec057e135eb2fcef03828c9bf
Instruction Fuzzy Hash: EB21B03160C258AFDB149FA9CC8CDAA7BECFB1C3607148026F954CB2A0D670DC41CB64

Function 005F04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 005F04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 005F052E

Strings

nul, xrefs: 005F0567

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 5c1174da66db0664f05dfb0d2215cd78696e8e941f880b5b988c04234620ce65
Instruction ID: b0019f55552a28f220096bf29bf11f360550d74d7fc43b3d2cf5d290187d549c
Opcode Fuzzy Hash: 5c1174da66db0664f05dfb0d2215cd78696e8e941f880b5b988c04234620ce65
Instruction Fuzzy Hash: CD218D71600319ABDF208F29DC44ABA7BE5BF44724F285A19FAA1D72E1D7B4D940CF20

Function 005F05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 005F05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 005F0601

Strings

nul, xrefs: 005F0639

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: c17fd760c18ef1a7c8749f0794e29334a9136f918b0ab78d852cdadea3c0e491
Instruction ID: c613f9a73e685b88f8368041e616ba8e7d65f5d7ba910419d52b64b0bbc39742
Opcode Fuzzy Hash: c17fd760c18ef1a7c8749f0794e29334a9136f918b0ab78d852cdadea3c0e491
Instruction Fuzzy Hash: B421B5755003199BDB208F68CC04ABA7BE4BF85730F285E19FEA1E72D1D7B49960CB10

Function 005BD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 005BD7A3: _free.LIBCMT ref: 005BD7CC

_free.LIBCMT ref: 005BD82D

Part of subcall function 005B29C8: HeapFree.KERNEL32(00000000,00000000,?,005BD7D1,00000000,00000000,00000000,00000000,?,005BD7F8,00000000,00000007,00000000,?,005BDBF5,00000000), ref: 005B29DE
Part of subcall function 005B29C8: GetLastError.KERNEL32(00000000,?,005BD7D1,00000000,00000000,00000000,00000000,?,005BD7F8,00000000,00000007,00000000,?,005BDBF5,00000000,00000000), ref: 005B29F0

_free.LIBCMT ref: 005BD838
_free.LIBCMT ref: 005BD843
_free.LIBCMT ref: 005BD897
_free.LIBCMT ref: 005BD8A2
_free.LIBCMT ref: 005BD8AD
_free.LIBCMT ref: 005BD8B8

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 21708a90843faba8f5ea19126ed09bea41547f114c2211c4078815b09ff9d0a0
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: E811F671940B05BADA21BFB0CC4AFCB7FACBF84700F404C25B29DA6492EA69B5458670

Function 005EDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 005EDA74
LoadStringW.USER32(00000000), ref: 005EDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 005EDA91
LoadStringW.USER32(00000000), ref: 005EDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 005EDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 005EDAB9

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 3cf1742cf2f45c1552899fb39e2a07dc033e52f318e7b71c7ce93adca9e2c5c7
Instruction ID: 030b7e27e49c61daa21e51c7bb92e50c992329139a7a92edfb9cdcbb3c59d2cf
Opcode Fuzzy Hash: 3cf1742cf2f45c1552899fb39e2a07dc033e52f318e7b71c7ce93adca9e2c5c7
Instruction Fuzzy Hash: 260186F65402087FE7109BA4DD89EEB377DE708311F4494A2B746E2041E6749E844F74

Function 005F096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0155D300,0155D300), ref: 005F097B
EnterCriticalSection.KERNEL32(0155D2E0,00000000), ref: 005F098D
TerminateThread.KERNEL32(?,000001F6), ref: 005F099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 005F09A9
CloseHandle.KERNEL32(?), ref: 005F09B8
InterlockedExchange.KERNEL32(0155D300,000001F6), ref: 005F09C8
LeaveCriticalSection.KERNEL32(0155D2E0), ref: 005F09CF

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 794b098e86dc2d266884600c1907bc130577d8057ef8e92a7903c963ffdf26c6
Instruction ID: 7017d79fda1f3a860348c9ac5b0fbfa5ba4e017e696e9fb062a2f399475d41c9
Opcode Fuzzy Hash: 794b098e86dc2d266884600c1907bc130577d8057ef8e92a7903c963ffdf26c6
Instruction Fuzzy Hash: 7DF08131482A12BBD7411F90EE8CBEA7B36FF01712F487012F201518A1C7789561CF90

Function 00601C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00601DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00601DE1
WSAGetLastError.WSOCK32 ref: 00601DF2
htons.WSOCK32(?,?,?,?,?), ref: 00601EDB
inet_ntoa.WSOCK32(?), ref: 00601E8C

Part of subcall function 005E39E8: _strlen.LIBCMT ref: 005E39F2

Part of subcall function 00603224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,005FEC0C), ref: 00603240

_strlen.LIBCMT ref: 00601F35

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 46083e60c83c6044ab5f92a5a464a67204b1bdaed5857ea56957bc0ebeb4b0f2
Instruction ID: 11196386fdfac7b80a7e90bec24c818acda5c8537a58902c46c34ae2640cb2e3
Opcode Fuzzy Hash: 46083e60c83c6044ab5f92a5a464a67204b1bdaed5857ea56957bc0ebeb4b0f2
Instruction Fuzzy Hash: 2FB1A030244342AFD718EF24C895E6A7BE6AF85318F54854CF4565F2E2DB31ED42CB91

Function 00585D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00585D30
GetWindowRect.USER32(?,?), ref: 00585D71
ScreenToClient.USER32(?,?), ref: 00585D99
GetClientRect.USER32(?,?), ref: 00585ED7
GetWindowRect.USER32(?,?), ref: 00585EF8

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 9a0fa702767438b0899af682e68f6819f909a54170bbf370f930af65bfecc585
Instruction ID: 475bfe18bbbb00a5667f8a4905a85e67bc69c53f9948d1c815aba35d0627e63e
Opcode Fuzzy Hash: 9a0fa702767438b0899af682e68f6819f909a54170bbf370f930af65bfecc585
Instruction Fuzzy Hash: D7B16A74A0064ADFDB10DFA9C840BEEBBF5FF54310F14981AE8A9E7250E734AA51DB50

Function 005B01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 005B00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005B00D6
__allrem.LIBCMT ref: 005B00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005B010B
__allrem.LIBCMT ref: 005B0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005B0140

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: f4cfb48a8f83fa9c5c3ef31e7fd4651a35d814c7f93e5713bcc2f30027ceae2d
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: A181C571A00B069FE724AE68CC45BAF7BE9BF82764F24453EF551D62C1E7B0E9008754

Function 005B61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,005A82D9,005A82D9,?,?,?,005B644F,00000001,00000001,8BE85006), ref: 005B6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,005B644F,00000001,00000001,8BE85006,?,?,?), ref: 005B62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 005B63D8
__freea.LIBCMT ref: 005B63E5

Part of subcall function 005B3820: RtlAllocateHeap.NTDLL(00000000,?,00651444,?,0059FDF5,?,?,0058A976,00000010,00651440,005813FC,?,005813C6,?,00581129), ref: 005B3852

__freea.LIBCMT ref: 005B63EE
__freea.LIBCMT ref: 005B6413

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 6d328cc8eb4a0d70116267497f684ded03bdbbf91e8137c9c7708440080560de
Instruction ID: 876d44cb00b03b70172f3040cf197247a90358f2cd75212166bf4d9712a10a3b
Opcode Fuzzy Hash: 6d328cc8eb4a0d70116267497f684ded03bdbbf91e8137c9c7708440080560de
Instruction Fuzzy Hash: 4B519172600216ABEB258F64DC85EEF7FAAFB84750F154A29FD05D7140DB38EC44DA60

Function 0060BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00589CB3: _wcslen.LIBCMT ref: 00589CBD

Part of subcall function 0060C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0060B6AE,?,?), ref: 0060C9B5
Part of subcall function 0060C998: _wcslen.LIBCMT ref: 0060C9F1
Part of subcall function 0060C998: _wcslen.LIBCMT ref: 0060CA68
Part of subcall function 0060C998: _wcslen.LIBCMT ref: 0060CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0060BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0060BD25
RegCloseKey.ADVAPI32(00000000), ref: 0060BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0060BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0060BDF3
RegCloseKey.ADVAPI32(?), ref: 0060BDFF

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: bc1b897af43fc864a9edbae66255da3d5559eefdb6d05793af1efc19bfdaaa6a
Instruction ID: 782e32f8f7361c1d19c346f6dedec179a5ccec49bd1f7ffe5120f412252cd0b9
Opcode Fuzzy Hash: bc1b897af43fc864a9edbae66255da3d5559eefdb6d05793af1efc19bfdaaa6a
Instruction Fuzzy Hash: A0818F30108242AFD718DF24C895E6BBBE6FF84308F14995DF4559B2A2DB31ED45CB92

Function 005DF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 005DF7B9
SysAllocString.OLEAUT32(00000001), ref: 005DF860
VariantCopy.OLEAUT32(005DFA64,00000000), ref: 005DF889
VariantClear.OLEAUT32(005DFA64), ref: 005DF8AD
VariantCopy.OLEAUT32(005DFA64,00000000), ref: 005DF8B1
VariantClear.OLEAUT32(?), ref: 005DF8BB

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: e0e8e669fb1daed50fdbd98836ada5cac1079e44e1a1659d24a15b065068f586
Instruction ID: b092bf448c11cc679a86ae71f4bf050d0df5be60abb01b8150944cee96b1d310
Opcode Fuzzy Hash: e0e8e669fb1daed50fdbd98836ada5cac1079e44e1a1659d24a15b065068f586
Instruction Fuzzy Hash: 3551B831940311BADF30AB69D899B297BA9FF85310B149467ED07EF391D7708C40D766

Function 005F910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00587620: _wcslen.LIBCMT ref: 00587625

Part of subcall function 00586B57: _wcslen.LIBCMT ref: 00586B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 005F94E5
_wcslen.LIBCMT ref: 005F9506
_wcslen.LIBCMT ref: 005F952D
GetSaveFileNameW.COMDLG32(00000058), ref: 005F9585

Strings

X, xrefs: 005F9412

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 4508ae0025d6550267b3181880695b7851a260d2e14cf6316ecc7b0ec3e7cf05
Instruction ID: 26885c4a848ebc4632f856b9c1ad0b5dd2674c8db51b3bc103e6d42288f5c4d4
Opcode Fuzzy Hash: 4508ae0025d6550267b3181880695b7851a260d2e14cf6316ecc7b0ec3e7cf05
Instruction Fuzzy Hash: 60E1A0315087028FD724EF24C485B6ABBE4BFC5314F14896DF9899B2A2EB35DD05CB92

Function 0059920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00599BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00599BB2

BeginPaint.USER32(?,?,?), ref: 00599241
GetWindowRect.USER32(?,?), ref: 005992A5
ScreenToClient.USER32(?,?), ref: 005992C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 005992D3
EndPaint.USER32(?,?,?,?,?), ref: 00599321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 005D71EA

Part of subcall function 00599339: BeginPath.GDI32(00000000), ref: 00599357

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: fa731d7af67211ba5a954d81abe4260a1cb0ce26fc322be8fca8f7d72eb0dddf
Instruction ID: cefd9f91a68c44efb140fe5410154c75cb747200cdc63d3964b7196097f921fb
Opcode Fuzzy Hash: fa731d7af67211ba5a954d81abe4260a1cb0ce26fc322be8fca8f7d72eb0dddf
Instruction Fuzzy Hash: BE419D70104301AFDB21DF68CC85FAA7FA9FB8A321F14062EF9958B2A1D7319845DB61

Function 005F07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 005F080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 005F0847
EnterCriticalSection.KERNEL32(?), ref: 005F0863
LeaveCriticalSection.KERNEL32(?), ref: 005F08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 005F08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 005F0921

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 3a483a312895a2213395fd25afd698b3692c8450acc786dd042aa1813b3bd317
Instruction ID: c438df804b9656d15fd162bc33a4f9b10667e9d63c37fd7361879dc13f247b7d
Opcode Fuzzy Hash: 3a483a312895a2213395fd25afd698b3692c8450acc786dd042aa1813b3bd317
Instruction Fuzzy Hash: 9A416A71A00209EBDF15AF54DC85AAA7BB9FF44310F1880A5ED00DB297DB74DE64DBA0

Function 006181DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,005DF3AB,00000000,?,?,00000000,?,005D682C,00000004,00000000,00000000), ref: 0061824C
EnableWindow.USER32(?,00000000), ref: 00618272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 006182D1
ShowWindow.USER32(?,00000004), ref: 006182E5
EnableWindow.USER32(?,00000001), ref: 0061830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0061832F

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 58a99b7619243bd5c8e7c4d994cfc524f7d7490398438534d5265d34c1d2a3fa
Instruction ID: 2729b4835d8e4cd98055135dc509b74d276e9ac43d58f4b69318773f677823b6
Opcode Fuzzy Hash: 58a99b7619243bd5c8e7c4d994cfc524f7d7490398438534d5265d34c1d2a3fa
Instruction Fuzzy Hash: 53419234601644AFDB22CF64C899BE87BF2BB0A715F1C5169E5184F2A2CB71A981CB90

Function 005E4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 005E4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 005E4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 005E4CEA
_wcslen.LIBCMT ref: 005E4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 005E4D10
_wcsstr.LIBVCRUNTIME ref: 005E4D1A

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 5fd755c219132f6b7a5afa460efdd6b5206ad54150f51cf5b8ec6b0f8ba8540d
Instruction ID: 21165d63d564f150b9439b94ca2df877f3df1c34a67d1e992a699ca7e8005cd9
Opcode Fuzzy Hash: 5fd755c219132f6b7a5afa460efdd6b5206ad54150f51cf5b8ec6b0f8ba8540d
Instruction Fuzzy Hash: 8D21F9316042417BEB195B3A9D49E7F7F9DEF85760F14802AF849CA192DA61DC409BA0

Function 005F581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00583AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00583A97,?,?,00582E7F,?,?,?,00000000), ref: 00583AC2

_wcslen.LIBCMT ref: 005F587B
CoInitialize.OLE32(00000000), ref: 005F5995
CoCreateInstance.OLE32(0061FCF8,00000000,00000001,0061FB68,?), ref: 005F59AE
CoUninitialize.OLE32 ref: 005F59CC

Strings

.lnk, xrefs: 005F5876, 005F58C1, 005F5985

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: a747670718a3101e897d22a4fe95adc96091057e54e1afce5c97fe79779480fc
Instruction ID: e1960a119ddf3e974749b960caa91469e4c68c2f65cf6ee9952ac0035aa72aef
Opcode Fuzzy Hash: a747670718a3101e897d22a4fe95adc96091057e54e1afce5c97fe79779480fc
Instruction Fuzzy Hash: 8DD176716087069FC714EF24C48492ABBE5FF89710F14885DFA8A9B361EB35EC45CB92

Function 005E175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005E0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 005E0FCA
Part of subcall function 005E0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 005E0FD6
Part of subcall function 005E0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 005E0FE5
Part of subcall function 005E0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 005E0FEC
Part of subcall function 005E0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 005E1002

GetLengthSid.ADVAPI32(?,00000000,005E1335), ref: 005E17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 005E17BA
HeapAlloc.KERNEL32(00000000), ref: 005E17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 005E17DA
GetProcessHeap.KERNEL32(00000000,00000000,005E1335), ref: 005E17EE
HeapFree.KERNEL32(00000000), ref: 005E17F5

