Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1523771
MD5:	8a053c1ee0f0ad79e8cd1a0788741383
SHA1:	b6e1e501874d798c8978e6e376be936386b87866
SHA256:	a1fb3e3bfa47fcb6a213addb2125c0971eccaba914830be8f9e2104c2edb2268
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 7092 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 8A053C1EE0F0AD79E8CD1A0788741383)

chrome.exe (PID: 7132 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-features=CrashRecovery MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 2996 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=2012,i,1735080414500895824,7393849833326395272,262144 --disable-features=CrashRecovery /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 7092	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_00AAEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00AAEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00AAED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00AAED6A

Source: C:\Users\user\Desktop\file.exe

0_2_00AAEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A9AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00A9AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00AC9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00AC9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.1648101488.0000000000AF2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_1ba5fc97-3
Source: file.exe, 00000000.00000000.1648101488.0000000000AF2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_d6320fbb-f
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_b78d8275-d
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_e8eb5046-9

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A9D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00A9D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A91201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00A91201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A9E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00A9E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A3BF40	0_2_00A3BF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A38060	0_2_00A38060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AA2046	0_2_00AA2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A98298	0_2_00A98298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A6E4FF	0_2_00A6E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A6676B	0_2_00A6676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AC4873	0_2_00AC4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A5CAA0	0_2_00A5CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A3CAF0	0_2_00A3CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A4CC39	0_2_00A4CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A66DD9	0_2_00A66DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A4D064	0_2_00A4D064
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A391C0	0_2_00A391C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A4B119	0_2_00A4B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A51394	0_2_00A51394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A51706	0_2_00A51706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A5781B	0_2_00A5781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A519B0	0_2_00A519B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A37920	0_2_00A37920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A4997D	0_2_00A4997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A57A4A	0_2_00A57A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A57CA7	0_2_00A57CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A51C77	0_2_00A51C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A69EEE	0_2_00A69EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ABBE44	0_2_00ABBE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A51F32	0_2_00A51F32

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00A50A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00A4F9F2 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal64.troj.evad.winEXE@26/8@8/5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00AA37B5 GetLastError,FormatMessageW,

0_2_00AA37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A910BF AdjustTokenPrivileges,CloseHandle,		0_2_00A910BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A916C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00A916C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00AA51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00AA51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A9D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00A9D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00AA648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00AA648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A342A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00A342A2

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-features=CrashRecovery
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=2012,i,1735080414500895824,7393849833326395272,262144 --disable-features=CrashRecovery /prefetch:8
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-features=CrashRecovery	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=2012,i,1735080414500895824,7393849833326395272,262144 --disable-features=CrashRecovery /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00A342DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A50A76 push ecx; ret

0_2_00A50A89

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A4F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00A4F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AC1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00AC1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-95964

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.2 %

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A9DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00A9DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AA68EE FindFirstFileW,FindClose,	0_2_00AA68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AA698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00AA698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A9D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00A9D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A9D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00A9D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AA9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00AA9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AA979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00AA979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AA9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00AA9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AA5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00AA5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00A342DE

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00AAEAA2 BlockInput,

0_2_00AAEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A62622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00A62622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00A342DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A54CE8 mov eax, dword ptr fs:[00000030h]

0_2_00A54CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A90B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00A90B62

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A62622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00A62622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A5083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00A5083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A509D5 SetUnhandledExceptionFilter,	0_2_00A509D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A50C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00A50C21

Source: C:\Users\user\Desktop\file.exe

0_2_00A91201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A72BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00A72BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A9B226 SendInput,keybd_event,

0_2_00A9B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00AB22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00AB22DA

Source: C:\Users\user\Desktop\file.exe

0_2_00A90B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A91663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00A91663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A50698 cpuid

0_2_00A50698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00AA8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00AA8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A8D27A GetUserNameW,

0_2_00A8D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A6BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00A6BB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00A342DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7092, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7092, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AB1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00AB1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AB1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00AB1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	15 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	2 Process Injection	2 Valid Accounts	LSA Secrets	12 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
https://apis.google.com/js/api.js	0%	URL Reputation	safe
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
youtube-ui.l.google.com	142.250.185.174	true	false	unknown
www.google.com	142.250.184.196	true	false	unknown
youtube.com	142.250.186.110	true	false	unknown
www.youtube.com	unknown	unknown	false	unknown
86.23.85.13.in-addr.arpa	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://www.google.com/favicon.ico	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://accounts.google	file.exe, 00000000.00000002.1650355401.0000000000E58000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://apis.google.com/js/api.js	chromecache_62.3.dr	false	URL Reputation: safe	unknown
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	chromecache_62.3.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.184.196	www.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.185.174	youtube-ui.l.google.com	United States	15169	GOOGLEUS	false
142.250.186.110	youtube.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.4

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1523771
Start date and time:	2024-10-02 01:38:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal64.troj.evad.winEXE@26/8@8/5
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 36 Number of non-executed functions: 313
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.185.195, 172.217.16.206, 74.125.71.84, 34.104.35.123, 142.250.185.67, 172.217.18.3, 142.250.186.138, 142.250.185.202, 142.250.184.202, 216.58.206.42, 142.250.185.106, 142.250.181.234, 172.217.16.202, 216.58.206.74, 142.250.185.74, 142.250.185.234, 142.250.74.202, 142.250.184.234, 142.250.186.74, 142.250.185.170, 142.250.185.138, 172.217.23.106, 142.250.186.106, 172.217.16.138, 142.250.186.170, 172.217.18.10, 142.250.186.42, 93.184.221.240, 192.229.221.95, 172.217.16.195, 142.250.186.46, 142.250.184.206
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, slscr.update.microsoft.com, fonts.gstatic.com, ctldl.windowsupdate.com, clientservices.googleapis.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, update.googleapis.com, clients.l.google.com, www.gstatic.com, optimizationguide-pa.googleapis.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: file.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	https://files.constantcontact.com/2d77228b901/702368a5-3f96-4cb6-b61d-aab8728be1ff.pdf	Get hash	malicious	Unknown	Browse
	https://www.elightsailorsbank.uksfholdings.com/	Get hash	malicious	Unknown	Browse
	https://docs.google.com/presentation/d/e/2PACX-1vRuKBrQqA6BNfxZo0BAmhaaVHWHS5xGpGnvHJ3KKWtc6LdsEuOoWSlBNaOKZjp5GXLjhWJKRMb-grou/pub?start=false&loop=false&delayms=3000	Get hash	malicious	Unknown	Browse
	https://sanbernardinoscounty.telcom-info.com/	Get hash	malicious	HtmlDropper	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	https://memakers-my.sharepoint.com/:f:/p/saeed/EuiMdoZoPpVNthIaEwKAedkBDFKyUdriWNhHe2RDzQxMdQ?e=5hQMeB&xsdata=MDV8MDJ8cGhlcm1hbkBidXJiYW5rY2EuZ292fDU4NDFjYjVhMjQzNDQ2YjU2ODZmMDhkY2Q3ZjZlNzZlfDY0OGRhZTMxMTgyYjRkYTI5OWVmMjU4MWFiOGU4YmVhfDB8MHw2Mzg2MjI3MDI2NDY5MTMzMDB8VW5rbm93bnxUV0ZwYkdac2IzZDhleUpXSWpvaU1DNHdMakF3TURBaUxDSlFJam9pVjJsdU16SWlMQ0pCVGlJNklrMWhhV3dpTENKWFZDSTZNbjA9fDQwMDAwfHx8&sdata=STFxSjJFWXZ2WnFoSWJsSml1L3V4emhPdHNVTmE5OWJmbjZsSDRKcjlyND0%3d	Get hash	malicious	HTMLPhisher	Browse
	Electronic_Receipt_ATT0001.htm	Get hash	malicious	Unknown	Browse
	http://t1.global.clubavolta.com/r/?id=h53ebcb4b,29506a5f,2988ba3e&e=cDE9UkVEX0dMX0xveWFsdHlMYXVuY2hTb2x1cy1OT0NPTS1BTEwtMDExMDIwMjQtMV9YWCZwMj1kNzEwNWE1Zi00NjE3LWVmMTEtOWY4OS0wMDBkM2EyMmNlYTE&s=MLotNdk8aEH7W1636YhgxIdQC5od3UWYqTZw3tm9630	Get hash	malicious	Unknown	Browse
	http://www.johnhdaniel.com	Get hash	malicious	Unknown	Browse
	https://convertwithwave.com	Get hash	malicious	Unknown	Browse