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: b868c15609e126bcddb069fc4e28a1759bbac013f9a2510216c651d4caa2ebc9
Instruction ID: 95366090e07b507685a1555db490a3e5f13675fd458156c9bb8fb0349c9fa6f9
Opcode Fuzzy Hash: b868c15609e126bcddb069fc4e28a1759bbac013f9a2510216c651d4caa2ebc9
Instruction Fuzzy Hash: FE11BE31580605FFDB189FA5CC49BEE7BBAFB45765F148019F48197210C736A940DB64

Function 005E14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 005E14FF
OpenProcessToken.ADVAPI32(00000000), ref: 005E1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 005E1515
CloseHandle.KERNEL32(00000004), ref: 005E1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 005E154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 005E1563

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 6cd21c987a596613cf82ab3e8cf6170bddf1b26a1631d51c6b7d57a302552bc6
Instruction ID: aa91672b2f8441bee1458edc118d598a30988134b77fe7fb747f41c65c84348f
Opcode Fuzzy Hash: 6cd21c987a596613cf82ab3e8cf6170bddf1b26a1631d51c6b7d57a302552bc6
Instruction Fuzzy Hash: 67115972500289ABDF118F98DD49FDE7BAAFF48714F088016FA45A21A0C3728E60DB64

Function 005A3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,005A3379,005A2FE5), ref: 005A3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 005A339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 005A33B7
SetLastError.KERNEL32(00000000,?,005A3379,005A2FE5), ref: 005A3409

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: be72b10262a85909b0cd2444e6e5e57b776de4ff2d508ccb35d38d0e3fc97d2d
Instruction ID: 705121828291b76ba1ef54e06b76884afaf6970357cec95e655a0f06d3a2ede5
Opcode Fuzzy Hash: be72b10262a85909b0cd2444e6e5e57b776de4ff2d508ccb35d38d0e3fc97d2d
Instruction Fuzzy Hash: F601243260E312BEEF6427B47C995AF2E95FB4777D730022AF420812F0EF124D059544

Function 005B2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,005B5686,005C3CD6,?,00000000,?,005B5B6A,?,?,?,?,?,005AE6D1,?,00648A48), ref: 005B2D78
_free.LIBCMT ref: 005B2DAB
_free.LIBCMT ref: 005B2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,005AE6D1,?,00648A48,00000010,00584F4A,?,?,00000000,005C3CD6), ref: 005B2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,005AE6D1,?,00648A48,00000010,00584F4A,?,?,00000000,005C3CD6), ref: 005B2DEC
_abort.LIBCMT ref: 005B2DF2

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: acb796609b748fb9bfa9b6b3cecfe08a375b81dae0c98c81985b03304bba61aa
Instruction ID: 0d69f56ff0ec4b4c3d6e980fcbe05af9be55f6e0f070da86411fe603f387b5df
Opcode Fuzzy Hash: acb796609b748fb9bfa9b6b3cecfe08a375b81dae0c98c81985b03304bba61aa
Instruction Fuzzy Hash: 21F0A4365456026BC7223738AC0EADE2D5ABFC67B1F254919F82892196EE24B8025170

Function 00618A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00599639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00599693
Part of subcall function 00599639: SelectObject.GDI32(?,00000000), ref: 005996A2
Part of subcall function 00599639: BeginPath.GDI32(?), ref: 005996B9
Part of subcall function 00599639: SelectObject.GDI32(?,00000000), ref: 005996E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00618A4E
LineTo.GDI32(?,00000003,00000000), ref: 00618A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00618A70
LineTo.GDI32(?,00000000,00000003), ref: 00618A80
EndPath.GDI32(?), ref: 00618A90
StrokePath.GDI32(?), ref: 00618AA0

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 2df1c7f03fcb1ab430b4f08813e171c2a819dd29bfd8a41d79e327bf0052c1ad
Instruction ID: faaf4e3bf579199abc9b1d4651d5fe7ed74e065ee536eac2cdb07d6af2f509ae
Opcode Fuzzy Hash: 2df1c7f03fcb1ab430b4f08813e171c2a819dd29bfd8a41d79e327bf0052c1ad
Instruction Fuzzy Hash: 6811F77604010DFFDB129F95DC88EEA7F6EEB08365F04C012BA199A1A1C7729D55DBA0

Function 005E51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 005E5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 005E5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 005E5230
ReleaseDC.USER32(00000000,00000000), ref: 005E5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 005E524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 005E5261

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 0d55de6bbc2333cf46c6b0c91f66ab7473e72cc6438c167f6f3da31e28d1207a
Instruction ID: 4c8c2ef166c692817bfcd447150a0cbadb9c37a8fd6e7c313653233bc2e990a5
Opcode Fuzzy Hash: 0d55de6bbc2333cf46c6b0c91f66ab7473e72cc6438c167f6f3da31e28d1207a
Instruction Fuzzy Hash: D601A775E40705BBEB109BA69C49E9EBF79FF48361F049066FA04A7280D670DC00CFA0

Function 00581BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00581BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00581BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00581C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00581C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00581C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00581C22

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: f1edd80e3ad51506fe3a8b2a5692aba4832c19d83e576f85069044e8bfb9c506
Instruction ID: 34886289471188d47ef0f7657e5334dbd231efe9fbde9e165c9f3e795de1c486
Opcode Fuzzy Hash: f1edd80e3ad51506fe3a8b2a5692aba4832c19d83e576f85069044e8bfb9c506
Instruction Fuzzy Hash: 560167B0942B5ABDE3008F6A8C85B56FFA8FF19354F04411BA15C4BA42C7F5A864CBE5

Function 005EEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 005EEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 005EEB46
GetWindowThreadProcessId.USER32(?,?), ref: 005EEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 005EEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 005EEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 005EEB75

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 957922c9cfd9eea3308d50a2b013753e83a2bd51d1b7a45e37c6b0882c985292
Instruction ID: 7b898d8579f17c1bbd9ff12cbf66c9ca11af58d5e15758f3a88054259518acb3
Opcode Fuzzy Hash: 957922c9cfd9eea3308d50a2b013753e83a2bd51d1b7a45e37c6b0882c985292
Instruction Fuzzy Hash: 93F09A72280568BBE7215B629C0EEEF3E7DEFCAB21F04915AF601D1090E7A01A01C6B4

Function 005D7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 005D7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 005D7469
GetWindowDC.USER32(?), ref: 005D7475
GetPixel.GDI32(00000000,?,?), ref: 005D7484
ReleaseDC.USER32(?,00000000), ref: 005D7496
GetSysColor.USER32(00000005), ref: 005D74B0

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 6102c6fc76077552a72bb9ed1455bc50eb43e1f886334e273813b795c3edf8b7
Instruction ID: e6ba147ebfcbeb6dce0522952a0ea47a25829c643373b2ae45bafccccde1a933
Opcode Fuzzy Hash: 6102c6fc76077552a72bb9ed1455bc50eb43e1f886334e273813b795c3edf8b7
Instruction Fuzzy Hash: D2018B31440219EFDB619F68DC08BEE7FB6FB08322F589066F915A21A0CB311E51EB50

Function 005E1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 005E187F
UnloadUserProfile.USERENV(?,?), ref: 005E188B
CloseHandle.KERNEL32(?), ref: 005E1894
CloseHandle.KERNEL32(?), ref: 005E189C
GetProcessHeap.KERNEL32(00000000,?), ref: 005E18A5
HeapFree.KERNEL32(00000000), ref: 005E18AC

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 86df54c2818f76a06d12b8bdc8e5ac166e1398c53121ddd7f0b44788b3f6d6e4
Instruction ID: c6e870b05475c535a55d10fd0c5517748bf0531005a150b2a2c0d1f3c78fb270
Opcode Fuzzy Hash: 86df54c2818f76a06d12b8bdc8e5ac166e1398c53121ddd7f0b44788b3f6d6e4
Instruction Fuzzy Hash: 83E0C236484A51BBDB015BA1ED0D98ABB2AFB49B32B14D222F225810B0CB729420EB50

Function 0058BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0058BEB3

Strings

D%e, xrefs: 0058BE9A
D%e, xrefs: 0058BDED, 0058BD91, 0058BD1B
D%eD%e, xrefs: 0058BCA5
D%e, xrefs: 0058BCA2

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%e$D%e$D%e$D%eD%e
API String ID: 1385522511-4060382725
Opcode ID: 158f5abb3c332663e7c301b06d5bb8c30268bbd93655ee3c44423b77a0ea53c8
Instruction ID: 7fee58eb461eb351cd2c99f200e7631d145df823db510f54b35e6fb388b103ba
Opcode Fuzzy Hash: 158f5abb3c332663e7c301b06d5bb8c30268bbd93655ee3c44423b77a0ea53c8
Instruction Fuzzy Hash: 61915B75A0020ADFDB18DF58C0916AABBF6FF59310F24856AD981AB351E731ED81CBD0

Function 00607B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 005A0242: EnterCriticalSection.KERNEL32(0065070C,00651884,?,?,0059198B,00652518,?,?,?,005812F9,00000000), ref: 005A024D
Part of subcall function 005A0242: LeaveCriticalSection.KERNEL32(0065070C,?,0059198B,00652518,?,?,?,005812F9,00000000), ref: 005A028A

Part of subcall function 00589CB3: _wcslen.LIBCMT ref: 00589CBD

Part of subcall function 005A00A3: __onexit.LIBCMT ref: 005A00A9

__Init_thread_footer.LIBCMT ref: 00607BFB

Part of subcall function 005A01F8: EnterCriticalSection.KERNEL32(0065070C,?,?,00598747,00652514), ref: 005A0202
Part of subcall function 005A01F8: LeaveCriticalSection.KERNEL32(0065070C,?,00598747,00652514), ref: 005A0235

Strings

Variable must be of type 'Object'., xrefs: 00607C3A
+T], xrefs: 00607E2E
5, xrefs: 00607C78
G, xrefs: 00607C7F

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +T]$5$G$Variable must be of type 'Object'.
API String ID: 535116098-1530314938
Opcode ID: 442c41ac6dfaf43876c5c98397d66a526f2e19028a624cc5c80ea592b691e061
Instruction ID: ddc66470a52c5c82d309a076ddafa590a000b745d571042c03c379fe6d51c348
Opcode Fuzzy Hash: 442c41ac6dfaf43876c5c98397d66a526f2e19028a624cc5c80ea592b691e061
Instruction Fuzzy Hash: 6D919B70A44209AFDB08EF54D8959EEBBB2FF85300F148059F806AB3D2DB31AE41CB50

Function 005EC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00587620: _wcslen.LIBCMT ref: 00587625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 005EC6EE
_wcslen.LIBCMT ref: 005EC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 005EC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 005EC7CA

Strings

0, xrefs: 005EC6AF

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 2a2fa2ba2ab192dd2c50eeddbcef42166acefcf22577681a5eaf36263b397b11
Instruction ID: 1aacab822cbe38b94e28fa20918c0c7b4a76aa210cabd3f9ce716ec6d5651b68
Opcode Fuzzy Hash: 2a2fa2ba2ab192dd2c50eeddbcef42166acefcf22577681a5eaf36263b397b11
Instruction Fuzzy Hash: 4151BF716043819BD7189F2AC889B6B7FE8FF8A314F040A2DF9D5E6190DB60DD068B52

Function 0060AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0060AEA3

Part of subcall function 00587620: _wcslen.LIBCMT ref: 00587625

GetProcessId.KERNEL32(00000000), ref: 0060AF38
CloseHandle.KERNEL32(00000000), ref: 0060AF67

Strings

<, xrefs: 0060AE6B
@, xrefs: 0060AE72

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 176dd871562c0f79783f8198d3d6d9e99ed65390775bf62547a1e59b071e759b
Instruction ID: 23cf328ce23afb4be2fdd5f5d1a7a8203e9ee6afa6907735e68d2cbb7b98f197
Opcode Fuzzy Hash: 176dd871562c0f79783f8198d3d6d9e99ed65390775bf62547a1e59b071e759b
Instruction Fuzzy Hash: 22718C71A0021ADFCB14EF94C488A9EBBF1FF48314F148499E856AB3A2D774ED41CB91

Function 005E719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 005E7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 005E723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 005E724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 005E72CF

Strings

DllGetClassObject, xrefs: 005E7242

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 92567a89a32eb5fae6a9418a248969a01f9d422dae5c5f59c3830d9ce62ddaa0
Instruction ID: 5b781c833236d7c21c79b8fa370ac93b58cac6378135799cbb074d1f6f656e28
Opcode Fuzzy Hash: 92567a89a32eb5fae6a9418a248969a01f9d422dae5c5f59c3830d9ce62ddaa0
Instruction Fuzzy Hash: 624194B5604249EFDB19CF55C884A9A7FAAFF48310F1484A9BE059F20AD7B0DD44DBA0

Function 00613D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00613E35
IsMenu.USER32(?), ref: 00613E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00613E92
DrawMenuBar.USER32 ref: 00613EA5

Strings

0, xrefs: 00613D89

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 785d34ab2b4f2889f1735bb2ab031165fb571dde8a53635afe3c7270510c264a
Instruction ID: fdf2b2f2e8aa6b4eb18b9416e330568b20bc38f682acda8808dcd8a9ac3b2e81
Opcode Fuzzy Hash: 785d34ab2b4f2889f1735bb2ab031165fb571dde8a53635afe3c7270510c264a
Instruction Fuzzy Hash: 50414D75A00319EFDB10DF50D884ADABBB6FF45350F08411AE90697360D730AE95CF50

Function 005E1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00589CB3: _wcslen.LIBCMT ref: 00589CBD

Part of subcall function 005E3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 005E3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 005E1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 005E1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 005E1EA9

Part of subcall function 00586B57: _wcslen.LIBCMT ref: 00586B6A

Strings

ComboBox, xrefs: 005E1DF0
ListBox, xrefs: 005E1E25

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: aa39a0dd269e93935fa1aec1e750d2d6d6ce6ff7362decbd16238289b58431ea
Instruction ID: 1d4bad761f676ed62306ced051be9819284cfabe583a7b3923494b8b7347b772
Opcode Fuzzy Hash: aa39a0dd269e93935fa1aec1e750d2d6d6ce6ff7362decbd16238289b58431ea
Instruction Fuzzy Hash: 77210471A00145AFDB18AB61CC4ACFFBFADFF81360B144119F865A72E1DB344D058720

Function 00612F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00612F8D
LoadLibraryW.KERNEL32(?), ref: 00612F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00612FA9
DestroyWindow.USER32(?), ref: 00612FB1

Strings

SysAnimate32, xrefs: 00612F68

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 6d11ff92b1f6c8ac7f1617a52d54bcccae219c23491f59e5cfd596dd5f707484
Instruction ID: c263c011f579e796da3e6cd113a62f2004ce2194d40f175c722c6abbdb0e02f5
Opcode Fuzzy Hash: 6d11ff92b1f6c8ac7f1617a52d54bcccae219c23491f59e5cfd596dd5f707484
Instruction Fuzzy Hash: A721CD7124020AAFEB108F64DCA4FFB37BEEB59764F188219F950D6290D771DCA29760

Function 006141EB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0061424F
SendMessageW.USER32(?,00000406,00000000,_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{), ref: 00614264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00614271

Strings

msctls_trackbar32, xrefs: 00614226
_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{, xrefs: 00614256