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	https://files.constantcontact.com/2d77228b901/702368a5-3f96-4cb6-b61d-aab8728be1ff.pdf	Get hash	malicious	Unknown	Browse	13.85.23.86 184.28.90.27 13.85.23.206 20.114.59.183 20.12.23.50
	https://www.elightsailorsbank.uksfholdings.com/	Get hash	malicious	Unknown	Browse	13.85.23.86 184.28.90.27 13.85.23.206 20.114.59.183 20.12.23.50
	https://docs.google.com/presentation/d/e/2PACX-1vRuKBrQqA6BNfxZo0BAmhaaVHWHS5xGpGnvHJ3KKWtc6LdsEuOoWSlBNaOKZjp5GXLjhWJKRMb-grou/pub?start=false&loop=false&delayms=3000	Get hash	malicious	Unknown	Browse	13.85.23.86 184.28.90.27 13.85.23.206 20.114.59.183 20.12.23.50
	https://sanbernardinoscounty.telcom-info.com/	Get hash	malicious	HtmlDropper	Browse	13.85.23.86 184.28.90.27 13.85.23.206 20.114.59.183 20.12.23.50
	file.exe	Get hash	malicious	Credential Flusher	Browse	13.85.23.86 184.28.90.27 13.85.23.206 20.114.59.183 20.12.23.50
	Electronic_Receipt_ATT0001.htm	Get hash	malicious	Unknown	Browse	13.85.23.86 184.28.90.27 13.85.23.206 20.114.59.183 20.12.23.50
	http://t1.global.clubavolta.com/r/?id=h53ebcb4b,29506a5f,2988ba3e&e=cDE9UkVEX0dMX0xveWFsdHlMYXVuY2hTb2x1cy1OT0NPTS1BTEwtMDExMDIwMjQtMV9YWCZwMj1kNzEwNWE1Zi00NjE3LWVmMTEtOWY4OS0wMDBkM2EyMmNlYTE&s=MLotNdk8aEH7W1636YhgxIdQC5od3UWYqTZw3tm9630	Get hash	malicious	Unknown	Browse	13.85.23.86 184.28.90.27 13.85.23.206 20.114.59.183 20.12.23.50
	http://www.johnhdaniel.com	Get hash	malicious	Unknown	Browse	13.85.23.86 184.28.90.27 13.85.23.206 20.114.59.183 20.12.23.50
	https://convertwithwave.com	Get hash	malicious	Unknown	Browse	13.85.23.86 184.28.90.27 13.85.23.206 20.114.59.183 20.12.23.50
	http://detection.fyi	Get hash	malicious	NetSupport RAT, Lsass Dumper, Mimikatz, Nukesped, Quasar, Trickbot, Xmrig	Browse	13.85.23.86 184.28.90.27 13.85.23.206 20.114.59.183 20.12.23.50

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (553)
Category:	downloaded
Size (bytes):	706790
Entropy (8bit):	5.792203668061935
Encrypted:	false
SSDEEP:	6144:HVXWBQkPdzg5pTX1ROv/duPzd8C3s891/v:gfd8j91/v
MD5:	EC96CF2B9F4521835FDE7FAC7489AFBF
SHA1:	E923628C8180BBAFE232BA92D1070F4C96BEF405
SHA-256:	138B369B87F4B601584348DF97E778513A9AAA9B27ACC0941F551D77F519CDF9
SHA-512:	48A00CF55E2760B26749DC6C4B4EF8591AFD58D1C8D11FF48F6A47F4293631F7CBC45AA53A6F691B49D082D2EDD7F7320C9802329AFB9835961A23DCEBAC7B3A
Malicious:	false
Reputation:	low
URL:	"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/am=xIFgKBimEQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/excm=_b,_tp,identifierview/ed=1/dg=0/wt=2/ujg=1/rs=AOaEmlFJRy1OqtUmLpt_G_DWG-oJaagYwQ/m=_b,_tp"
Preview:	"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi\|\|{};(function(_){var window=this;.try{._._F_toggles_initialize=function(a){(typeof globalThis!=="undefined"?globalThis:typeof self!=="undefined"?self:this)._F_toggles=a\|\|[]};(0,_._F_toggles_initialize)([0x286081c4, 0x20469860, 0x39e13c40, 0x14501e80, 0xe420, 0x0, 0x1a000000, 0x1d000003, 0xc, ]);./.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0././.. Copyright Google LLC. SPDX-License-Identifier: Apache-2.0././.. Copyright 2024 Google, Inc. SPDX-License-Identifier: MIT././. SPDX-License-Identifier: Apache-2.0././. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0./.var baa,daa,Ma,Sa,gaa,iaa,jb,qaa,waa,Caa,Haa,Kaa,Jb,Laa,Ob,Qb,Rb,Maa,Naa,Sb,Oaa,Paa,Qaa,Yb,Vaa,Xaa,ec,fc,gc,bba,cba,gba,jba,lba,mba,qba,tba,nba,sba,rba,pba,oba,uba,yba,Cba,Dba,Aba,Hc,Ic,Gba,Iba,Mba,Nba,Oba,Pba,Lba,Qba,Sba,dd,Uba,Vba,Xba,Zba,Yba,aca,bca,cca,dca,fca,eca,hca,ica,jca,kca,nca,

Chrome Cache Entry: 63

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	downloaded
Size (bytes):	5430
Entropy (8bit):	3.6534652184263736
Encrypted:	false
SSDEEP:	48:wIJct3xIAxG/7nvWDtZcdYLtX7B6QXL3aqG8Q:wIJct+A47v+rcqlBPG9B
MD5:	F3418A443E7D841097C714D69EC4BCB8
SHA1:	49263695F6B0CDD72F45CF1B775E660FDC36C606
SHA-256:	6DA5620880159634213E197FAFCA1DDE0272153BE3E4590818533FAB8D040770
SHA-512:	82D017C4B7EC8E0C46E8B75DA0CA6A52FD8BCE7FCF4E556CBDF16B49FC81BE9953FE7E25A05F63ECD41C7272E8BB0A9FD9AEDF0AC06CB6032330B096B3702563
Malicious:	false
Reputation:	high, very likely benign file
URL:	https://www.google.com/favicon.ico
Preview:	............ .h...&... .... .........(....... ..... ............................................0...................................................................................................................................v.].X.:.X.:.r.Y........................................q.X.S.4.S.4.S.4.S.4.S.4.S.4...X....................0........q.W.S.4.X.:.................J...A...g.........................K.H.V.8..........................F..B.....................,.......................................B..............................................B..B..B..B..B...u..........................................B..B..B..B..B...{.................5.......k...........................................................7R..8F.................................................2........Vb..5C..;I..................R^.....................0................Xc..5C..5C..5C..5C..5C..5C..lv..........................................]i..<J..:G..Zf....................................................

Chrome Cache Entry: 64

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Web Open Font Format (Version 2), TrueType, length 52280, version 1.0
Category:	downloaded
Size (bytes):	52280
Entropy (8bit):	7.995413196679271
Encrypted:	true
SSDEEP:	1536:1rvqtK8DZilXxwJ8mMwAZy7phqsFLdG3B4d:xytBZits8bw4wzbFxG3B4d
MD5:	F61F0D4D0F968D5BBA39A84C76277E1A
SHA1:	AA3693EA140ECA418B4B2A30F6A68F6F43B4BEB2
SHA-256:	57147F08949ABABE7DEEF611435AE418475A693E3823769A25C2A39B6EAD9CCC
SHA-512:	6C3BD90F709BCF9151C9ED9FFEA55C4F6883E7FDA2A4E26BF018C83FE1CFBE4F4AA0DB080D6D024070D53B2257472C399C8AC44EEFD38B9445640EFA85D5C487
Malicious:	false
Reputation:	high, very likely benign file
URL:	https://fonts.gstatic.com/s/googlesans/v58/4UaRrENHsxJlGDuGo1OIlJfC6l_24rlCK1Yo_Iq2vgCI.woff2
Preview:	wOF2.......8.....................................^...$..4?HVAR..?MVAR9.`?STAT.',..J/.......`..(..Z.0..R.6.$.... .....K..[..q..c..T.....>.P.j.`.w..#...%......N.".....$..3.0.6......... .L.rX/r[j.y.\|(.4.%#.....2.v.m..-..%.....;-.Y.{..&..O=#l@...k..7g..ZI...#.Z./+T..r7...M..3).Z%.x....s..sL..[A!.51w'/.8V..2Z..%.X.h.o.).]..9..Q`.$.....7..kZ.~O........d..g.n.d.Rw+&....Cz..uy#..fz,(.J....v.%..`..9.....h...?O..:...c%.....6s....xl..#...5..._......1.>.)"U.4 W....?%......6//!$...!.n9C@n...........!""^.....W..Z<.7.x.."UT.T....E.."R>.R..t.....H d..e_.K../.+8.Q.P.ZQ....;...U....]......._.e......71.?.7.ORv.?...l...G\|.P...\|:...I.X..2.,.L........d.g.]}W#uW]QnuP-s.;.-Y.....].......C..j_.M0...y.......J..........NY..@A...,....-.F......'..w./j5g.vUS...U..0.&...y7.LP.....%.....Y......Y..D. e.A..G.?.$.......6...eaK.n5.m...N...,...+BCl..L> .E9~.b[.w.x....6<...}.e...%V....O.......*.?...a..#[eE.4..p..$...].....%......o._......N.._~..El....b..A.0.r8.....\|..D.d..

Chrome Cache Entry: 65

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	84
Entropy (8bit):	4.875266466142591
Encrypted:	false
SSDEEP:	3:DZFJu0+WVTBCq2Bjdw2KsJJuYHSKnZ:lFJuuVTBudw29nu4SKZ
MD5:	87B6333E98B7620EA1FF98D1A837A39E
SHA1:	105DE6815B0885357DE1414BFC0D77FCC9E924EF
SHA-256:	DCD3C133C5C40BECD4100BBE6EDAE84C9735E778E4234A5E8395C56FF8A733BA
SHA-512:	867D7943D813685FAA76394E53199750C55817E836FD19C933F74D11E9657CE66719A6D6B2E39EE1DE62358BCE364E38A55F4E138DF92337DE6985DDCD5D0994
Malicious:	false
Reputation:	moderate, very likely benign file
URL:	https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTE3LjAuNTkzOC4xMzISHgmA6QC9dWevzxIFDRkBE_oSBQ3oIX6GEgUN05ioBw==?alt=proto
Preview:	Cj0KBw0ZARP6GgAKKQ3oIX6GGgQISxgCKhwIClIYCg5AIS4jJF8qLSY/Ky8lLBABGP////8PCgcN05ioBxoA