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: MessageSend
String ID: _______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{$msctls_trackbar32
API String ID: 3850602802-3430821868
Opcode ID: 54b46c93097417e5f1e14350a73dd810758ba37dfb2c3b21855331c3b08d3740
Instruction ID: 29212bbc2623ab74d1e6167d06ef07559fde1e8d0f6779815a0da22b9224da42
Opcode Fuzzy Hash: 54b46c93097417e5f1e14350a73dd810758ba37dfb2c3b21855331c3b08d3740
Instruction Fuzzy Hash: 0211E031240208BEEF209F28CC06FEB3BAEEF95B64F150124FA55E71A0D671DC919B20

Function 005A4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,005A4D1E,005B28E9,?,005A4CBE,005B28E9,006488B8,0000000C,005A4E15,005B28E9,00000002), ref: 005A4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 005A4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,005A4D1E,005B28E9,?,005A4CBE,005B28E9,006488B8,0000000C,005A4E15,005B28E9,00000002,00000000), ref: 005A4DC3

Strings

mscoree.dll, xrefs: 005A4D86
CorExitProcess, xrefs: 005A4D98

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 5e9e74f5fe4ef90c465d5dd88eb5152697be625f0fbab53f774a2edce04da884
Instruction ID: cf19c7132a811aca7d3fd628bca3a9fa74efa4e1ab78755e13a1f75867a87ac3
Opcode Fuzzy Hash: 5e9e74f5fe4ef90c465d5dd88eb5152697be625f0fbab53f774a2edce04da884
Instruction Fuzzy Hash: 54F04F35A80218BBDB119F94DC49BEDBFBAEF85761F0440A5F805A2260CB719940CE90

Function 00584E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00584EDD,?,00651418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00584E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00584EAE
FreeLibrary.KERNEL32(00000000,?,?,00584EDD,?,00651418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00584EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00584EA8
kernel32.dll, xrefs: 00584E94

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: ee672699c31be385faf558ac3f63507948022cd74e70613464d5799182acbb38
Instruction ID: b8bb6400ad7f412d6904903f59a6f6e97b420cbf3dd4e1ea0679f0def384a95e
Opcode Fuzzy Hash: ee672699c31be385faf558ac3f63507948022cd74e70613464d5799182acbb38
Instruction Fuzzy Hash: E3E0CD35A815336BD3312B256C19B9F6A5DBFC1F7270D4116FC00F2210DB60CD0545A1

Function 00584E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,005C3CDE,?,00651418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00584E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00584E74
FreeLibrary.KERNEL32(00000000,?,?,005C3CDE,?,00651418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00584E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00584E6E
kernel32.dll, xrefs: 00584E5B

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 2245f9beb25c84ca1d35476cff511405a5b9783a50840d6ac4f0ea65edb5f402
Instruction ID: 83c3aba89d0199e693a5d768377e8e37363b977fa21327ea5a15177f16aa3802
Opcode Fuzzy Hash: 2245f9beb25c84ca1d35476cff511405a5b9783a50840d6ac4f0ea65edb5f402
Instruction Fuzzy Hash: 4CD01235582632A7D7222B256C1ADCF6E1EBF85B7130A4516BD05F2114CF60CD018AD1

Function 005F2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 005F2C05
DeleteFileW.KERNEL32(?), ref: 005F2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 005F2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 005F2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 005F2CC0

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 691620bbc2501d380726500dd56e5e8bdf0015c7a67da3e24f5745efa9e056f9
Instruction ID: 03316afbfc9562149c57a1d120d77e5a9db2d110f14fd757a59f69ac109d6b5d
Opcode Fuzzy Hash: 691620bbc2501d380726500dd56e5e8bdf0015c7a67da3e24f5745efa9e056f9
Instruction Fuzzy Hash: 23B13FB190011EABDF11EBA4CC89EEE7F7DFF49350F1044A6FA09E6141EA359A448F61

Function 0060A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0060A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0060A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0060A468
CloseHandle.KERNEL32(?), ref: 0060A63D

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: aa9169ab4d65a71f77908f43689710bef49097bb68022df8a35e9e207c0e3a0a
Instruction ID: 9a5fb9cff017a5ce74b080cbd12f6b0245ebdf5b7ebeb559a270c2d29b4f86c9
Opcode Fuzzy Hash: aa9169ab4d65a71f77908f43689710bef49097bb68022df8a35e9e207c0e3a0a
Instruction Fuzzy Hash: 2BA1A1716443019FE724DF24D886B2ABBE6BF84714F14881DF95A9B3D2D770EC418B91

Function 005BBB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00623700), ref: 005BBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0065121C,000000FF,00000000,0000003F,00000000,?,?), ref: 005BBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00651270,000000FF,?,0000003F,00000000,?), ref: 005BBC36
_free.LIBCMT ref: 005BBB7F

Part of subcall function 005B29C8: HeapFree.KERNEL32(00000000,00000000,?,005BD7D1,00000000,00000000,00000000,00000000,?,005BD7F8,00000000,00000007,00000000,?,005BDBF5,00000000), ref: 005B29DE
Part of subcall function 005B29C8: GetLastError.KERNEL32(00000000,?,005BD7D1,00000000,00000000,00000000,00000000,?,005BD7F8,00000000,00000007,00000000,?,005BDBF5,00000000,00000000), ref: 005B29F0

_free.LIBCMT ref: 005BBD4B

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 181acf421a12be80ee1abdd7995c0dea6e28c958ea457d47803c50f26552d4e7
Instruction ID: 95f48dab7cbfa68103e10b9c78daaa78f152a5ec33f3a787c3dc4bdf5de720ae
Opcode Fuzzy Hash: 181acf421a12be80ee1abdd7995c0dea6e28c958ea457d47803c50f26552d4e7
Instruction Fuzzy Hash: E151C87190020AEFEB10DF65DC45AEEBFB9FB81320F10466AE454D7191EBF0AE408B50

Function 005EE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 005EDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,005ECF22,?), ref: 005EDDFD

Part of subcall function 005EDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,005ECF22,?), ref: 005EDE16

Part of subcall function 005EE199: GetFileAttributesW.KERNEL32(?,005ECF95), ref: 005EE19A

lstrcmpiW.KERNEL32(?,?), ref: 005EE473
MoveFileW.KERNEL32(?,?), ref: 005EE4AC
_wcslen.LIBCMT ref: 005EE5EB
_wcslen.LIBCMT ref: 005EE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 005EE650

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 2c9ed8db5fba199d1255d50ac459d6555031cd310def6053076a83ee3b7957d3
Instruction ID: b880a034188fc6ed9d1bf27fb06ff32a123a8c0c06bd63aac9194963ad396bb1
Opcode Fuzzy Hash: 2c9ed8db5fba199d1255d50ac459d6555031cd310def6053076a83ee3b7957d3
Instruction Fuzzy Hash: 285182B24083855BC728EB90D8869DF7BEDBFC5340F00491EF5C9D3191EE75A5888B66

Function 0060B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00589CB3: _wcslen.LIBCMT ref: 00589CBD

Part of subcall function 0060C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0060B6AE,?,?), ref: 0060C9B5
Part of subcall function 0060C998: _wcslen.LIBCMT ref: 0060C9F1
Part of subcall function 0060C998: _wcslen.LIBCMT ref: 0060CA68
Part of subcall function 0060C998: _wcslen.LIBCMT ref: 0060CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0060BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0060BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0060BB63
RegCloseKey.ADVAPI32(?,?), ref: 0060BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0060BBB3

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 5212f6a034cd808bb5a95084720ee41cb7f1276eb19ffa9535b958ec37135440
Instruction ID: 40eee6cb6aa34eb821e5f752772f41be410856bafe8cb8d9e1221c130b42b220
Opcode Fuzzy Hash: 5212f6a034cd808bb5a95084720ee41cb7f1276eb19ffa9535b958ec37135440
Instruction Fuzzy Hash: B961B031208241AFD318DF14C494E6BBBE6FF84308F14995DF4998B2A2DB31ED45CB92

Function 005E8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005E8BCD
VariantClear.OLEAUT32 ref: 005E8C3E
VariantClear.OLEAUT32 ref: 005E8C9D
VariantClear.OLEAUT32(?), ref: 005E8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 005E8D3B

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 878a4bfc2372ddeb8ad68dfc9a4ccaa1683569443359b66fdfab98c0109c1631
Instruction ID: ccf1de3e433d3159a4f960e118805802b3e2429193f26846c6992333430b46f0
Opcode Fuzzy Hash: 878a4bfc2372ddeb8ad68dfc9a4ccaa1683569443359b66fdfab98c0109c1631
Instruction Fuzzy Hash: 2A5198B5A00219EFCB14CF29C884AAABBF9FF89310B158559F949DB350E730E911CF90

Function 005F8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 005F8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 005F8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 005F8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 005F8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 005F8C5F

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: b5adf964c45e680ae5a4efac4e68c143fa2cdd47c7d0bd78dfe9b0f81815c5b6
Instruction ID: 4aff19aa5af4311e4aa321f4f779996de44d243c1858d6e1aaece624409f2a9f
Opcode Fuzzy Hash: b5adf964c45e680ae5a4efac4e68c143fa2cdd47c7d0bd78dfe9b0f81815c5b6
Instruction Fuzzy Hash: 39515B35A00219DFCB04EF64C885AADBBF5FF48314F088459E949AB362DB35ED41CBA0

Function 00608EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00608F40
GetProcAddress.KERNEL32(00000000,?), ref: 00608FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00608FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00609032
FreeLibrary.KERNEL32(00000000), ref: 00609052

Part of subcall function 0059F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,005F1043,?,7529E610), ref: 0059F6E6
Part of subcall function 0059F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,005DFA64,00000000,00000000,?,?,005F1043,?,7529E610,?,005DFA64), ref: 0059F70D

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 33ddee1fa223536dea63c34a05a3f8e86a9a27f887347bd198da60b66a301c92
Instruction ID: 779a7b89483dcb246a40b79569c243491dbf44cf6e9df1996b48bc27afaaf301
Opcode Fuzzy Hash: 33ddee1fa223536dea63c34a05a3f8e86a9a27f887347bd198da60b66a301c92
Instruction Fuzzy Hash: 99512D35644206DFC715EF64C4858EEBBB2FF89354F088099E846AB362DB31ED85CB90

Function 00616B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00616C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00616C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00616C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,005FAB79,00000000,00000000), ref: 00616C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00616CC7

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: df5c538a2ff2604ce3d8bcd4288c5b3d16f939753fef83a85af28027a9e65884
Instruction ID: f8b8bf17ec8b6d862695817faab74c3b9a9eacc7be3548962ffb04414b670af0
Opcode Fuzzy Hash: df5c538a2ff2604ce3d8bcd4288c5b3d16f939753fef83a85af28027a9e65884
Instruction Fuzzy Hash: 41419239604104AFD724CF28CC58FE97BA6EB09360F194269F995A73E0D371AD91CA90

Function 005B2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 005B20C3
_free.LIBCMT ref: 005B20E3

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: aecb030732eb3dbf0e472d58c2442e9bf7ad94d4c4af84da679b121b9ceffa3e
Instruction ID: b0ecafe299ee754b6606ff8c5aec606277a02de88ffd7e975e46177e9c59329c
Opcode Fuzzy Hash: aecb030732eb3dbf0e472d58c2442e9bf7ad94d4c4af84da679b121b9ceffa3e
Instruction Fuzzy Hash: CB41E232A00204AFCB20DF78C885A9DBBA5FF89714F158568E515EB352DB31BD01CBA0

Function 0059912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00599141
ScreenToClient.USER32(00000000,?), ref: 0059915E
GetAsyncKeyState.USER32(00000001), ref: 00599183
GetAsyncKeyState.USER32(00000002), ref: 0059919D

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 3d94615346dd995dac9e37964e80af46cb041d909e442e2d349ecc0c75efb438
Instruction ID: d1a8edfb4a76e2235211a8ef4bbe6e662fe83a8a09436d6a641c7cf24435c557
Opcode Fuzzy Hash: 3d94615346dd995dac9e37964e80af46cb041d909e442e2d349ecc0c75efb438
Instruction Fuzzy Hash: 1941603190851BFBDF159FA8C848BEEBB75FB49324F24831AE425A32D0D7305990DB91

Function 005F3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 005F38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 005F3922
TranslateMessage.USER32(?), ref: 005F394B
DispatchMessageW.USER32(?), ref: 005F3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005F3966

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 8e37c2a912c91e595a4fc847a48b8f708d0f3e9a241401019fbb08f0f88a94bf
Instruction ID: 0a170c02279bfccc086fbcfc073d4b5237e748635ba5243d55637acddb56e02d
Opcode Fuzzy Hash: 8e37c2a912c91e595a4fc847a48b8f708d0f3e9a241401019fbb08f0f88a94bf
Instruction Fuzzy Hash: 1731E57094434A9EFB35CF34D958BB63FA9BB06341F04056EE662C61A0E3FC9A84CB11

Function 005FCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,005FC21E,00000000), ref: 005FCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 005FCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,005FC21E,00000000), ref: 005FCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,005FC21E,00000000), ref: 005FCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,005FC21E,00000000), ref: 005FCFF2

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: a3e1802e14c2a3ebe0cf74fbf2f93aea0ff0103e6e1eef75fe069fef0a97b1b3
Instruction ID: 759885c7ab38cc53cbf9a9dab64de91dadcb7727d7761e5d6ca5b7f3fee91974
Opcode Fuzzy Hash: a3e1802e14c2a3ebe0cf74fbf2f93aea0ff0103e6e1eef75fe069fef0a97b1b3
Instruction Fuzzy Hash: CD313A7150420EAFDB20DFA5C984ABABFFAFB14354B14843EE616D2140DB34AE409B60

Function 005E1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 005E1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 005E19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 005E19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 005E19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 005E19E2

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 1ef9f83cc883683d049f0bb99f8b406f40f520bd8d89c1c1c2d4855b2132419e
Instruction ID: 0f9c6e7c21f67eaa03912a9e5d1375265ecc56ccecf372b94a84109e6a43c85e
Opcode Fuzzy Hash: 1ef9f83cc883683d049f0bb99f8b406f40f520bd8d89c1c1c2d4855b2132419e
Instruction Fuzzy Hash: 4931B171900259EFCB04CFA9CD99ADE3BB6FB44325F108225F961E72D1C7709944DB94

Function 00615706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00615745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0061579D
_wcslen.LIBCMT ref: 006157AF
_wcslen.LIBCMT ref: 006157BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00615816

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 5a3b9cd4c544c64358b0e63c96112e77266ef32ea00aa57e14ce22761d33fd72
Instruction ID: cf703279cab56d354910e127d95ae05dc601ae6673f70d705d20e7ade134c349
Opcode Fuzzy Hash: 5a3b9cd4c544c64358b0e63c96112e77266ef32ea00aa57e14ce22761d33fd72
Instruction Fuzzy Hash: CC218971904618DADB209F64CC85AEDB7B9FF85724F148616E926DA2C0D77089C5CF50

Function 00600930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00600951
GetForegroundWindow.USER32 ref: 00600968
GetDC.USER32(00000000), ref: 006009A4
GetPixel.GDI32(00000000,?,00000003), ref: 006009B0
ReleaseDC.USER32(00000000,00000003), ref: 006009E8

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 696788bea1efe3f1cd6616f83c4ce3aaf40f9ff388249c8ecec54bd7d9561cec
Instruction ID: 15128b4846177aa3062f53d66fd884ed617b5b8313e488ef0a0aa5b2e663e6d4
Opcode Fuzzy Hash: 696788bea1efe3f1cd6616f83c4ce3aaf40f9ff388249c8ecec54bd7d9561cec
Instruction Fuzzy Hash: 72218475640204AFE704EF65D949AAEBBE9FF84710F048069E94AA7352DB70AC04CB90