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.581133758091637
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	918'016 bytes
MD5:	8a053c1ee0f0ad79e8cd1a0788741383
SHA1:	b6e1e501874d798c8978e6e376be936386b87866
SHA256:	a1fb3e3bfa47fcb6a213addb2125c0971eccaba914830be8f9e2104c2edb2268
SHA512:	94490fda5e002d24a4937a6be622848701ce4ce0b3c5e48bd76ea083bdd2f6fb66bf74c6403554ef98ecb8781c92b4005b02d5db64e2fc4d3bca19faeaad8c4f
SSDEEP:	12288:HqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgaTTQ:HqDEvCTbMWu7rQYlBQcBiT6rprG8anQ
TLSH:	0B159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FC87B1 [Tue Oct 1 23:37:21 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F34A8C2A043h
jmp 00007F34A8C2994Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F34A8C29B2Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F34A8C29AFAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F34A8C2C6EDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F34A8C2C738h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F34A8C2C721h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9750	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9750	0x9800	f97dc394596efa6debd060cc0c00cadc	False	0.29422800164473684	data	5.2263968035910775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xa18	data			1.0042569659442724
RT_GROUP_ICON	0xdd1d0	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd248	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd25c	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd270	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd284	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd360	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 01:38:50.552994013 CEST	49675	443	192.168.2.4	173.222.162.32
Oct 2, 2024 01:38:56.892304897 CEST	50700	443	192.168.2.4	142.250.186.110
Oct 2, 2024 01:38:56.892333984 CEST	443	50700	142.250.186.110	192.168.2.4
Oct 2, 2024 01:38:56.892402887 CEST	50700	443	192.168.2.4	142.250.186.110
Oct 2, 2024 01:38:56.892987013 CEST	50700	443	192.168.2.4	142.250.186.110
Oct 2, 2024 01:38:56.892999887 CEST	443	50700	142.250.186.110	192.168.2.4
Oct 2, 2024 01:38:57.530097961 CEST	443	50700	142.250.186.110	192.168.2.4
Oct 2, 2024 01:38:57.531186104 CEST	50700	443	192.168.2.4	142.250.186.110
Oct 2, 2024 01:38:57.531200886 CEST	443	50700	142.250.186.110	192.168.2.4
Oct 2, 2024 01:38:57.531554937 CEST	443	50700	142.250.186.110	192.168.2.4
Oct 2, 2024 01:38:57.531622887 CEST	50700	443	192.168.2.4	142.250.186.110
Oct 2, 2024 01:38:57.533052921 CEST	443	50700	142.250.186.110	192.168.2.4
Oct 2, 2024 01:38:57.533127069 CEST	50700	443	192.168.2.4	142.250.186.110
Oct 2, 2024 01:38:57.560220957 CEST	50700	443	192.168.2.4	142.250.186.110
Oct 2, 2024 01:38:57.560264111 CEST	443	50700	142.250.186.110	192.168.2.4
Oct 2, 2024 01:38:57.561835051 CEST	50700	443	192.168.2.4	142.250.186.110
Oct 2, 2024 01:38:57.561841965 CEST	443	50700	142.250.186.110	192.168.2.4
Oct 2, 2024 01:38:57.615026951 CEST	50700	443	192.168.2.4	142.250.186.110
Oct 2, 2024 01:38:57.812259912 CEST	443	50700	142.250.186.110	192.168.2.4
Oct 2, 2024 01:38:57.812311888 CEST	50700	443	192.168.2.4	142.250.186.110
Oct 2, 2024 01:38:57.812385082 CEST	443	50700	142.250.186.110	192.168.2.4
Oct 2, 2024 01:38:57.812418938 CEST	443	50700	142.250.186.110	192.168.2.4
Oct 2, 2024 01:38:57.812454939 CEST	50700	443	192.168.2.4	142.250.186.110
Oct 2, 2024 01:38:57.820195913 CEST	50700	443	192.168.2.4	142.250.186.110
Oct 2, 2024 01:38:57.820204973 CEST	443	50700	142.250.186.110	192.168.2.4
Oct 2, 2024 01:38:57.830158949 CEST	50705	443	192.168.2.4	142.250.185.174
Oct 2, 2024 01:38:57.830255985 CEST	443	50705	142.250.185.174	192.168.2.4
Oct 2, 2024 01:38:57.830329895 CEST	50705	443	192.168.2.4	142.250.185.174
Oct 2, 2024 01:38:57.831486940 CEST	50705	443	192.168.2.4	142.250.185.174
Oct 2, 2024 01:38:57.831525087 CEST	443	50705	142.250.185.174	192.168.2.4
Oct 2, 2024 01:38:58.461812019 CEST	443	50705	142.250.185.174	192.168.2.4
Oct 2, 2024 01:38:58.462106943 CEST	50705	443	192.168.2.4	142.250.185.174
Oct 2, 2024 01:38:58.462179899 CEST	443	50705	142.250.185.174	192.168.2.4
Oct 2, 2024 01:38:58.462532997 CEST	443	50705	142.250.185.174	192.168.2.4
Oct 2, 2024 01:38:58.462610006 CEST	50705	443	192.168.2.4	142.250.185.174
Oct 2, 2024 01:38:58.463146925 CEST	443	50705	142.250.185.174	192.168.2.4
Oct 2, 2024 01:38:58.463252068 CEST	50705	443	192.168.2.4	142.250.185.174
Oct 2, 2024 01:38:58.464234114 CEST	50705	443	192.168.2.4	142.250.185.174
Oct 2, 2024 01:38:58.464318991 CEST	443	50705	142.250.185.174	192.168.2.4
Oct 2, 2024 01:38:58.464411974 CEST	50705	443	192.168.2.4	142.250.185.174
Oct 2, 2024 01:38:58.464431047 CEST	443	50705	142.250.185.174	192.168.2.4
Oct 2, 2024 01:38:58.504978895 CEST	50705	443	192.168.2.4	142.250.185.174
Oct 2, 2024 01:38:58.761609077 CEST	443	50705	142.250.185.174	192.168.2.4
Oct 2, 2024 01:38:58.761624098 CEST	443	50705	142.250.185.174	192.168.2.4
Oct 2, 2024 01:38:58.761678934 CEST	443	50705	142.250.185.174	192.168.2.4
Oct 2, 2024 01:38:58.761722088 CEST	50705	443	192.168.2.4	142.250.185.174
Oct 2, 2024 01:38:58.761759996 CEST	50705	443	192.168.2.4	142.250.185.174
Oct 2, 2024 01:38:58.764126062 CEST	50705	443	192.168.2.4	142.250.185.174
Oct 2, 2024 01:38:58.764147043 CEST	443	50705	142.250.185.174	192.168.2.4
Oct 2, 2024 01:39:00.160777092 CEST	49675	443	192.168.2.4	173.222.162.32
Oct 2, 2024 01:39:01.247437000 CEST	50710	443	192.168.2.4	142.250.184.196
Oct 2, 2024 01:39:01.247464895 CEST	443	50710	142.250.184.196	192.168.2.4
Oct 2, 2024 01:39:01.247539043 CEST	50710	443	192.168.2.4	142.250.184.196
Oct 2, 2024 01:39:01.247772932 CEST	50710	443	192.168.2.4	142.250.184.196
Oct 2, 2024 01:39:01.247780085 CEST	443	50710	142.250.184.196	192.168.2.4
Oct 2, 2024 01:39:01.314867973 CEST	50711	443	192.168.2.4	184.28.90.27
Oct 2, 2024 01:39:01.314924002 CEST	443	50711	184.28.90.27	192.168.2.4
Oct 2, 2024 01:39:01.314996004 CEST	50711	443	192.168.2.4	184.28.90.27
Oct 2, 2024 01:39:01.316641092 CEST	50711	443	192.168.2.4	184.28.90.27
Oct 2, 2024 01:39:01.316648960 CEST	443	50711	184.28.90.27	192.168.2.4
Oct 2, 2024 01:39:01.879631996 CEST	443	50710	142.250.184.196	192.168.2.4
Oct 2, 2024 01:39:01.879853964 CEST	50710	443	192.168.2.4	142.250.184.196
Oct 2, 2024 01:39:01.879865885 CEST	443	50710	142.250.184.196	192.168.2.4
Oct 2, 2024 01:39:01.880711079 CEST	443	50710	142.250.184.196	192.168.2.4
Oct 2, 2024 01:39:01.880770922 CEST	50710	443	192.168.2.4	142.250.184.196
Oct 2, 2024 01:39:01.881793976 CEST	50710	443	192.168.2.4	142.250.184.196
Oct 2, 2024 01:39:01.881839991 CEST	443	50710	142.250.184.196	192.168.2.4
Oct 2, 2024 01:39:01.926398993 CEST	50710	443	192.168.2.4	142.250.184.196
Oct 2, 2024 01:39:01.926408052 CEST	443	50710	142.250.184.196	192.168.2.4
Oct 2, 2024 01:39:01.960185051 CEST	443	50711	184.28.90.27	192.168.2.4
Oct 2, 2024 01:39:01.960272074 CEST	50711	443	192.168.2.4	184.28.90.27
Oct 2, 2024 01:39:01.967274904 CEST	50711	443	192.168.2.4	184.28.90.27
Oct 2, 2024 01:39:01.967291117 CEST	443	50711	184.28.90.27	192.168.2.4
Oct 2, 2024 01:39:01.967530012 CEST	443	50711	184.28.90.27	192.168.2.4
Oct 2, 2024 01:39:01.976629019 CEST	50710	443	192.168.2.4	142.250.184.196
Oct 2, 2024 01:39:02.013775110 CEST	50711	443	192.168.2.4	184.28.90.27
Oct 2, 2024 01:39:02.055425882 CEST	443	50711	184.28.90.27	192.168.2.4
Oct 2, 2024 01:39:02.231800079 CEST	443	50711	184.28.90.27	192.168.2.4
Oct 2, 2024 01:39:02.231843948 CEST	443	50711	184.28.90.27	192.168.2.4
Oct 2, 2024 01:39:02.231918097 CEST	50711	443	192.168.2.4	184.28.90.27
Oct 2, 2024 01:39:02.297707081 CEST	50711	443	192.168.2.4	184.28.90.27
Oct 2, 2024 01:39:02.297744036 CEST	443	50711	184.28.90.27	192.168.2.4
Oct 2, 2024 01:39:02.297759056 CEST	50711	443	192.168.2.4	184.28.90.27
Oct 2, 2024 01:39:02.297766924 CEST	443	50711	184.28.90.27	192.168.2.4
Oct 2, 2024 01:39:02.446005106 CEST	50714	443	192.168.2.4	184.28.90.27
Oct 2, 2024 01:39:02.446053028 CEST	443	50714	184.28.90.27	192.168.2.4
Oct 2, 2024 01:39:02.446116924 CEST	50714	443	192.168.2.4	184.28.90.27
Oct 2, 2024 01:39:02.446398020 CEST	50714	443	192.168.2.4	184.28.90.27
Oct 2, 2024 01:39:02.446412086 CEST	443	50714	184.28.90.27	192.168.2.4
Oct 2, 2024 01:39:03.218298912 CEST	443	50714	184.28.90.27	192.168.2.4
Oct 2, 2024 01:39:03.218385935 CEST	50714	443	192.168.2.4	184.28.90.27
Oct 2, 2024 01:39:03.220328093 CEST	50714	443	192.168.2.4	184.28.90.27
Oct 2, 2024 01:39:03.220340967 CEST	443	50714	184.28.90.27	192.168.2.4
Oct 2, 2024 01:39:03.220561981 CEST	443	50714	184.28.90.27	192.168.2.4
Oct 2, 2024 01:39:03.222524881 CEST	50714	443	192.168.2.4	184.28.90.27
Oct 2, 2024 01:39:03.267404079 CEST	443	50714	184.28.90.27	192.168.2.4
Oct 2, 2024 01:39:03.500682116 CEST	443	50714	184.28.90.27	192.168.2.4
Oct 2, 2024 01:39:03.500735998 CEST	443	50714	184.28.90.27	192.168.2.4
Oct 2, 2024 01:39:03.500895023 CEST	50714	443	192.168.2.4	184.28.90.27
Oct 2, 2024 01:39:03.501419067 CEST	50714	443	192.168.2.4	184.28.90.27
Oct 2, 2024 01:39:03.501434088 CEST	443	50714	184.28.90.27	192.168.2.4
Oct 2, 2024 01:39:03.501442909 CEST	50714	443	192.168.2.4	184.28.90.27
Oct 2, 2024 01:39:03.501449108 CEST	443	50714	184.28.90.27	192.168.2.4
Oct 2, 2024 01:39:04.217605114 CEST	50710	443	192.168.2.4	142.250.184.196
Oct 2, 2024 01:39:04.263403893 CEST	443	50710	142.250.184.196	192.168.2.4
Oct 2, 2024 01:39:04.483880997 CEST	443	50710	142.250.184.196	192.168.2.4
Oct 2, 2024 01:39:04.483921051 CEST	443	50710	142.250.184.196	192.168.2.4
Oct 2, 2024 01:39:04.483957052 CEST	443	50710	142.250.184.196	192.168.2.4
Oct 2, 2024 01:39:04.483983994 CEST	443	50710	142.250.184.196	192.168.2.4
Oct 2, 2024 01:39:04.484082937 CEST	443	50710	142.250.184.196	192.168.2.4
Oct 2, 2024 01:39:04.484095097 CEST	50710	443	192.168.2.4	142.250.184.196
Oct 2, 2024 01:39:04.484095097 CEST	50710	443	192.168.2.4	142.250.184.196
Oct 2, 2024 01:39:04.484128952 CEST	50710	443	192.168.2.4	142.250.184.196
Oct 2, 2024 01:39:04.484960079 CEST	50710	443	192.168.2.4	142.250.184.196
Oct 2, 2024 01:39:04.484968901 CEST	443	50710	142.250.184.196	192.168.2.4
Oct 2, 2024 01:39:12.860697031 CEST	50722	443	192.168.2.4	20.12.23.50
Oct 2, 2024 01:39:12.860728979 CEST	443	50722	20.12.23.50	192.168.2.4
Oct 2, 2024 01:39:12.860801935 CEST	50722	443	192.168.2.4	20.12.23.50
Oct 2, 2024 01:39:12.861803055 CEST	50722	443	192.168.2.4	20.12.23.50
Oct 2, 2024 01:39:12.861814022 CEST	443	50722	20.12.23.50	192.168.2.4
Oct 2, 2024 01:39:13.443660021 CEST	443	50722	20.12.23.50	192.168.2.4
Oct 2, 2024 01:39:13.443747997 CEST	50722	443	192.168.2.4	20.12.23.50
Oct 2, 2024 01:39:13.447345018 CEST	50722	443	192.168.2.4	20.12.23.50
Oct 2, 2024 01:39:13.447351933 CEST	443	50722	20.12.23.50	192.168.2.4
Oct 2, 2024 01:39:13.447602034 CEST	443	50722	20.12.23.50	192.168.2.4
Oct 2, 2024 01:39:13.489237070 CEST	50722	443	192.168.2.4	20.12.23.50
Oct 2, 2024 01:39:14.700639009 CEST	50722	443	192.168.2.4	20.12.23.50
Oct 2, 2024 01:39:14.747400045 CEST	443	50722	20.12.23.50	192.168.2.4
Oct 2, 2024 01:39:14.893954992 CEST	443	50722	20.12.23.50	192.168.2.4
Oct 2, 2024 01:39:14.893986940 CEST	443	50722	20.12.23.50	192.168.2.4