Function 005BCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 005BCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005BCDE9

Part of subcall function 005B3820: RtlAllocateHeap.NTDLL(00000000,?,00651444,?,0059FDF5,?,?,0058A976,00000010,00651440,005813FC,?,005813C6,?,00581129), ref: 005B3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 005BCE0F
_free.LIBCMT ref: 005BCE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 005BCE31

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: f0c0d8c1705287d05e56379c1a73403746a3b3bb75fac4a5f426f09213715b9f
Instruction ID: c770dbd277f8a34be6c03b9e4e47ccd1d214a3e4e788323ec5327598a0a302e8
Opcode Fuzzy Hash: f0c0d8c1705287d05e56379c1a73403746a3b3bb75fac4a5f426f09213715b9f
Instruction Fuzzy Hash: 4F01FC72601215BF632216766C4CCFF7D6DFEC6BA1315412AFD05DB100DA60DD0181B4

Function 00599639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00599693
SelectObject.GDI32(?,00000000), ref: 005996A2
BeginPath.GDI32(?), ref: 005996B9
SelectObject.GDI32(?,00000000), ref: 005996E2

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: a2205c76f39e39c3c4fc1cdac5925a06d05e6722287de01438ea2e17c0f2dad2
Instruction ID: 1c11e2f52a6d1c6538f3b993062514be7afe75c7e2421981459210a3fe8c8f8f
Opcode Fuzzy Hash: a2205c76f39e39c3c4fc1cdac5925a06d05e6722287de01438ea2e17c0f2dad2
Instruction Fuzzy Hash: F2214C70802309EBDF11DF68EC197ED3FAABB56366F14521BF411AA1A0D3709891CB94

Function 005E5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 005E5726
_memcmp.LIBVCRUNTIME ref: 005E5744
_memcmp.LIBVCRUNTIME ref: 005E5757
_memcmp.LIBVCRUNTIME ref: 005E576F
_memcmp.LIBVCRUNTIME ref: 005E5787

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: e6b2652b91c96d41e2dcfd13b36af4df3cfea483c54b0bb43df7186a782e0ba6
Instruction ID: 10b90a2e465aad3ce16ff75b171c86309ae637e01915ed8998674dacefa90373
Opcode Fuzzy Hash: e6b2652b91c96d41e2dcfd13b36af4df3cfea483c54b0bb43df7186a782e0ba6
Instruction Fuzzy Hash: 9E01F5A2241A0AFBD60C96129D82FFF7B5DFB613DCF040421FE059A241F760ED6082E4

Function 005B2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,005AF2DE,005B3863,00651444,?,0059FDF5,?,?,0058A976,00000010,00651440,005813FC,?,005813C6), ref: 005B2DFD
_free.LIBCMT ref: 005B2E32
_free.LIBCMT ref: 005B2E59
SetLastError.KERNEL32(00000000,00581129), ref: 005B2E66
SetLastError.KERNEL32(00000000,00581129), ref: 005B2E6F

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: d59d104bb640d44ab7a2a75f4fe7283ef56726b68cd7648e6644a710e0dadeb2
Instruction ID: 889afd400a38d4e1f99a97b83e3cc80592b3810f63b88a4fe0a3a8e1aae81b69
Opcode Fuzzy Hash: d59d104bb640d44ab7a2a75f4fe7283ef56726b68cd7648e6644a710e0dadeb2
Instruction Fuzzy Hash: 7601F43624560167C713673A6C49DFF2E6EBBD53B1F258829F825A2292EE24EC014030

Function 005E000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,005DFF41,80070057,?,?,?,005E035E), ref: 005E002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,005DFF41,80070057,?,?), ref: 005E0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,005DFF41,80070057,?,?), ref: 005E0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,005DFF41,80070057,?), ref: 005E0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,005DFF41,80070057,?,?), ref: 005E0070

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: b8286937635dd4db6a976d256e21057f6649b91bb44225114dd2db102ad82291
Instruction ID: 544d51d06445fffaf6805d263e3795f61ed43ae0b39cedd391300e8fb6bc1547
Opcode Fuzzy Hash: b8286937635dd4db6a976d256e21057f6649b91bb44225114dd2db102ad82291
Instruction Fuzzy Hash: BA01DF72600204BFDB109F6ADC48BAE7EAEFB44361F18A025F841D2250D7B0DD809BA0

Function 005EE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 005EE997
QueryPerformanceFrequency.KERNEL32(?), ref: 005EE9A5
Sleep.KERNEL32(00000000), ref: 005EE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 005EE9B7
Sleep.KERNEL32 ref: 005EE9F3

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 5f12249a3a2fc5858ffadb8c459f2b03563bf160b1d4280bf77d593d06fe4469
Instruction ID: 799b183c4b657d1ca6dd4f48fa778cc7a6d1c3b5de06c6e7c59e22f2f7bf3724
Opcode Fuzzy Hash: 5f12249a3a2fc5858ffadb8c459f2b03563bf160b1d4280bf77d593d06fe4469
Instruction Fuzzy Hash: 20015731C51629EBCF04ABE6D84AAEDBBB9BB09310F044546E542F2242CB309650CBA1

Function 005E10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 005E1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,005E0B9B,?,?,?), ref: 005E1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,005E0B9B,?,?,?), ref: 005E112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,005E0B9B,?,?,?), ref: 005E1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 005E114D

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 59d93266b52be2e62e3670c7b5a684ae1d63d42b3bda1162f684905ee7434682
Instruction ID: 55e08b6337bc73f726b849a1dce57cf9fdbbb250799c1e44589f03de3a5cc44a
Opcode Fuzzy Hash: 59d93266b52be2e62e3670c7b5a684ae1d63d42b3bda1162f684905ee7434682
Instruction Fuzzy Hash: 70016D79140705BFDB154F65DC49AAA3F6EFF85360B144415FA81C3350DA71DC00DA60

Function 005E0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 005E0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 005E0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 005E0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 005E0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 005E1002

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: f98a2b859f1ac1c632de08414ad5a9aab4e638e8ef2a9da4cd7b32594eb4da53
Instruction ID: d37a8042bebad6bd441b0207a209bb12cb19e469455aed7dc6c553e774958964
Opcode Fuzzy Hash: f98a2b859f1ac1c632de08414ad5a9aab4e638e8ef2a9da4cd7b32594eb4da53
Instruction Fuzzy Hash: 57F0AF39180741BBD7214FA5DC4DF9A3F6EFF89762F158415F945C6290DA31DC408A60

Function 005E1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 005E102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 005E1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 005E1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 005E104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 005E1062

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: d0614579ccc09c4e1edbb032c82ae9fba24517c8c7de96d0dc47ecb5048eaf5a
Instruction ID: 87b8395fc11c6b9b9c0d0001b0abe486b898adb3e2ae6043cd887206537eb336
Opcode Fuzzy Hash: d0614579ccc09c4e1edbb032c82ae9fba24517c8c7de96d0dc47ecb5048eaf5a
Instruction Fuzzy Hash: 74F0CD39280741FBDB215FA6EC4DF9A3FAEFF89761F154426FA45C7250CA31D8808A60

Function 005F030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,005F017D,?,005F32FC,?,00000001,005C2592,?), ref: 005F0324
CloseHandle.KERNEL32(?,?,?,?,005F017D,?,005F32FC,?,00000001,005C2592,?), ref: 005F0331
CloseHandle.KERNEL32(?,?,?,?,005F017D,?,005F32FC,?,00000001,005C2592,?), ref: 005F033E
CloseHandle.KERNEL32(?,?,?,?,005F017D,?,005F32FC,?,00000001,005C2592,?), ref: 005F034B
CloseHandle.KERNEL32(?,?,?,?,005F017D,?,005F32FC,?,00000001,005C2592,?), ref: 005F0358
CloseHandle.KERNEL32(?,?,?,?,005F017D,?,005F32FC,?,00000001,005C2592,?), ref: 005F0365

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 295604580c55f7d0ac86803ab912812443e5efa5512bdb14184813a85ce9fd3e
Instruction ID: df59b523a181f7b97fa4e2ff6f76ea3d8e6cf535080a567dfeeaee9080114130
Opcode Fuzzy Hash: 295604580c55f7d0ac86803ab912812443e5efa5512bdb14184813a85ce9fd3e
Instruction Fuzzy Hash: F101A272800B199FC7309F66D880826FBF5BF503153199E3FD296529B2C375A954CF80

Function 005BD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 005BD752

Part of subcall function 005B29C8: HeapFree.KERNEL32(00000000,00000000,?,005BD7D1,00000000,00000000,00000000,00000000,?,005BD7F8,00000000,00000007,00000000,?,005BDBF5,00000000), ref: 005B29DE
Part of subcall function 005B29C8: GetLastError.KERNEL32(00000000,?,005BD7D1,00000000,00000000,00000000,00000000,?,005BD7F8,00000000,00000007,00000000,?,005BDBF5,00000000,00000000), ref: 005B29F0

_free.LIBCMT ref: 005BD764
_free.LIBCMT ref: 005BD776
_free.LIBCMT ref: 005BD788
_free.LIBCMT ref: 005BD79A

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 13b32ca4313dd2806e4c26b5c03891813b0b911b0a3704061422b44a3e07f32f
Instruction ID: c4999b4d3f36843462e954dd218a7f5673f09ce711e2f1ea85f100ccaebf7d7b
Opcode Fuzzy Hash: 13b32ca4313dd2806e4c26b5c03891813b0b911b0a3704061422b44a3e07f32f
Instruction Fuzzy Hash: 0AF0C936545205BBC665EB64F9899D67FEAFB45720B941C05F04CD7601DA24F8808674

Function 005E5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 005E5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 005E5C6F
MessageBeep.USER32(00000000), ref: 005E5C87
KillTimer.USER32(?,0000040A), ref: 005E5CA3
EndDialog.USER32(?,00000001), ref: 005E5CBD

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 5c6a24e8e3508e260380f9053cd7ee8b561873f96d37b703ec3a00dbe34564a8
Instruction ID: ce82a9eef9d9bd2412ae91ae86879e8c4cb07c1f97718dec0f6d45bfc3d37759
Opcode Fuzzy Hash: 5c6a24e8e3508e260380f9053cd7ee8b561873f96d37b703ec3a00dbe34564a8
Instruction Fuzzy Hash: 4601F930540B04ABEB245B11DD5EFEA7BB9BF04B09F04155AB5C7A10E1EBF0AD84CB90

Function 005B22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 005B22BE

Part of subcall function 005B29C8: HeapFree.KERNEL32(00000000,00000000,?,005BD7D1,00000000,00000000,00000000,00000000,?,005BD7F8,00000000,00000007,00000000,?,005BDBF5,00000000), ref: 005B29DE
Part of subcall function 005B29C8: GetLastError.KERNEL32(00000000,?,005BD7D1,00000000,00000000,00000000,00000000,?,005BD7F8,00000000,00000007,00000000,?,005BDBF5,00000000,00000000), ref: 005B29F0

_free.LIBCMT ref: 005B22D0
_free.LIBCMT ref: 005B22E3
_free.LIBCMT ref: 005B22F4
_free.LIBCMT ref: 005B2305

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1a6e59b7db16926035ebca4bd03e137450fe7be1ed8d0d1b1e025d398855e464
Instruction ID: 765f60382ef953bca31528d5c0bb9329ae15bbf024dc02dd6676222593c0a6ea
Opcode Fuzzy Hash: 1a6e59b7db16926035ebca4bd03e137450fe7be1ed8d0d1b1e025d398855e464
Instruction Fuzzy Hash: A2F030744013129BD752EF64BC059983F67B719762F012A06F81CD7371C73066919BB5

Function 005995C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 005995D4
StrokeAndFillPath.GDI32(?,?,005D71F7,00000000,?,?,?), ref: 005995F0
SelectObject.GDI32(?,00000000), ref: 00599603
DeleteObject.GDI32 ref: 00599616
StrokePath.GDI32(?), ref: 00599631

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: e219ee5f79f4b528f6b2f83e8225e74b52f9b5b669984f42be9fe72b07fec6df
Instruction ID: 489dccb64123c6afdc812f913f6f57491f7f3cf36b1fe0936a64beb8ce5fb517
Opcode Fuzzy Hash: e219ee5f79f4b528f6b2f83e8225e74b52f9b5b669984f42be9fe72b07fec6df
Instruction Fuzzy Hash: BDF01930045308EBDB129F69ED187A93F62BB06333F08A219F465990F0C7318991DFA4

Function 005B0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 005B10F9
__freea.LIBCMT ref: 005B1117

Part of subcall function 005B1537: _free.LIBCMT ref: 005B154F

Strings

am/pm, xrefs: 005B117A
a/p, xrefs: 005B11DE

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: bcf4559dd89d158c652b58fc7a6b20e170b64e5e5e24cccf86a97162b560cbb0
Instruction ID: 37c8fc4b40fe4188aed05b12142b62a6a883c59f53a4c5cd1f8bb8f57e152f83
Opcode Fuzzy Hash: bcf4559dd89d158c652b58fc7a6b20e170b64e5e5e24cccf86a97162b560cbb0
Instruction Fuzzy Hash: 50D1F535900A06CBDBA49F68C869BFEBFB1FF45300FA40959E5029B650E375BD80CB59

Function 006061D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 005A0242: EnterCriticalSection.KERNEL32(0065070C,00651884,?,?,0059198B,00652518,?,?,?,005812F9,00000000), ref: 005A024D
Part of subcall function 005A0242: LeaveCriticalSection.KERNEL32(0065070C,?,0059198B,00652518,?,?,?,005812F9,00000000), ref: 005A028A

Part of subcall function 005A00A3: __onexit.LIBCMT ref: 005A00A9

__Init_thread_footer.LIBCMT ref: 00606238

Part of subcall function 005A01F8: EnterCriticalSection.KERNEL32(0065070C,?,?,00598747,00652514), ref: 005A0202
Part of subcall function 005A01F8: LeaveCriticalSection.KERNEL32(0065070C,?,00598747,00652514), ref: 005A0235

Part of subcall function 005F359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 005F35E4
Part of subcall function 005F359C: LoadStringW.USER32(00652390,?,00000FFF,?), ref: 005F360A

Strings

x#e, xrefs: 0060636F
x#e, xrefs: 00606353
x#e, xrefs: 0060633A

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#e$x#e$x#e
API String ID: 1072379062-426434576
Opcode ID: 81d54890b4b1cdf5b54838d4ab0c2744310d51f7eb7623a51f17d981e977b727
Instruction ID: 314903cdf56788e6c3422317b0e4a21fefddf9b0b2cc02b766bbc5b6106fc1d8
Opcode Fuzzy Hash: 81d54890b4b1cdf5b54838d4ab0c2744310d51f7eb7623a51f17d981e977b727
Instruction Fuzzy Hash: B2C18E71A40106AFDB18DF58C895EBEBBBAFF49300F148069F905AB291DB70ED55CB90

Function 005B5AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JOX, xrefs: 005B5BA8, 005B5C6C

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID:
String ID: JOX
API String ID: 0-2417842952
Opcode ID: 39b2d5d75964c783a7ba7eb486c411a2ce626535755f38a47118e31ce350cf69
Instruction ID: d6d11c897eca9850f2c44474656a23a482d67d99fda689edf392c8c1d6f7fb4f
Opcode Fuzzy Hash: 39b2d5d75964c783a7ba7eb486c411a2ce626535755f38a47118e31ce350cf69
Instruction Fuzzy Hash: FA519075D0060A9FDB29AFA4C849FEEBFB9FF45310F140459F405A7292E771AE018B61