Oct 2, 2024 01:39:14.893996954 CEST	443	50722	20.12.23.50	192.168.2.4
Oct 2, 2024 01:39:14.894041061 CEST	443	50722	20.12.23.50	192.168.2.4
Oct 2, 2024 01:39:14.894074917 CEST	443	50722	20.12.23.50	192.168.2.4
Oct 2, 2024 01:39:14.894076109 CEST	50722	443	192.168.2.4	20.12.23.50
Oct 2, 2024 01:39:14.894102097 CEST	443	50722	20.12.23.50	192.168.2.4
Oct 2, 2024 01:39:14.894119978 CEST	50722	443	192.168.2.4	20.12.23.50
Oct 2, 2024 01:39:14.894119978 CEST	50722	443	192.168.2.4	20.12.23.50
Oct 2, 2024 01:39:14.894130945 CEST	443	50722	20.12.23.50	192.168.2.4
Oct 2, 2024 01:39:14.894156933 CEST	50722	443	192.168.2.4	20.12.23.50
Oct 2, 2024 01:39:14.894180059 CEST	50722	443	192.168.2.4	20.12.23.50
Oct 2, 2024 01:39:14.894238949 CEST	443	50722	20.12.23.50	192.168.2.4
Oct 2, 2024 01:39:14.894273043 CEST	443	50722	20.12.23.50	192.168.2.4
Oct 2, 2024 01:39:14.894840956 CEST	50722	443	192.168.2.4	20.12.23.50
Oct 2, 2024 01:39:15.809967041 CEST	50722	443	192.168.2.4	20.12.23.50
Oct 2, 2024 01:39:15.809988022 CEST	443	50722	20.12.23.50	192.168.2.4
Oct 2, 2024 01:39:15.809999943 CEST	50722	443	192.168.2.4	20.12.23.50
Oct 2, 2024 01:39:15.810004950 CEST	443	50722	20.12.23.50	192.168.2.4
Oct 2, 2024 01:39:20.028713942 CEST	56667	53	192.168.2.4	1.1.1.1
Oct 2, 2024 01:39:20.033500910 CEST	53	56667	1.1.1.1	192.168.2.4
Oct 2, 2024 01:39:20.033588886 CEST	56667	53	192.168.2.4	1.1.1.1
Oct 2, 2024 01:39:20.038363934 CEST	53	56667	1.1.1.1	192.168.2.4
Oct 2, 2024 01:39:20.496834993 CEST	56667	53	192.168.2.4	1.1.1.1
Oct 2, 2024 01:39:20.502175093 CEST	53	56667	1.1.1.1	192.168.2.4
Oct 2, 2024 01:39:20.502228022 CEST	56667	53	192.168.2.4	1.1.1.1
Oct 2, 2024 01:39:22.512214899 CEST	58615	53	192.168.2.4	1.1.1.1
Oct 2, 2024 01:39:22.516997099 CEST	53	58615	1.1.1.1	192.168.2.4
Oct 2, 2024 01:39:22.519331932 CEST	58615	53	192.168.2.4	1.1.1.1
Oct 2, 2024 01:39:22.524164915 CEST	53	58615	1.1.1.1	192.168.2.4
Oct 2, 2024 01:39:22.983652115 CEST	58615	53	192.168.2.4	1.1.1.1
Oct 2, 2024 01:39:22.984283924 CEST	58616	443	192.168.2.4	13.85.23.206
Oct 2, 2024 01:39:22.984328032 CEST	443	58616	13.85.23.206	192.168.2.4
Oct 2, 2024 01:39:22.984402895 CEST	58616	443	192.168.2.4	13.85.23.206
Oct 2, 2024 01:39:22.984819889 CEST	58616	443	192.168.2.4	13.85.23.206
Oct 2, 2024 01:39:22.984833002 CEST	443	58616	13.85.23.206	192.168.2.4
Oct 2, 2024 01:39:22.989461899 CEST	53	58615	1.1.1.1	192.168.2.4
Oct 2, 2024 01:39:22.989516020 CEST	58615	53	192.168.2.4	1.1.1.1
Oct 2, 2024 01:39:23.762379885 CEST	443	58616	13.85.23.206	192.168.2.4
Oct 2, 2024 01:39:23.762437105 CEST	58616	443	192.168.2.4	13.85.23.206
Oct 2, 2024 01:39:23.765954971 CEST	58616	443	192.168.2.4	13.85.23.206
Oct 2, 2024 01:39:23.765964985 CEST	443	58616	13.85.23.206	192.168.2.4
Oct 2, 2024 01:39:23.766164064 CEST	443	58616	13.85.23.206	192.168.2.4
Oct 2, 2024 01:39:23.774647951 CEST	58616	443	192.168.2.4	13.85.23.206
Oct 2, 2024 01:39:23.819408894 CEST	443	58616	13.85.23.206	192.168.2.4
Oct 2, 2024 01:39:24.220995903 CEST	443	58616	13.85.23.206	192.168.2.4
Oct 2, 2024 01:39:24.221060038 CEST	443	58616	13.85.23.206	192.168.2.4
Oct 2, 2024 01:39:24.221110106 CEST	58616	443	192.168.2.4	13.85.23.206
Oct 2, 2024 01:39:24.221195936 CEST	58616	443	192.168.2.4	13.85.23.206
Oct 2, 2024 01:39:24.221214056 CEST	443	58616	13.85.23.206	192.168.2.4
Oct 2, 2024 01:39:24.221224070 CEST	58616	443	192.168.2.4	13.85.23.206
Oct 2, 2024 01:39:24.221229076 CEST	443	58616	13.85.23.206	192.168.2.4
Oct 2, 2024 01:39:24.242065907 CEST	58617	443	192.168.2.4	20.12.23.50
Oct 2, 2024 01:39:24.242094040 CEST	443	58617	20.12.23.50	192.168.2.4
Oct 2, 2024 01:39:24.242182970 CEST	58617	443	192.168.2.4	20.12.23.50
Oct 2, 2024 01:39:24.242433071 CEST	58617	443	192.168.2.4	20.12.23.50
Oct 2, 2024 01:39:24.242445946 CEST	443	58617	20.12.23.50	192.168.2.4
Oct 2, 2024 01:39:24.832715034 CEST	58617	443	192.168.2.4	20.12.23.50
Oct 2, 2024 01:39:24.853506088 CEST	58618	443	192.168.2.4	13.85.23.86
Oct 2, 2024 01:39:24.853528023 CEST	443	58618	13.85.23.86	192.168.2.4
Oct 2, 2024 01:39:24.853589058 CEST	58618	443	192.168.2.4	13.85.23.86
Oct 2, 2024 01:39:24.854052067 CEST	58618	443	192.168.2.4	13.85.23.86
Oct 2, 2024 01:39:24.854063034 CEST	443	58618	13.85.23.86	192.168.2.4
Oct 2, 2024 01:39:25.568166971 CEST	443	58618	13.85.23.86	192.168.2.4
Oct 2, 2024 01:39:25.568229914 CEST	58618	443	192.168.2.4	13.85.23.86
Oct 2, 2024 01:39:25.570014000 CEST	58618	443	192.168.2.4	13.85.23.86
Oct 2, 2024 01:39:25.570019960 CEST	443	58618	13.85.23.86	192.168.2.4
Oct 2, 2024 01:39:25.570266962 CEST	443	58618	13.85.23.86	192.168.2.4
Oct 2, 2024 01:39:25.571146011 CEST	58618	443	192.168.2.4	13.85.23.86
Oct 2, 2024 01:39:25.615410089 CEST	443	58618	13.85.23.86	192.168.2.4
Oct 2, 2024 01:39:25.755577087 CEST	443	58618	13.85.23.86	192.168.2.4
Oct 2, 2024 01:39:25.755649090 CEST	443	58618	13.85.23.86	192.168.2.4
Oct 2, 2024 01:39:25.755700111 CEST	58618	443	192.168.2.4	13.85.23.86
Oct 2, 2024 01:39:25.758471966 CEST	58618	443	192.168.2.4	13.85.23.86
Oct 2, 2024 01:39:25.758481026 CEST	443	58618	13.85.23.86	192.168.2.4
Oct 2, 2024 01:39:27.634809971 CEST	58619	443	192.168.2.4	20.114.59.183
Oct 2, 2024 01:39:27.634875059 CEST	443	58619	20.114.59.183	192.168.2.4
Oct 2, 2024 01:39:27.634963036 CEST	58619	443	192.168.2.4	20.114.59.183
Oct 2, 2024 01:39:27.635447025 CEST	58619	443	192.168.2.4	20.114.59.183
Oct 2, 2024 01:39:27.635473013 CEST	443	58619	20.114.59.183	192.168.2.4
Oct 2, 2024 01:39:28.607852936 CEST	443	58619	20.114.59.183	192.168.2.4
Oct 2, 2024 01:39:28.607918024 CEST	58619	443	192.168.2.4	20.114.59.183
Oct 2, 2024 01:39:28.609350920 CEST	58619	443	192.168.2.4	20.114.59.183
Oct 2, 2024 01:39:28.609373093 CEST	443	58619	20.114.59.183	192.168.2.4
Oct 2, 2024 01:39:28.609622955 CEST	443	58619	20.114.59.183	192.168.2.4
Oct 2, 2024 01:39:28.610610962 CEST	58619	443	192.168.2.4	20.114.59.183
Oct 2, 2024 01:39:28.655400991 CEST	443	58619	20.114.59.183	192.168.2.4
Oct 2, 2024 01:39:29.903435946 CEST	443	58619	20.114.59.183	192.168.2.4
Oct 2, 2024 01:39:29.903461933 CEST	443	58619	20.114.59.183	192.168.2.4
Oct 2, 2024 01:39:29.903479099 CEST	443	58619	20.114.59.183	192.168.2.4
Oct 2, 2024 01:39:29.903539896 CEST	58619	443	192.168.2.4	20.114.59.183
Oct 2, 2024 01:39:29.903587103 CEST	443	58619	20.114.59.183	192.168.2.4
Oct 2, 2024 01:39:29.903656960 CEST	58619	443	192.168.2.4	20.114.59.183
Oct 2, 2024 01:39:29.904124975 CEST	443	58619	20.114.59.183	192.168.2.4
Oct 2, 2024 01:39:29.904175997 CEST	443	58619	20.114.59.183	192.168.2.4
Oct 2, 2024 01:39:29.904216051 CEST	58619	443	192.168.2.4	20.114.59.183
Oct 2, 2024 01:39:29.908556938 CEST	58619	443	192.168.2.4	20.114.59.183
Oct 2, 2024 01:39:29.908595085 CEST	443	58619	20.114.59.183	192.168.2.4
Oct 2, 2024 01:39:29.908611059 CEST	58619	443	192.168.2.4	20.114.59.183
Oct 2, 2024 01:39:29.908621073 CEST	443	58619	20.114.59.183	192.168.2.4
Oct 2, 2024 01:39:30.034097910 CEST	58620	443	192.168.2.4	20.114.59.183
Oct 2, 2024 01:39:30.034179926 CEST	443	58620	20.114.59.183	192.168.2.4
Oct 2, 2024 01:39:30.034337997 CEST	58620	443	192.168.2.4	20.114.59.183
Oct 2, 2024 01:39:30.034648895 CEST	58620	443	192.168.2.4	20.114.59.183
Oct 2, 2024 01:39:30.034698963 CEST	443	58620	20.114.59.183	192.168.2.4
Oct 2, 2024 01:39:30.842525005 CEST	443	58620	20.114.59.183	192.168.2.4
Oct 2, 2024 01:39:30.842639923 CEST	58620	443	192.168.2.4	20.114.59.183
Oct 2, 2024 01:39:30.871256113 CEST	58620	443	192.168.2.4	20.114.59.183
Oct 2, 2024 01:39:30.871309996 CEST	443	58620	20.114.59.183	192.168.2.4
Oct 2, 2024 01:39:30.871637106 CEST	443	58620	20.114.59.183	192.168.2.4
Oct 2, 2024 01:39:30.872577906 CEST	58620	443	192.168.2.4	20.114.59.183
Oct 2, 2024 01:39:30.919409990 CEST	443	58620	20.114.59.183	192.168.2.4
Oct 2, 2024 01:39:31.172852993 CEST	443	58620	20.114.59.183	192.168.2.4
Oct 2, 2024 01:39:31.172873974 CEST	443	58620	20.114.59.183	192.168.2.4
Oct 2, 2024 01:39:31.172888994 CEST	443	58620	20.114.59.183	192.168.2.4
Oct 2, 2024 01:39:31.172939062 CEST	58620	443	192.168.2.4	20.114.59.183
Oct 2, 2024 01:39:31.172979116 CEST	443	58620	20.114.59.183	192.168.2.4
Oct 2, 2024 01:39:31.173010111 CEST	58620	443	192.168.2.4	20.114.59.183
Oct 2, 2024 01:39:31.173032045 CEST	58620	443	192.168.2.4	20.114.59.183
Oct 2, 2024 01:39:31.174124956 CEST	443	58620	20.114.59.183	192.168.2.4
Oct 2, 2024 01:39:31.174161911 CEST	443	58620	20.114.59.183	192.168.2.4
Oct 2, 2024 01:39:31.174199104 CEST	58620	443	192.168.2.4	20.114.59.183
Oct 2, 2024 01:39:31.174206972 CEST	443	58620	20.114.59.183	192.168.2.4
Oct 2, 2024 01:39:31.174218893 CEST	58620	443	192.168.2.4	20.114.59.183
Oct 2, 2024 01:39:31.174259901 CEST	58620	443	192.168.2.4	20.114.59.183
Oct 2, 2024 01:39:31.176246881 CEST	58620	443	192.168.2.4	20.114.59.183
Oct 2, 2024 01:39:31.176278114 CEST	443	58620	20.114.59.183	192.168.2.4
Oct 2, 2024 01:39:31.176309109 CEST	58620	443	192.168.2.4	20.114.59.183
Oct 2, 2024 01:39:31.176322937 CEST	443	58620	20.114.59.183	192.168.2.4
Oct 2, 2024 01:40:01.389844894 CEST	58622	443	192.168.2.4	142.250.184.196
Oct 2, 2024 01:40:01.389873981 CEST	443	58622	142.250.184.196	192.168.2.4
Oct 2, 2024 01:40:01.389960051 CEST	58622	443	192.168.2.4	142.250.184.196
Oct 2, 2024 01:40:01.390228987 CEST	58622	443	192.168.2.4	142.250.184.196
Oct 2, 2024 01:40:01.390239954 CEST	443	58622	142.250.184.196	192.168.2.4
Oct 2, 2024 01:40:02.024976969 CEST	443	58622	142.250.184.196	192.168.2.4
Oct 2, 2024 01:40:02.025279999 CEST	58622	443	192.168.2.4	142.250.184.196
Oct 2, 2024 01:40:02.025298119 CEST	443	58622	142.250.184.196	192.168.2.4
Oct 2, 2024 01:40:02.025770903 CEST	443	58622	142.250.184.196	192.168.2.4
Oct 2, 2024 01:40:02.026063919 CEST	58622	443	192.168.2.4	142.250.184.196
Oct 2, 2024 01:40:02.026143074 CEST	443	58622	142.250.184.196	192.168.2.4
Oct 2, 2024 01:40:02.070966005 CEST	58622	443	192.168.2.4	142.250.184.196
Oct 2, 2024 01:40:11.925801039 CEST	443	58622	142.250.184.196	192.168.2.4
Oct 2, 2024 01:40:11.925889969 CEST	443	58622	142.250.184.196	192.168.2.4
Oct 2, 2024 01:40:11.925949097 CEST	58622	443	192.168.2.4	142.250.184.196
Oct 2, 2024 01:40:38.521982908 CEST	58622	443	192.168.2.4	142.250.184.196
Oct 2, 2024 01:40:38.522003889 CEST	443	58622	142.250.184.196	192.168.2.4
Oct 2, 2024 01:41:01.366132021 CEST	58624	443	192.168.2.4	142.250.184.196
Oct 2, 2024 01:41:01.366170883 CEST	443	58624	142.250.184.196	192.168.2.4
Oct 2, 2024 01:41:01.366275072 CEST	58624	443	192.168.2.4	142.250.184.196
Oct 2, 2024 01:41:01.366600037 CEST	58624	443	192.168.2.4	142.250.184.196
Oct 2, 2024 01:41:01.366612911 CEST	443	58624	142.250.184.196	192.168.2.4
Oct 2, 2024 01:41:01.998116970 CEST	443	58624	142.250.184.196	192.168.2.4
Oct 2, 2024 01:41:01.998501062 CEST	58624	443	192.168.2.4	142.250.184.196
Oct 2, 2024 01:41:01.998523951 CEST	443	58624	142.250.184.196	192.168.2.4
Oct 2, 2024 01:41:01.999648094 CEST	443	58624	142.250.184.196	192.168.2.4
Oct 2, 2024 01:41:01.999989986 CEST	58624	443	192.168.2.4	142.250.184.196
Oct 2, 2024 01:41:02.000164986 CEST	443	58624	142.250.184.196	192.168.2.4
Oct 2, 2024 01:41:02.049834013 CEST	58624	443	192.168.2.4	142.250.184.196

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 01:38:56.878489971 CEST	49472	53	192.168.2.4	1.1.1.1
Oct 2, 2024 01:38:56.878639936 CEST	55410	53	192.168.2.4	1.1.1.1
Oct 2, 2024 01:38:56.885113001 CEST	53	49472	1.1.1.1	192.168.2.4
Oct 2, 2024 01:38:56.886234045 CEST	53	51149	1.1.1.1	192.168.2.4
Oct 2, 2024 01:38:56.889461040 CEST	53	55410	1.1.1.1	192.168.2.4
Oct 2, 2024 01:38:56.903215885 CEST	53	61876	1.1.1.1	192.168.2.4
Oct 2, 2024 01:38:57.822614908 CEST	59651	53	192.168.2.4	1.1.1.1
Oct 2, 2024 01:38:57.822870016 CEST	49407	53	192.168.2.4	1.1.1.1
Oct 2, 2024 01:38:57.829503059 CEST	53	59651	1.1.1.1	192.168.2.4
Oct 2, 2024 01:38:57.829581022 CEST	53	49407	1.1.1.1	192.168.2.4
Oct 2, 2024 01:38:57.895142078 CEST	53	49358	1.1.1.1	192.168.2.4
Oct 2, 2024 01:39:01.239876986 CEST	52175	53	192.168.2.4	1.1.1.1
Oct 2, 2024 01:39:01.240008116 CEST	55676	53	192.168.2.4	1.1.1.1
Oct 2, 2024 01:39:01.246588945 CEST	53	55676	1.1.1.1	192.168.2.4
Oct 2, 2024 01:39:01.246602058 CEST	53	52175	1.1.1.1	192.168.2.4
Oct 2, 2024 01:39:03.274925947 CEST	53	54811	1.1.1.1	192.168.2.4
Oct 2, 2024 01:39:08.997390032 CEST	53	50790	1.1.1.1	192.168.2.4
Oct 2, 2024 01:39:14.935261011 CEST	53	58307	1.1.1.1	192.168.2.4
Oct 2, 2024 01:39:19.354760885 CEST	138	138	192.168.2.4	192.168.2.255
Oct 2, 2024 01:39:20.028331041 CEST	53	55094	1.1.1.1	192.168.2.4
Oct 2, 2024 01:39:22.511749029 CEST	53	59500	1.1.1.1	192.168.2.4
Oct 2, 2024 01:39:24.844906092 CEST	58482	53	192.168.2.4	1.1.1.1
Oct 2, 2024 01:39:24.851932049 CEST	53	58482	1.1.1.1	192.168.2.4
Oct 2, 2024 01:40:01.303844929 CEST	59036	53	192.168.2.4	1.1.1.1
Oct 2, 2024 01:40:01.388524055 CEST	53	59036	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 2, 2024 01:38:56.878489971 CEST	192.168.2.4	1.1.1.1	0x6a86	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 01:38:56.878639936 CEST	192.168.2.4	1.1.1.1	0x905	Standard query (0)	youtube.com	65	IN (0x0001)	false
Oct 2, 2024 01:38:57.822614908 CEST	192.168.2.4	1.1.1.1	0xce18	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 01:38:57.822870016 CEST	192.168.2.4	1.1.1.1	0x5375	Standard query (0)	www.youtube.com	65	IN (0x0001)	false
Oct 2, 2024 01:39:01.239876986 CEST	192.168.2.4	1.1.1.1	0xb125	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 01:39:01.240008116 CEST	192.168.2.4	1.1.1.1	0xfd4b	Standard query (0)	www.google.com	65	IN (0x0001)	false
Oct 2, 2024 01:39:24.844906092 CEST	192.168.2.4	1.1.1.1	0x6d86	Standard query (0)	86.23.85.13.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Oct 2, 2024 01:40:01.303844929 CEST	192.168.2.4	1.1.1.1	0x7018	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 2, 2024 01:38:56.885113001 CEST	1.1.1.1	192.168.2.4	0x6a86	No error (0)	youtube.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 2, 2024 01:38:56.889461040 CEST	1.1.1.1	192.168.2.4	0x905	No error (0)	youtube.com			65	IN (0x0001)	false
Oct 2, 2024 01:38:57.829503059 CEST	1.1.1.1	192.168.2.4	0xce18	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 01:38:57.829503059 CEST	1.1.1.1	192.168.2.4	0xce18	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 2, 2024 01:38:57.829503059 CEST	1.1.1.1	192.168.2.4	0xce18	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 2, 2024 01:38:57.829503059 CEST	1.1.1.1	192.168.2.4	0xce18	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 2, 2024 01:38:57.829503059 CEST	1.1.1.1	192.168.2.4	0xce18	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 2, 2024 01:38:57.829503059 CEST	1.1.1.1	192.168.2.4	0xce18	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 2, 2024 01:38:57.829503059 CEST	1.1.1.1	192.168.2.4	0xce18	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 2, 2024 01:38:57.829503059 CEST	1.1.1.1	192.168.2.4	0xce18	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 2, 2024 01:38:57.829503059 CEST	1.1.1.1	192.168.2.4	0xce18	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 2, 2024 01:38:57.829503059 CEST	1.1.1.1	192.168.2.4	0xce18	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 2, 2024 01:38:57.829503059 CEST	1.1.1.1	192.168.2.4	0xce18	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 2, 2024 01:38:57.829503059 CEST	1.1.1.1	192.168.2.4	0xce18	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 2, 2024 01:38:57.829503059 CEST	1.1.1.1	192.168.2.4	0xce18	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 2, 2024 01:38:57.829503059 CEST	1.1.1.1	192.168.2.4	0xce18	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 2, 2024 01:38:57.829503059 CEST	1.1.1.1	192.168.2.4	0xce18	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 2, 2024 01:38:57.829503059 CEST	1.1.1.1	192.168.2.4	0xce18	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 2, 2024 01:38:57.829503059 CEST	1.1.1.1	192.168.2.4	0xce18	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 2, 2024 01:38:57.829581022 CEST	1.1.1.1	192.168.2.4	0x5375	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 01:38:57.829581022 CEST	1.1.1.1	192.168.2.4	0x5375	No error (0)	youtube-ui.l.google.com			65	IN (0x0001)	false
Oct 2, 2024 01:39:01.246588945 CEST	1.1.1.1	192.168.2.4	0xfd4b	No error (0)	www.google.com			65	IN (0x0001)	false
Oct 2, 2024 01:39:01.246602058 CEST	1.1.1.1	192.168.2.4	0xb125	No error (0)	www.google.com		142.250.184.196	A (IP address