Function 005B8A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 005B8B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 005B8B7A
__dosmaperr.LIBCMT ref: 005B8B81

Strings

.Z, xrefs: 005B8A63

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .Z
API String ID: 2434981716-572057124
Opcode ID: 93be402df1fb2c51bb022c3c1e27016671aa605bf9ab7ea5e6b2d90e82c5d472
Instruction ID: 5c14c94a044e1c9edec29e97460b569d58eeaf23cfca8792a7bf1da284f4b41a
Opcode Fuzzy Hash: 93be402df1fb2c51bb022c3c1e27016671aa605bf9ab7ea5e6b2d90e82c5d472
Instruction Fuzzy Hash: 31416B70604145AFDB249F24DC91AFD7FAAFB85314F28A599E84587242DE31EC02D750

Function 005E2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005EB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005E21D0,?,?,00000034,00000800,?,00000034), ref: 005EB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 005E2760

Part of subcall function 005EB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005E21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 005EB3F8

Part of subcall function 005EB32A: GetWindowThreadProcessId.USER32(?,?), ref: 005EB355
Part of subcall function 005EB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,005E2194,00000034,?,?,00001004,00000000,00000000), ref: 005EB365
Part of subcall function 005EB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,005E2194,00000034,?,?,00001004,00000000,00000000), ref: 005EB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005E27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005E281A

Strings

@, xrefs: 005E2832

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: a96e8d7ef954b34a0776a2bdc1c07f95d71b7ff4b2b7a447f73065c797803813
Instruction ID: c68494e4d9bc6e54f7e1b7eb1379702a274da687c97c5fd876ff12f9c3cee139
Opcode Fuzzy Hash: a96e8d7ef954b34a0776a2bdc1c07f95d71b7ff4b2b7a447f73065c797803813
Instruction Fuzzy Hash: 07414E72900219AFDB14DFA5CD46AEEBBB8FF49300F104059FA95B7181DB706E45CBA1

Function 005B172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 005B1769
_free.LIBCMT ref: 005B1834
_free.LIBCMT ref: 005B183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 005B1760, 005B1767, 005B1796, 005B17CE

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-517116171
Opcode ID: d1f0b54e93e1a528362f87a377e6bb6153e93e9f0e96d8e36d2d837bfd71e350
Instruction ID: 3087a3f1d405bda47c17a4cf8b06b9fd80e8e0f9483a2446267653565bdabb24
Opcode Fuzzy Hash: d1f0b54e93e1a528362f87a377e6bb6153e93e9f0e96d8e36d2d837bfd71e350
Instruction Fuzzy Hash: 1A31AE71A00609ABDB61DF999C85DEEBFFDFB85310F504166F804DB211DA70AE80CBA4

Function 005EC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 005EC306
DeleteMenu.USER32(?,00000007,00000000), ref: 005EC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00651990,015656F8), ref: 005EC395

Strings

0, xrefs: 005EC2DF

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 995c9453c02c33026440996aab638056b518bfc5921d57d1d6d24e001eaf0d3f
Instruction ID: 136d7a53cf1b80d918891fe73cf089572584a3cdaa6f5e6092a1471f801afbe1
Opcode Fuzzy Hash: 995c9453c02c33026440996aab638056b518bfc5921d57d1d6d24e001eaf0d3f
Instruction Fuzzy Hash: DB4181312043829FD728DF26D845F5ABFE4BB89320F148A5EF9A5972D1D730E905CB62

Function 00614416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0061CC08,00000000,?,?,?,?), ref: 006144AA
GetWindowLongW.USER32 ref: 006144C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 006144D7

Strings

SysTreeView32, xrefs: 0061447C

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 4104da12d028ff3002f8889672e28e79c907f642dc299afdce5a26b3425316b5
Instruction ID: 34c5601596c2da8b12c8330cf5f5dc132e73338fc8de96e9c467a77f13a671fa
Opcode Fuzzy Hash: 4104da12d028ff3002f8889672e28e79c907f642dc299afdce5a26b3425316b5
Instruction Fuzzy Hash: B8317E71210605AFDB209E38DC45BEA7BAAEB48334F284715F975D32D0DB70AC919750

Function 005E6E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 005E6EED
VariantCopyInd.OLEAUT32(?,?), ref: 005E6F08
VariantClear.OLEAUT32(?), ref: 005E6F12

Strings

*j^, xrefs: 005E6E8B, 005E6E90, 005E6EF8

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *j^
API String ID: 2173805711-3646612986
Opcode ID: c101e4549d0db77fb922999c5db8b4b2d992c35e66ed9792da0a1d28ff8bb3cd
Instruction ID: eeba85318ef57b711e4d9edef917438bcd2b7d47f2c1ef906e73679ba01322dc
Opcode Fuzzy Hash: c101e4549d0db77fb922999c5db8b4b2d992c35e66ed9792da0a1d28ff8bb3cd
Instruction Fuzzy Hash: 5131E471604286DFDB08BF65E8548BD3FB6FFA5380B100899F8625B2A1DB309951DBE0

Function 0060304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0060335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00603077,?,?), ref: 00603378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0060307A
_wcslen.LIBCMT ref: 0060309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00603106

Strings

255.255.255.255, xrefs: 00603095, 0060309A

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 10c17623e7e4f7bc02ce7ee8185214da7a72460c235da532563deec0976fd246
Instruction ID: d15939bed93c34397f6317546dc680c5bfcde1f11262f2478e4c33aef2c180ca
Opcode Fuzzy Hash: 10c17623e7e4f7bc02ce7ee8185214da7a72460c235da532563deec0976fd246
Instruction Fuzzy Hash: 6531F5352002119FC718CF28C585EAB7BEAEF55319F248099E8168B3D2D732DE41C760

Function 00613EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00613F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00613F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00613F78

Strings

SysMonthCal32, xrefs: 00613F0B

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 3ca1a174e2f483d78073ef9562e3fb1943845d381c2c77a529c841d47c52a602
Instruction ID: 27761c8d1de80b9d3aa2e73ae8e61353a0677926ca1f6a59416b01a5952e4b54
Opcode Fuzzy Hash: 3ca1a174e2f483d78073ef9562e3fb1943845d381c2c77a529c841d47c52a602
Instruction Fuzzy Hash: 4121BF32600229BFDF218F50CC46FEA3B76EB48724F150214FA157B2D0D6B1A991CB90

Function 00614653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00614705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00614713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0061471A

Strings

msctls_updown32, xrefs: 00614684

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 3c038e1ba1e1f961d851a0d52d08f4d8b92c38966c79153359548abe1fcb008c
Instruction ID: 8a57a9c3cba967d190b7eb2a2c3d1f5bbbc5309f40f0ce8b1dfc38c63f7ecdf7
Opcode Fuzzy Hash: 3c038e1ba1e1f961d851a0d52d08f4d8b92c38966c79153359548abe1fcb008c
Instruction Fuzzy Hash: 1D215EB5600209AFDB10DF64DC95DEB37AEEB8A7A4B080059FA009B391CB70EC51CA60

Function 005E95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 005E961D

Strings

#notrayicon, xrefs: 005E95B7
#OnAutoItStartRegister, xrefs: 005E95F3
#requireadmin, xrefs: 005E95D9

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 3607e1b64dffc95bcf9ce77e62f3f5bde89c7668a6c552b55f0e924f274572f4
Instruction ID: 40cd049797eee570b28d106490005003b3d1b0b7a7f59e0329b22be26d3996bd
Opcode Fuzzy Hash: 3607e1b64dffc95bcf9ce77e62f3f5bde89c7668a6c552b55f0e924f274572f4
Instruction Fuzzy Hash: 19213872204692A6C735AB269C06FBB7BACBFD5300F144827F9C997041EB919D81C3D5

Function 006137B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00613840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00613850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00613876

Strings

Listbox, xrefs: 0061380F

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 85b573490bf56663013bb8b831bc828608d7cd48393cdb5eddfd27a545fb805f
Instruction ID: 8c86e11f794f8fba024b812406c2685f1510d36fbbe4f7194231b3390c01ec2c
Opcode Fuzzy Hash: 85b573490bf56663013bb8b831bc828608d7cd48393cdb5eddfd27a545fb805f
Instruction Fuzzy Hash: 3921AF72610228BBEF218F64CC45EEB376BEF89760F148124F9019B290C6719C9287A0

Function 005F49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005F4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 005F4A5C
SetErrorMode.KERNEL32(00000000,?,?,0061CC08), ref: 005F4AD0

Strings

%lu, xrefs: 005F4A6F

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: e9110343f81823d7bb376571634a3884dc1a32fe2fe74a0655555126be61508d
Instruction ID: 4cf54581ed94552cadfbee640ee6a3cd6d0c8db3d1d6266a7b0662dc7e734988
Opcode Fuzzy Hash: e9110343f81823d7bb376571634a3884dc1a32fe2fe74a0655555126be61508d
Instruction Fuzzy Hash: 38317F70A40109AFDB10EF54C885EAE7BF9FF48304F188099E905EB252D775ED45CB61

Function 005E2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00586B57: _wcslen.LIBCMT ref: 00586B6A

Part of subcall function 005E2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 005E2DC5
Part of subcall function 005E2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 005E2DD6
Part of subcall function 005E2DA7: GetCurrentThreadId.KERNEL32 ref: 005E2DDD
Part of subcall function 005E2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 005E2DE4

GetFocus.USER32 ref: 005E2F78

Part of subcall function 005E2DEE: GetParent.USER32(00000000), ref: 005E2DF9

GetClassNameW.USER32(?,?,00000100), ref: 005E2FC3
EnumChildWindows.USER32(?,005E303B), ref: 005E2FEB

Strings

%s%d, xrefs: 005E2FFF

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 2688ece5cba0769619ee2eeee1436503f860d9829352f3fd3d9c83b0bbd6f124
Instruction ID: ba59a6e9f5834578a0233e0c7bea314d00025499e9ec9592ae492f3f90e43047
Opcode Fuzzy Hash: 2688ece5cba0769619ee2eeee1436503f860d9829352f3fd3d9c83b0bbd6f124
Instruction Fuzzy Hash: 2C11B7756002466BCF187F718C8DEED3B6ABFD4314F049075FE499B152DE3059459B60

Function 00615882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 006158C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 006158EE
DrawMenuBar.USER32(?), ref: 006158FD

Strings

0, xrefs: 0061588F

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 61fe2cfab18445e0c365eeaa75916bfbcb63c4c8a29a24056adc83cdd2904d7b
Instruction ID: f64261224476aae8726d771ab6f4acaa40b6a5cbd52af9c1bcfe349feb65840e
Opcode Fuzzy Hash: 61fe2cfab18445e0c365eeaa75916bfbcb63c4c8a29a24056adc83cdd2904d7b
Instruction Fuzzy Hash: C8018431500258EFDB519F11DC44BEEBBBAFF85360F18849AE849D6251DB308AD4DF21

Function 005DD3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 005DD3BF
FreeLibrary.KERNEL32 ref: 005DD3E5

Strings

GetSystemWow64DirectoryW, xrefs: 005DD3B9
X64, xrefs: 005DD2A8

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 1e7f61ed0fc89091786e16d3c166403aa9265f8b6fbf16ae1b7467d474df883a
Instruction ID: e6a1109d5331c5a736adcc8edb5bc62609d5ddb42c08b8e63e01d99a1789827e
Opcode Fuzzy Hash: 1e7f61ed0fc89091786e16d3c166403aa9265f8b6fbf16ae1b7467d474df883a
Instruction Fuzzy Hash: 83F055258C2621EBC7714A188C28EAD3F32BF01701BAD9817E802E5304D720CC8482B2

Function 005E007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b64deac0194f6197ea719cb482e14e717161823f34459efd9576b167028b00f2
Instruction ID: 15620ed257ce41d668924a4740713ef4027e4a4029efa946ecd9e91fa9474518
Opcode Fuzzy Hash: b64deac0194f6197ea719cb482e14e717161823f34459efd9576b167028b00f2
Instruction Fuzzy Hash: 9FC18D75A00246EFCB18CFA5C894EAEBBB5FF48314F209598E545EB291C771DD81CB90

Function 0060342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00603459
CoUninitialize.OLE32 ref: 00603463
VariantInit.OLEAUT32(?), ref: 0060346E
VariantClear.OLEAUT32(?), ref: 0060371B

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 92dc468198815cf62b76ffc306a684dc03185225b04e2a72e7b537ff4cac08b6
Instruction ID: 7335da8b68ea3933f409422cea0910ed23ffdbafab7147d47be04a8a625b8d6e
Opcode Fuzzy Hash: 92dc468198815cf62b76ffc306a684dc03185225b04e2a72e7b537ff4cac08b6
Instruction Fuzzy Hash: 71A16D752043119FC704EF28C489A6ABBE9FF8C715F148859F989AB3A2DB31ED01CB51

Function 005E0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0061FC08,?), ref: 005E05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0061FC08,?), ref: 005E0608
CLSIDFromProgID.OLE32(?,?,00000000,0061CC40,000000FF,?,00000000,00000800,00000000,?,0061FC08,?), ref: 005E062D
_memcmp.LIBVCRUNTIME ref: 005E064E

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: ee8c2d63b34ade15343acf86e46b931da9a2778521ec0aa8b0ab07bef8e66ab1
Instruction ID: 8b3768ba8599fc3515bd63aa929e9cb08425ba6c1a9755ec814fe3d6ba4e018b
Opcode Fuzzy Hash: ee8c2d63b34ade15343acf86e46b931da9a2778521ec0aa8b0ab07bef8e66ab1
Instruction Fuzzy Hash: 38813C71A00109EFCB04DF94C984EEEBBB9FF89315F204559E546AB290DB71AE46CF60

Function 0060A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0060A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0060A6BA

Part of subcall function 00589CB3: _wcslen.LIBCMT ref: 00589CBD

Process32NextW.KERNEL32(00000000,?), ref: 0060A79C
CloseHandle.KERNEL32(00000000), ref: 0060A7AB

Part of subcall function 0059CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,005C3303,?), ref: 0059CE8A

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: d6c9ed0f30544217adbe91164b9bb3a0d8c0fb1c176013e27736b002737306a2
Instruction ID: 8c0b3bfa15406804a5fb84f1593fe1924ff4c6e053659d1901529f20e85bfe7e
Opcode Fuzzy Hash: d6c9ed0f30544217adbe91164b9bb3a0d8c0fb1c176013e27736b002737306a2
Instruction Fuzzy Hash: 8C516E71548301AFD714EF24C88AA6BBBE9FFC9754F00891DF985A7291EB30D904CB92

Function 005C1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 005C14C0

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 6d45d531a773723221f0c281dd39afd5182e48342ba7c429a4208281f2f6177e
Instruction ID: e1306178289038d84b880ff01a53b90e70648f026776a19bee9abbf05c57a545
Opcode Fuzzy Hash: 6d45d531a773723221f0c281dd39afd5182e48342ba7c429a4208281f2f6177e
Instruction Fuzzy Hash: 5B412735900902AEDF296AF88C89FAE3EA5FF83370F244629F419D6293F63448415775

Function 00616278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 006162E2
ScreenToClient.USER32(?,?), ref: 00616315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00616382

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 664c8a50f28365d42ff403788347b72001b8f27606cf719c5c8575d13b243dd8
Instruction ID: 006f47a2f9a5aaf18b66bf4e2fab7c2f5cff4be84413cefa900a15807c8074e8
Opcode Fuzzy Hash: 664c8a50f28365d42ff403788347b72001b8f27606cf719c5c8575d13b243dd8
Instruction Fuzzy Hash: CC51FA78A00209EFDB10DF64D881AEE7BB6EF55360F149159F9259B2A0D770AD81CB90

Function 00601AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00601AFD
WSAGetLastError.WSOCK32 ref: 00601B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00601B8A
WSAGetLastError.WSOCK32 ref: 00601B94

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 864c0e0ec45298c187b12967e7b4e39af71b269c02e7f7ee69a3093a5b11fb7c
Instruction ID: a460442eacc9e39d223a4de82b5717bbe0966eeb000483625bc563c7486e4b81
Opcode Fuzzy Hash: 864c0e0ec45298c187b12967e7b4e39af71b269c02e7f7ee69a3093a5b11fb7c
Instruction Fuzzy Hash: 8B41C734640201AFEB24AF24C88AF6A7BE5AF85718F54C448FA1A9F7D2D771DD41CB90

Function 005BB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2202cf70d63fc7e92302dbb4ea97ee48eaa16320579c6b4e4dddcab1af17edf
Instruction ID: a2b88a7429f0376ba92ebcb67e43934a3e434c35b65ce7f573918eb700bc9397
Opcode Fuzzy Hash: c2202cf70d63fc7e92302dbb4ea97ee48eaa16320579c6b4e4dddcab1af17edf
Instruction Fuzzy Hash: 2241F875A00705AFE7249F78CC45BAA7FAAFBC5710F10452EF145DB282D7F1A9018790

Function 005F56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 005F5783
GetLastError.KERNEL32(?,00000000), ref: 005F57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 005F57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 005F57FA

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 6f0e10a0d48f33a221c1f4395fb74c9739188c8cdeef58ca5fbd2ba87d9ac06f
Instruction ID: f9d2f6b2cd85786ea5b985abf2601d155b540104157ad9fe46250f7bef2bd562
Opcode Fuzzy Hash: 6f0e10a0d48f33a221c1f4395fb74c9739188c8cdeef58ca5fbd2ba87d9ac06f
Instruction Fuzzy Hash: 2B410739600615DFCB11EF15C448A5EBFE2BF89720B188488ED5AAB362DB34FD40CB91

Function 005BD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,005A6D71,00000000,00000000,005A82D9,?,005A82D9,?,00000001,005A6D71,?,00000001,005A82D9,005A82D9), ref: 005BD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 005BD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 005BD9AB
__freea.LIBCMT ref: 005BD9B4

Part of subcall function 005B3820: RtlAllocateHeap.NTDLL(00000000,?,00651444,?,0059FDF5,?,?,0058A976,00000010,00651440,005813FC,?,005813C6,?,00581129), ref: 005B3852

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 0a4f2eab0eb77fe70b3fcbfab96cddcb6c8313b67c93cdfbb9f452b3870ee3cc
Instruction ID: 949fcb46113447cc067eaee2d2c5e0ca0cd1c6121e137e0020054ea850dda301
Opcode Fuzzy Hash: 0a4f2eab0eb77fe70b3fcbfab96cddcb6c8313b67c93cdfbb9f452b3870ee3cc
Instruction Fuzzy Hash: 2C319A72A0020AABDB249F64DC45EEE7FB5FB81750F094169FC0496290EB35ED50CBA0

Function 006152C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00615352
GetWindowLongW.USER32(?,000000F0), ref: 00615375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00615382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 006153A8

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: f1334a510dc0e90495f12c9d7ce7e618b79f198bc39dbfc1554d0aad83c2661b
Instruction ID: e106b9c78bcab8152b5a5108f7d359438bfbca9fd7ecf74356d8b2aad9447905
Opcode Fuzzy Hash: f1334a510dc0e90495f12c9d7ce7e618b79f198bc39dbfc1554d0aad83c2661b
Instruction Fuzzy Hash: 8831C634A55A08EFEF349F14CC15BE8B767AB85390F5C5102FA22972E1E7B49DC0A781

Function 005EAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 005EABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 005EAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 005EAC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 005EACC6

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: b73ae6c7ad8746a221e8d11696f77fe4729373394ada594c058c833af57cd280
Instruction ID: c31a574c5f9fc961be775b501637899ac96fda14e7d8d62d6fb3427336d3a089
Opcode Fuzzy Hash: b73ae6c7ad8746a221e8d11696f77fe4729373394ada594c058c833af57cd280
Instruction Fuzzy Hash: 8B311A30940398AFFF398B7688047FE7F657B85310F28461AF4C9521D0C374AD858752

Function 00617674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0061769A
GetWindowRect.USER32(?,?), ref: 00617710
PtInRect.USER32(?,?,00618B89), ref: 00617720
MessageBeep.USER32(00000000), ref: 0061778C

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 1e2fca010f93fffcebb647e8ba04a2ef069dee225d1f788b6ddbb87f7a52afe9
Instruction ID: 3f33346f7197df754f9d30258b45f5a37b74cd7c335005c2adf6fdf3e051c81c
Opcode Fuzzy Hash: 1e2fca010f93fffcebb647e8ba04a2ef069dee225d1f788b6ddbb87f7a52afe9
Instruction Fuzzy Hash: 33415874A092149FCB11CF58D894EE9BBF7BB49315F1D81A9E8149B3A1C731A982CB90

Function 006116DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 006116EB

Part of subcall function 005E3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 005E3A57
Part of subcall function 005E3A3D: GetCurrentThreadId.KERNEL32 ref: 005E3A5E
Part of subcall function 005E3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005E25B3), ref: 005E3A65

GetCaretPos.USER32(?), ref: 006116FF
ClientToScreen.USER32(00000000,?), ref: 0061174C
GetForegroundWindow.USER32 ref: 00611752

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: ed2f0e67687cac51046eaa71fc4e3fc9f09039f0628711008c12b77547ccde0b
Instruction ID: bd6d52c1f00c00e5f228701749d47bfa5fcb981c10e1ca944ce30dcdb1ce228d
Opcode Fuzzy Hash: ed2f0e67687cac51046eaa71fc4e3fc9f09039f0628711008c12b77547ccde0b
Instruction Fuzzy Hash: BB315D71E00149AFDB04EFA9C885CEEBBF9FF88304B5480AAE515E7351D6319E45CBA0

Function 00618FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00599BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00599BB2

GetCursorPos.USER32(?), ref: 00619001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,005D7711,?,?,?,?,?), ref: 00619016
GetCursorPos.USER32(?), ref: 0061905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,005D7711,?,?,?), ref: 00619094

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 4461053b5383b3694e2c2f42a56e6c1286afb8af89096c07c72f3b9b8f557fc2
Instruction ID: 188dd7eede6572ec7a0c400de58a1f507123e850eb1027d6e10e59d66f634e30
Opcode Fuzzy Hash: 4461053b5383b3694e2c2f42a56e6c1286afb8af89096c07c72f3b9b8f557fc2
Instruction Fuzzy Hash: 2E217435600114EFDB15CF54CC68EEA7BBBEB4A361F184059F5054B261C7319D90EB60

Function 005ED2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0061CB68), ref: 005ED2FB
GetLastError.KERNEL32 ref: 005ED30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 005ED319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0061CB68), ref: 005ED376

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: b5ced766602435b6a9099dcc773de59947a16b10456fc9b0abc306e72f58a5c4
Instruction ID: 44a10eeabecbdad8835f2ce6a46ae080bdef6fe34c35886b23ee89506bc08f87
Opcode Fuzzy Hash: b5ced766602435b6a9099dcc773de59947a16b10456fc9b0abc306e72f58a5c4
Instruction Fuzzy Hash: CF217E745082429FC314EF25C8854AEBBF4BE99324F144E1AF899D72A1D7309A45CBA3

Function 005E1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005E1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 005E102A
Part of subcall function 005E1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 005E1036
Part of subcall function 005E1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 005E1045
Part of subcall function 005E1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 005E104C
Part of subcall function 005E1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 005E1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 005E15BE
_memcmp.LIBVCRUNTIME ref: 005E15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 005E1617
HeapFree.KERNEL32(00000000), ref: 005E161E

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 62a7181844c2a10e4e5177df317ddf3a27b7d92b74d140d34ad0153aa9d695a4
Instruction ID: 151d434939ce63e2c97aad6f69b3430b49282f18ac0b3e66e285f5169c2ff288
Opcode Fuzzy Hash: 62a7181844c2a10e4e5177df317ddf3a27b7d92b74d140d34ad0153aa9d695a4
Instruction Fuzzy Hash: A121B031E40609EFDF04DFA5C949BEEBBB9FF44354F088459E485AB241D730AA04CB94

Function 00612782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0061280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00612824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00612832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00612840

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 36f34f674864d5360c97f180ba00a30cb99ca36b5c959864a644399bc90855a8
Instruction ID: 1cb7d1095b753ea64553c6888ff4f4bcf7738032170d6a2b26a26941357c4f90
Opcode Fuzzy Hash: 36f34f674864d5360c97f180ba00a30cb99ca36b5c959864a644399bc90855a8
Instruction Fuzzy Hash: E521A131204512AFD7149B24C855FEA7B9BAF85328F188159F826CB6E2C771FC92C7D0

Function 005E78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 005E8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,005E790A,?,000000FF,?,005E8754,00000000,?,0000001C,?,?), ref: 005E8D8C
Part of subcall function 005E8D7D: lstrcpyW.KERNEL32(00000000,?,?,005E790A,?,000000FF,?,005E8754,00000000,?,0000001C,?,?,00000000), ref: 005E8DB2
Part of subcall function 005E8D7D: lstrcmpiW.KERNEL32(00000000,?,005E790A,?,000000FF,?,005E8754,00000000,?,0000001C,?,?), ref: 005E8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,005E8754,00000000,?,0000001C,?,?,00000000), ref: 005E7923
lstrcpyW.KERNEL32(00000000,?,?,005E8754,00000000,?,0000001C,?,?,00000000), ref: 005E7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,005E8754,00000000,?,0000001C,?,?,00000000), ref: 005E7984

Strings

cdecl, xrefs: 005E797B

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 28ef5eb99f280cf2c2964a909ed4cba0494e626b59c2883596cbf0a66844d1f5
Instruction ID: a1e5abd3a2a8273cfafdfc7b4d80fa33d9d22d735e7c23f9d5bda17cf377f988
Opcode Fuzzy Hash: 28ef5eb99f280cf2c2964a909ed4cba0494e626b59c2883596cbf0a66844d1f5
Instruction Fuzzy Hash: A411E93A200786ABCB195F35DC45E7A7BA9FF89350B50802AF986C7365EB319811C791

Function 00617CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00617D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00617D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00617D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,005FB7AD,00000000), ref: 00617D6B

Part of subcall function 00599BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00599BB2

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: d222301d6825b917013eea367d813c9a494b2b2f56739fb9c857466502544d17
Instruction ID: 7f0fb70dfd3c19db1e17da102d7626a2d39767f53c4eae5cdb4cab7e0c795497
Opcode Fuzzy Hash: d222301d6825b917013eea367d813c9a494b2b2f56739fb9c857466502544d17
Instruction Fuzzy Hash: C7119031605619AFCB109F28DC04AEA3BA7AF46375F198725F835CB2F0D73099A1CB90

Function 00615660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 006156BB
_wcslen.LIBCMT ref: 006156CD
_wcslen.LIBCMT ref: 006156D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00615816

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 8e29507358fb18d3afe586d267a60e95a9d30660cce1806faaa28d27b5a92a9c
Instruction ID: 4a930c09b15fd45f7e65cdbc2d5ea153e403cf4b8155ce941b9404bb19a0a85b
Opcode Fuzzy Hash: 8e29507358fb18d3afe586d267a60e95a9d30660cce1806faaa28d27b5a92a9c
Instruction Fuzzy Hash: 9511E131600608DADF209FA1CC85AEEB7BDAF91364F184426F916D6181E7708AC0CBA0

Function 005B1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11e5e3e73ff7fe89a04c8d1470463f202043d66015b34f8799aa1834df10a5d8
Instruction ID: b8e8f7a31b1b4137765065cba8591bc2e46a156863f085c9155b7b39916cf091
Opcode Fuzzy Hash: 11e5e3e73ff7fe89a04c8d1470463f202043d66015b34f8799aa1834df10a5d8
Instruction Fuzzy Hash: 9E01DFB2205A067EF76116786CD1FA72E1DFF813B8F741725F520511D2DB20AC0041B4

Function 005E1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 005E1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 005E1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 005E1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 005E1A8A

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 29cc18b08b3516137bc07e0484dbd9c75b964dfb2c52aeae7fa6b0570ea51f94
Instruction ID: b838f37ed914b4479f6ab68ac24e3c0b94c477f842f5c3ce4109e231972f8c11
Opcode Fuzzy Hash: 29cc18b08b3516137bc07e0484dbd9c75b964dfb2c52aeae7fa6b0570ea51f94
Instruction Fuzzy Hash: C1113C3AD01219FFEB10DBA5CD85FADBB78FB04750F2000A1E601B7290D6716E50DB94

Function 005EE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 005EE1FD
MessageBoxW.USER32(?,?,?,?), ref: 005EE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 005EE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 005EE24D

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 7a2672b6b6542dce7225682cd6670c61a3bda6535d606b30dd4646a55e0e48df
Instruction ID: bf64ffadc2c10fc2798c7a9c60d4c7bb37ffcbb3035f4aca7ad927ea40aa727c
Opcode Fuzzy Hash: 7a2672b6b6542dce7225682cd6670c61a3bda6535d606b30dd4646a55e0e48df
Instruction Fuzzy Hash: ED112B7AD04394BBC705DFA89C1ABDE7FAEAB46321F048216F924D3290D6B0CD0487A0

Function 005AD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,005ACFF9,00000000,00000004,00000000), ref: 005AD218
GetLastError.KERNEL32 ref: 005AD224
__dosmaperr.LIBCMT ref: 005AD22B
ResumeThread.KERNEL32(00000000), ref: 005AD249

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: a5c358d3c1ed4bb085028fc2e21a9ac76b2c8c950985589141cd22536ac8ff7d
Instruction ID: 94b86c2041c721b159a1692295751d21dd070ff7b2a0f9ba47d134bb537af9ee
Opcode Fuzzy Hash: a5c358d3c1ed4bb085028fc2e21a9ac76b2c8c950985589141cd22536ac8ff7d
Instruction Fuzzy Hash: A201C07A845205BBCB217BA5DC09BAE7E79FFC3330F104229F926925D0DB708901C6B0

Function 00619EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00599BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00599BB2

GetClientRect.USER32(?,?), ref: 00619F31
GetCursorPos.USER32(?), ref: 00619F3B
ScreenToClient.USER32(?,?), ref: 00619F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00619F7A

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 15ff7550e3d62258af570620f4d7b3aa5b49482bd60c0682c934298579768dbf
Instruction ID: 779128c581c30d0d71796191f1fbb649ed431882e146d8f43c195688f9381273
Opcode Fuzzy Hash: 15ff7550e3d62258af570620f4d7b3aa5b49482bd60c0682c934298579768dbf
Instruction Fuzzy Hash: 8D11363290021ABFDB10DF68C8599EE77BAFB45311F084455F901E7140D330BA92CBB5

Function 0058600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0058604C
GetStockObject.GDI32(00000011), ref: 00586060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0058606A

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: d98b6f8203474c7a6d0e9eb1a8f0a938122f263840202287f5f201ea1cfd67e4
Instruction ID: 4c3f8bf1a9b51580ea73ed12dd2d0c10bb85f1c43b10f5f0cf0965c5335d930c
Opcode Fuzzy Hash: d98b6f8203474c7a6d0e9eb1a8f0a938122f263840202287f5f201ea1cfd67e4
Instruction Fuzzy Hash: 7211AD72101508FFEF129FA48C58EEABF6AFF083A4F045206FE0462110C7329C60DBA1

Function 005A3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 005A3B56

Part of subcall function 005A3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 005A3AD2
Part of subcall function 005A3AA3: ___AdjustPointer.LIBCMT ref: 005A3AED

_UnwindNestedFrames.LIBCMT ref: 005A3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 005A3B7C
CallCatchBlock.LIBVCRUNTIME ref: 005A3BA4

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 8eafd17f77e247d3729621d4c0c85d79ade99dcc9fb5c1332d991a4fdae9d3b4
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 8B01293210014ABBDF125E95DC4AEEF7F6AFF8A758F044014FE4856121C772E961DBA0

Function 005B3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,005813C6,00000000,00000000,?,005B301A,005813C6,00000000,00000000,00000000,?,005B328B,00000006,FlsSetValue), ref: 005B30A5
GetLastError.KERNEL32(?,005B301A,005813C6,00000000,00000000,00000000,?,005B328B,00000006,FlsSetValue,00622290,FlsSetValue,00000000,00000364,?,005B2E46), ref: 005B30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,005B301A,005813C6,00000000,00000000,00000000,?,005B328B,00000006,FlsSetValue,00622290,FlsSetValue,00000000), ref: 005B30BF

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 47fc601212e2342df1cc719877b39879ae20f80aca71134739f0a0aa70a79da8
Instruction ID: ead6b4269cac03d668f329894d4c1a3665fb3c51d2fa6c4a38f41886149f2775
Opcode Fuzzy Hash: 47fc601212e2342df1cc719877b39879ae20f80aca71134739f0a0aa70a79da8
Instruction Fuzzy Hash: 5901243674522AABCB309B78AC489DB7F99BF05B71B244620FD06F3140CB21EA01C6E0

Function 005E7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 005E747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 005E7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 005E74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 005E74CA

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 4006f8e1daa7a04de04639c74768a357d4fee45297ed890eb0a5b69bcb21873e
Instruction ID: 2c235009066a19aa10bc72c513480be6266b071533d388497d68a08b1a117114
Opcode Fuzzy Hash: 4006f8e1daa7a04de04639c74768a357d4fee45297ed890eb0a5b69bcb21873e
Instruction Fuzzy Hash: 171104B1249358AFEB24CF15DC08F967FFCFB04B10F10846AA6A6D6091D770E904DB50

Function 005EB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,005EACD3,?,00008000), ref: 005EB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,005EACD3,?,00008000), ref: 005EB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,005EACD3,?,00008000), ref: 005EB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,005EACD3,?,00008000), ref: 005EB126

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 03748ec61124c5a65a520c9ea28b533d7af94b4d98d477f6baeb0c42f7ebc6e8
Instruction ID: 18eb7e55377c5dd774e68a565e739eac659fb002d85b33cd0653cf24f1ffa41a
Opcode Fuzzy Hash: 03748ec61124c5a65a520c9ea28b533d7af94b4d98d477f6baeb0c42f7ebc6e8
Instruction Fuzzy Hash: 7D117C30C40659E7DF08AFE5E9596EFBF78FF09322F009486D981B2241CB305550DB51

Function 00617E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00617E33
ScreenToClient.USER32(?,?), ref: 00617E4B
ScreenToClient.USER32(?,?), ref: 00617E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00617E8A

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: a8161704bf123bb10c0a6c788c99fb5d9242fcdee2b8d5a0c9b9d760c9a58027
Instruction ID: 7fc86d3fac73ecd03671400a38a0f2b5cff6708953ff3e1aa88a5ad15fdcc372
Opcode Fuzzy Hash: a8161704bf123bb10c0a6c788c99fb5d9242fcdee2b8d5a0c9b9d760c9a58027
Instruction Fuzzy Hash: C61156B9D0024AAFDB41CF98C8849EEBBF5FF18310F549056E915E3210D775AA54CF90

Function 005E2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 005E2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 005E2DD6
GetCurrentThreadId.KERNEL32 ref: 005E2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 005E2DE4

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 56b6e741028e7d1f3a19ef89598b615cbee2467684b9170669f76514c253f08f
Instruction ID: b1f4f9f2f6518765b484652d3d98908395f770af4a3b06d3caf94a3746ad94a9
Opcode Fuzzy Hash: 56b6e741028e7d1f3a19ef89598b615cbee2467684b9170669f76514c253f08f
Instruction Fuzzy Hash: 48E06DB15812247AD7241B639C0EEEB3E6DFB42BB1F045116B205D1084DAA08841D6F0

Function 00618863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00599639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00599693
Part of subcall function 00599639: SelectObject.GDI32(?,00000000), ref: 005996A2
Part of subcall function 00599639: BeginPath.GDI32(?), ref: 005996B9
Part of subcall function 00599639: SelectObject.GDI32(?,00000000), ref: 005996E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00618887
LineTo.GDI32(?,?,?), ref: 00618894
EndPath.GDI32(?), ref: 006188A4
StrokePath.GDI32(?), ref: 006188B2

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: a7b5b8fba77a2badbf6f1e5192b981f3eaa622098b7df950bc315340e2397786
Instruction ID: 645990a6773df07f8de3a42e09bd5c3acd658ffd055d539840b4289d06117118
Opcode Fuzzy Hash: a7b5b8fba77a2badbf6f1e5192b981f3eaa622098b7df950bc315340e2397786
Instruction Fuzzy Hash: BAF05E36081259FADB125F94AC0EFCE3F5AAF0A322F08C001FA11651E1C7755551CFE9

Function 005998B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 005998CC
SetTextColor.GDI32(?,?), ref: 005998D6
SetBkMode.GDI32(?,00000001), ref: 005998E9
GetStockObject.GDI32(00000005), ref: 005998F1

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 22ace57b590d5cb113d4ef42a6d3dbb3dc02276a0d6d4848ce57717b23ebc885
Instruction ID: 562fa9c6611d0ab9d9ba8420049efcec0d8d5ec91df43336657066b3f23715bc
Opcode Fuzzy Hash: 22ace57b590d5cb113d4ef42a6d3dbb3dc02276a0d6d4848ce57717b23ebc885
Instruction Fuzzy Hash: FDE03931284284AADB215B78AC0ABEC3F22AB16336F18D21BF6BA580E1C37146509B11

Function 005E162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 005E1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,005E11D9), ref: 005E163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,005E11D9), ref: 005E1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,005E11D9), ref: 005E164F

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 7e1a6c71603da86cd343512b4415e4430d3f0ef2952da9116d589793a6831edb
Instruction ID: 9c72189b549de8a8857e3636592260d052b66dfdbd399c17c84386f65c6aa79f
Opcode Fuzzy Hash: 7e1a6c71603da86cd343512b4415e4430d3f0ef2952da9116d589793a6831edb
Instruction Fuzzy Hash: C4E08631641211DBD7201FA19D0DFCA3F7DBF447A2F18D809F285C9080D6344540C754

Function 005DD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 005DD858
GetDC.USER32(00000000), ref: 005DD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 005DD882
ReleaseDC.USER32(?), ref: 005DD8A3

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 7b39e588f5c329567ae8139d429a4cf90d0f508b26f2b0aa14a31c0dbd1d6625
Instruction ID: 5d1a940719f389248bb701d84a22c1f8a5dc06bde7d7a4eff199838c084549f9
Opcode Fuzzy Hash: 7b39e588f5c329567ae8139d429a4cf90d0f508b26f2b0aa14a31c0dbd1d6625
Instruction Fuzzy Hash: DAE01AB4840205EFCF41AFA0D90C6ADBFB2FB08321F18E40AE80AE7350C7384901AF90

Function 005DD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 005DD86C
GetDC.USER32(00000000), ref: 005DD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 005DD882
ReleaseDC.USER32(?), ref: 005DD8A3

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: f8e2ee4d9252d507ac03ea6cf16a43b112925d411448efdeef50b4841bc48c8d
Instruction ID: 267ddbd8645ee6209d6e3892f9024b1a751696e77034bb62c95981f51098068e
Opcode Fuzzy Hash: f8e2ee4d9252d507ac03ea6cf16a43b112925d411448efdeef50b4841bc48c8d
Instruction Fuzzy Hash: CEE09A75D40205DFCF51AFA0D90C6ADBFB6BB48321B18A44AE94AE7250D73959019F90

Function 005F4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00587620: _wcslen.LIBCMT ref: 00587625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 005F4ED4

Strings

*, xrefs: 005F4E10
LPT, xrefs: 005F4DFB

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 864c74a573c4796ac7d76cbb517bf6f1bd79c865324eea093fd4c02963b342d5
Instruction ID: ff292c81ac8951ceef8b1658cdadeb04bef7e8ed5d1b0161e4681edc8df5931c
Opcode Fuzzy Hash: 864c74a573c4796ac7d76cbb517bf6f1bd79c865324eea093fd4c02963b342d5
Instruction Fuzzy Hash: 35914A75A002099FCB14DF58C484EAABFF5BF48314F188099E90A9B362D735ED85CF91

Function 005AE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 005AE30D

Strings

pow, xrefs: 005AE2E5, 005AE302

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: bee6adec460aa11049e19fcee72ed18fea758b216ae2b705b07fca8b22d4627d
Instruction ID: 1a3ff8e51ccf194df9acb615e096ff8bfc711fc3686b4ef104556dff757cf73a
Opcode Fuzzy Hash: bee6adec460aa11049e19fcee72ed18fea758b216ae2b705b07fca8b22d4627d
Instruction Fuzzy Hash: 1A515C61A0C6079ACF257724C9473FD3F98FFC5780F308D99E0D5462A9EB34AC919A46

Function 00607771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(005D569E,00000000,?,0061CC08,?,00000000,00000000), ref: 006078DD

Part of subcall function 00586B57: _wcslen.LIBCMT ref: 00586B6A

CharUpperBuffW.USER32(005D569E,00000000,?,0061CC08,00000000,?,00000000,00000000), ref: 0060783B

Strings

<sd, xrefs: 006077C8

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <sd
API String ID: 3544283678-2633845394
Opcode ID: fed7c8d048d4c16504e98ba55da156f1db825ce462ff5e969105df9cd619c4e3
Instruction ID: 9ca54bdacf35dabbfe5e83da0e6a5be4de52f94c65a2639942c5afde7680a345
Opcode Fuzzy Hash: fed7c8d048d4c16504e98ba55da156f1db825ce462ff5e969105df9cd619c4e3
Instruction Fuzzy Hash: A2615D7295411AEACF08FBA4CC99DFEBB79BF54700F544525E942B3191EF206A06CBA0

Function 0059E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0059E1B1

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: f0b801e7e417a9ca3a820b861c475175dedd8b66407b678097a04478314ac052
Instruction ID: 7c5fec3bc0161918977e26b593ee9058667a9bdf3c79c08f5e0c8a9b213b5653
Opcode Fuzzy Hash: f0b801e7e417a9ca3a820b861c475175dedd8b66407b678097a04478314ac052
Instruction Fuzzy Hash: EE51FE39900286DBDF25EF28C4866FA7FA9FF65310F644057E891AF290D6349D42CBA0

Function 0059F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0059F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0059F2BB

Strings

@, xrefs: 0059F2AF

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 28d07bce2fe612fe2b7a7fc329af199d7f228700007f630ad68f05d9ea5d12d2
Instruction ID: b2e955a251f2807749a7cfb3fef992d876277ced32c76ffbcd4a786b30edb0a9
Opcode Fuzzy Hash: 28d07bce2fe612fe2b7a7fc329af199d7f228700007f630ad68f05d9ea5d12d2
Instruction Fuzzy Hash: 515157714087499BE320AF10E88ABAFBBF8FFC4304F91884DF59951195EB308529CB66

Function 00605745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 006057E0
_wcslen.LIBCMT ref: 006057EC

Strings

CALLARGARRAY, xrefs: 006057E6, 006057EB

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: c9d1f46647b27fd59774811dc1eaa4a1137822c9676afc3773c67234aeb287e9
Instruction ID: 4de20cafc42e244da985b4d29bac8cf18623e5dc50e2960eca4e948b6e3eb804
Opcode Fuzzy Hash: c9d1f46647b27fd59774811dc1eaa4a1137822c9676afc3773c67234aeb287e9
Instruction Fuzzy Hash: 57417031A4011A9FCB08DFA9C8858EFBBB6FF99350F148059E906A7291E7709D81CF90

Function 005FD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 005FD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 005FD13A

Strings

|, xrefs: 005FD10B

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 3b5d03a4ec45007e13e65ca0e372d04772567e706beca8c35a1d4cc3350acd59
Instruction ID: b1dca8f68c06ffe2847efd041986c4400e3d11ab4e060524dc40ae56b93bd632
Opcode Fuzzy Hash: 3b5d03a4ec45007e13e65ca0e372d04772567e706beca8c35a1d4cc3350acd59
Instruction Fuzzy Hash: EB310871D0020AABCF15EFA4CC89EEEBFBAFF45300F000019E915B6161D735AA16DB60

Function 0061356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00613621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0061365C

Strings

static, xrefs: 006135BC

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 3945ff4591683b8438ef693c08d78ddc9c8b463f6afbb767e07a93010ec766ac
Instruction ID: 0ca825789b1961a709b284ebac89c963d04e8c6965b6f350c59399684d9722a8
Opcode Fuzzy Hash: 3945ff4591683b8438ef693c08d78ddc9c8b463f6afbb767e07a93010ec766ac
Instruction Fuzzy Hash: BC319E71100204AEDB10DF78DC81EFB77AAFF88764F149619F9A6D7290DA31AD91C7A0

Function 00614537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0061461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00614634

Strings

', xrefs: 0061458E

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 2e93cfe435855464bf5cc47d0406ece3862f91652ffbb185b957188ee3f062b2
Instruction ID: 3116bb459cea5795131d810d084b12fb8c3f9e6661c9b4078c9124e2fe74809d
Opcode Fuzzy Hash: 2e93cfe435855464bf5cc47d0406ece3862f91652ffbb185b957188ee3f062b2
Instruction Fuzzy Hash: 31311A74A0130A9FDF14CF69C990BDA7BB6FF49344F18406AE905AB351DB70A941CF90

Function 006131EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0061327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00613287

Strings

Combobox, xrefs: 00613249

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: d919a6899d9446bc4ef6616c0ed26a24274d13a014dc2ef9b2fa733dd1060fd8
Instruction ID: cef1d8e5d67e2817acdf171c794a7b3fae2634f74225aeee234cae4013642af5
Opcode Fuzzy Hash: d919a6899d9446bc4ef6616c0ed26a24274d13a014dc2ef9b2fa733dd1060fd8
Instruction Fuzzy Hash: 7B11B2713002197FEF21AF54DC85EFB3B6BEB98364F144129F919A7390D6319E918760

Function 00613710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0058600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0058604C
Part of subcall function 0058600E: GetStockObject.GDI32(00000011), ref: 00586060
Part of subcall function 0058600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0058606A

GetWindowRect.USER32(00000000,?), ref: 0061377A
GetSysColor.USER32(00000012), ref: 00613794

Strings

static, xrefs: 00613757

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 1840f39a56230e52276d10685dd0bf09a1dbe754252d35185582bc7ab9c514b8
Instruction ID: c76c0502d87d575727db693b467c67d427768f2523013652de4201afbdf071a0
Opcode Fuzzy Hash: 1840f39a56230e52276d10685dd0bf09a1dbe754252d35185582bc7ab9c514b8
Instruction Fuzzy Hash: B41159B261021AAFDB01DFA8CC46AEE7BBAFB08314F044515F956E2250E734E8519B50

Function 005FCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 005FCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 005FCDA6

Strings

<local>, xrefs: 005FCD66

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 3b1badb956de4d2b8bc1902e3529af58e66d50b224854bf3ef1414b845aef938
Instruction ID: 7f2d9f0e7dc778ab9918ab213d1cd605fb036f981b8005d61156eb6b29d45033
Opcode Fuzzy Hash: 3b1badb956de4d2b8bc1902e3529af58e66d50b224854bf3ef1414b845aef938
Instruction Fuzzy Hash: 0311A07124567DBAD7284B668C49EFBBEA9FF127B4F00463AB209C3180D6789841D6F0

Function 00613429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 006134AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 006134BA

Strings

edit, xrefs: 0061348F

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: d4f67ff8bb15e84e146c6fa153debf7a29eaf2a41db7892aee02aa4692c957cd
Instruction ID: 313520e4e512b90d48caf816f795216ae3ad79e4c04ed0eb06c35616a750f00c
Opcode Fuzzy Hash: d4f67ff8bb15e84e146c6fa153debf7a29eaf2a41db7892aee02aa4692c957cd
Instruction Fuzzy Hash: EE11BF71100218AFEB218F64DC44AEB37ABEB15374F544324F962933E0C731DC919750

Function 005E6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00589CB3: _wcslen.LIBCMT ref: 00589CBD

CharUpperBuffW.USER32(?,?,?), ref: 005E6CB6
_wcslen.LIBCMT ref: 005E6CC2

Strings

STOP, xrefs: 005E6CBC, 005E6CC1

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: db6f6cb5abe67218d13e1423ab1e587f1d18c82132d43d750bbb2ea97a5ef121
Instruction ID: 04a2dabece942dc02ae92234a380a87307a3b5fd5fc02e73b43f97150175ace5
Opcode Fuzzy Hash: db6f6cb5abe67218d13e1423ab1e587f1d18c82132d43d750bbb2ea97a5ef121
Instruction Fuzzy Hash: 5C0104326005678BCB24AFBECC858BF7FA5FAB17D07900929E892A2191EA31DC00C750

Function 005E1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00589CB3: _wcslen.LIBCMT ref: 00589CBD

Part of subcall function 005E3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 005E3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 005E1D4C

Strings

ComboBox, xrefs: 005E1CEB
ListBox, xrefs: 005E1D16

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 91a0eda6ca7a9eabbe6369b04c94490c031f94beb974803b657be72fbe7fb05f
Instruction ID: 01ebe2ea564940a5dcc37f3dbdec1eea41cdea4528effd71389b60cd4836b44f
Opcode Fuzzy Hash: 91a0eda6ca7a9eabbe6369b04c94490c031f94beb974803b657be72fbe7fb05f
Instruction Fuzzy Hash: 8E01D871601619ABCB0CFBA5CD59CFE7B69FF86350B14091AF8B2672C1EA3159088760

Function 005E1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00589CB3: _wcslen.LIBCMT ref: 00589CBD

Part of subcall function 005E3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 005E3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 005E1C46

Strings

ComboBox, xrefs: 005E1BE5
ListBox, xrefs: 005E1C10

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: f99b5bbf20dddd8ad748d1ae45658a0a6dde9a0ab5087e11f28cbc6c48c92110
Instruction ID: b53a9e540cc44b2031671c736bc61004915081330b5ddabb92c03831e9e1951d
Opcode Fuzzy Hash: f99b5bbf20dddd8ad748d1ae45658a0a6dde9a0ab5087e11f28cbc6c48c92110
Instruction Fuzzy Hash: 8E01FC71B8114567CB08F791C95A9FF7BA8BF51340F240015B88AB3181EA319E0887B5

Function 005E1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00589CB3: _wcslen.LIBCMT ref: 00589CBD

Part of subcall function 005E3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 005E3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 005E1CC8

Strings

ComboBox, xrefs: 005E1C69
ListBox, xrefs: 005E1C94

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 7045960f24c83f8b50076f1a2c9e880a780b3c81f80024aa8d9d7c05bed0a94f
Instruction ID: c55bcb458d57e1462431b367455e77b5215581baaad29ebe2be058d87f4f8d37
Opcode Fuzzy Hash: 7045960f24c83f8b50076f1a2c9e880a780b3c81f80024aa8d9d7c05bed0a94f
Instruction Fuzzy Hash: 6A01DBB1A8155567DB08F791CA1AAFE7BA8BF51380F240015BC46B3281EA319F08C775

Function 0059A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0059A529

Part of subcall function 00589CB3: _wcslen.LIBCMT ref: 00589CBD

Strings

3y], xrefs: 0059A545, 0059A54D, 0059A552
,%e, xrefs: 0059A509

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%e$3y]
API String ID: 2551934079-1905814648
Opcode ID: 4460d626c346ca263dbfb144c213f953a564fc41fc66bb7c8b557bcb9929a994
Instruction ID: 202ceedc26fb9df02e777ab68f4292db79605974d79f31cb5a7d60c65ef2b109
Opcode Fuzzy Hash: 4460d626c346ca263dbfb144c213f953a564fc41fc66bb7c8b557bcb9929a994
Instruction Fuzzy Hash: 2A012632B006228BCE04F768EC5FABD3F55FB86721F451428F906671C2EE109D418AE7

Function 005E1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00589CB3: _wcslen.LIBCMT ref: 00589CBD

Part of subcall function 005E3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 005E3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 005E1DD3

Strings

ComboBox, xrefs: 005E1D75
ListBox, xrefs: 005E1DA0

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 7889f9fc98986e9c3b7d4f89cc9010cc751b30af8c4fb212bef69c19fc8c8c02
Instruction ID: 4739c240e1453bbb6c78f77d30d1aebd6e92d8da90726cbd416b54cb90b37b5a
Opcode Fuzzy Hash: 7889f9fc98986e9c3b7d4f89cc9010cc751b30af8c4fb212bef69c19fc8c8c02
Instruction Fuzzy Hash: D4F0F4B1A4161A67DB08F7A5CD5AAFE7B68BF42350F080915B862732C2EA7199088764

Function 0059FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 005A0668

Part of subcall function 005A32A4: RaiseException.KERNEL32(?,?,?,005A068A,?,00651444,?,?,?,?,?,?,005A068A,00581129,00648738,00581129), ref: 005A3304

__CxxThrowException@8.LIBVCRUNTIME ref: 005A0685

Strings

Unknown exception, xrefs: 005A0692

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: a908f41aa3a4090f46a966f1bffd00da26cf31433c8fb5a2ab4385f721ff1241
Instruction ID: e08f7cb109eded89d0f95696aad650032b683b6bb7dbf2e21618192b0d7b12f3
Opcode Fuzzy Hash: a908f41aa3a4090f46a966f1bffd00da26cf31433c8fb5a2ab4385f721ff1241
Instruction Fuzzy Hash: 79F0C234D0030E778F00BAA4E84AD9E7F6D7E82354B604531B814D65D1EF71EA65CAC0

Function 00618172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00653018,0065305C), ref: 006181BF
CloseHandle.KERNEL32 ref: 006181D1

Strings

\0e, xrefs: 0061818A

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0e
API String ID: 3712363035-2021240290
Opcode ID: a9ec03087abd1a8257b0829a2f5b131c118e5240ad5751d55c0bd63cef2f476b
Instruction ID: 2a818f59ba254d6304f405f2201aa4a637abc5126cce01adc6cb4e983ccf86fe
Opcode Fuzzy Hash: a9ec03087abd1a8257b0829a2f5b131c118e5240ad5751d55c0bd63cef2f476b
Instruction Fuzzy Hash: B4F089B1640320BEE710AB656C4AFBB3E5EEB05FA6F005421BF08D52E1D6758E1483F4

Function 0060747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00607493
_wcslen.LIBCMT ref: 006074B9

Strings

3, 3, 16, 1, xrefs: 00607483

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 0f8385643e5e52935e3aff54a115a26159879e3887356c55af2fa5bf00aee68e
Instruction ID: 8f5a5c5b856edb5d40c2f48a68f572a07f088816b81728140a858f0a67426fe5
Opcode Fuzzy Hash: 0f8385643e5e52935e3aff54a115a26159879e3887356c55af2fa5bf00aee68e
Instruction Fuzzy Hash: A5E02B02A4426114D33516B99CC59BF9ECFDFC6750710182BF981C23A6EAD4ADA193A0

Function 005E0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 005E0B23

Strings

Error allocating memory., xrefs: 005E0B1C
AutoIt, xrefs: 005E0B17

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 40ffd3ad9049910b0adadcc2b66e9fed184fc5a6f47bd460d92d0a6a773f9e3c
Instruction ID: 4ede93399307f3ae51ee2d04c245d49cebc6e71f13404fd2dd12907127778d28
Opcode Fuzzy Hash: 40ffd3ad9049910b0adadcc2b66e9fed184fc5a6f47bd460d92d0a6a773f9e3c
Instruction Fuzzy Hash: 80E0D83128434927D31436947C07FCD7E8AAF46F20F140426FB88D54C38AD2649007E9

Function 005A0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0059F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,005A0D71,?,?,?,0058100A), ref: 0059F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0058100A), ref: 005A0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0058100A), ref: 005A0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 005A0D7F

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: b340b0123fb8561164e094fb7a006a904c3091dc5ffcb92cf44d5f96d103a828
Instruction ID: 5f8210a09de4db085c5adfcddcc20ba47276b1bda703b1c2359891ee19c5aba9
Opcode Fuzzy Hash: b340b0123fb8561164e094fb7a006a904c3091dc5ffcb92cf44d5f96d103a828
Instruction Fuzzy Hash: A5E06D742007018BD7609FB8D40838A7FE1BB01744F04992DE486C66A1DBB5E4888B91

Function 0059E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0059E3D5

Strings

8%e, xrefs: 0059E3CA
0%e, xrefs: 0059E3B5

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%e$8%e
API String ID: 1385522511-3821002725
Opcode ID: f45f6209c3cd482c205fe6ee0cc7f2f169f2fd32f1c83d3e57d4e5b27ea058b0
Instruction ID: 8ceef89706a1fa771ddb4af791a60f86b09a5fbd0aa590ddfd2615ada61bf67c
Opcode Fuzzy Hash: f45f6209c3cd482c205fe6ee0cc7f2f169f2fd32f1c83d3e57d4e5b27ea058b0
Instruction Fuzzy Hash: 44E08635414B12CBCF04DF18F87AA9C3B57FB57321F502965E5128B1D1BB3038818655

Function 005F3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 005F302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 005F3044

Strings

aut, xrefs: 005F3038

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: ec33ad5f7bcfc829caa5e09b7985bc2b3128a2a1c97a15d2f7dbf38adad3b0f0
Instruction ID: 666adfac950e5177cd147c7bdc1623bbfee17d195470bae8952a3d3d19b0fea4
Opcode Fuzzy Hash: ec33ad5f7bcfc829caa5e09b7985bc2b3128a2a1c97a15d2f7dbf38adad3b0f0
Instruction Fuzzy Hash: 8DD05EB254032867DB20A7A4AC0EFCB3A6CDB05760F0002A2B655E20A1DAF09A84CAD0

Function 005DD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 005DD220

Strings

X64, xrefs: 005DD2A8
%.3d, xrefs: 005DD22B

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 3d05c6721c25b5936604f9e6c64aac99faec4a0d9062bc522a410041f26c2c58
Instruction ID: 0be81f10fd620b03048ae592d905ff65f9f9e80d3573b7d4fc3f88e7650b0a78
Opcode Fuzzy Hash: 3d05c6721c25b5936604f9e6c64aac99faec4a0d9062bc522a410041f26c2c58
Instruction Fuzzy Hash: 66D012A5848109EACFA0DAD4CC498FDBB7CFB18341F508853F806D1140E634C5086771

Function 00612356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0061236C
PostMessageW.USER32(00000000), ref: 00612373

Part of subcall function 005EE97B: Sleep.KERNEL32 ref: 005EE9F3

Strings

Shell_TrayWnd, xrefs: 00612365

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: a75239c9ad436fa7ebebc2783d8e7aa0562e8be6db10f69fd4c48eb5cac033a5
Instruction ID: d176b265a682d6e6ddf01c231634b20d47afffb6d59288e0833489bed816e163
Opcode Fuzzy Hash: a75239c9ad436fa7ebebc2783d8e7aa0562e8be6db10f69fd4c48eb5cac033a5
Instruction Fuzzy Hash: 89D0A9323C03007AE368A371DC0FFCAAA06AB00B20F0089027241EA0D0C8A0A800CA44

Function 00612322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0061232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0061233F

Part of subcall function 005EE97B: Sleep.KERNEL32 ref: 005EE9F3

Strings

Shell_TrayWnd, xrefs: 00612325

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: d456f348369beae6f00c0803dc9d79059250b57cc83c952bfdfd22022df33a52
Instruction ID: 9244b57439177c9ea0712f6ba960dc4024b26fd7413f6c0b96b4d8207ef95528
Opcode Fuzzy Hash: d456f348369beae6f00c0803dc9d79059250b57cc83c952bfdfd22022df33a52
Instruction Fuzzy Hash: 31D022323D0300BBE368B371DC0FFCABA06AB00B20F0089037345EA0D0C8F0A800CA40

Function 005BBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 005BBE93
GetLastError.KERNEL32 ref: 005BBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 005BBEFC

Memory Dump Source

Source File: 00000000.00000002.2004990424.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2004975036.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005042746.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005092349.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005107827.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 39075770a62c876b8b9e1971515d70eb8d48675152ff084dfb1e7a2e9793c688
Instruction ID: ad0935635b3d1796ff2c1fc37de5135a8d2ed5dbc8361830454100fa21bf953b
Opcode Fuzzy Hash: 39075770a62c876b8b9e1971515d70eb8d48675152ff084dfb1e7a2e9793c688
Instruction Fuzzy Hash: 8441A534604206AFEF218FA5CC84AFE7FA9BF42720F144169F959571A1DBF1AD01DB60

Source: global traffic	HTTP traffic detected: GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1Host: youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlaHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCI/KzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1Host: www.youtube.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlaHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCI/KzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlaHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCI/KzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw==Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=t+KOSkY1Ff+WcHu&MD=aCwnZKxN HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=t+KOSkY1Ff+WcHu&MD=aCwnZKxN HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.5:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.5:49734 version: TLS 1.2

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58892 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58895 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58895
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58892
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3408_938942196\LICENSE

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3408_938942196\_metadata\verified_contents.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3408_938942196\manifest.fingerprint

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3408_938942196\manifest.json

C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping3408_938942196\sets.json

Chrome Cache Entry: 85

Chrome Cache Entry: 86

Chrome Cache Entry: 87

Chrome Cache Entry: 88

Static File Info

General

Windows Analysis Report
file.exe

Function 005842DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 005842A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 005C2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 005ED4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Function 005EDBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Function 0060AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Function 00582CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 005C065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 0058344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00582B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00583170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 00581410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Function 00582C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 00583B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre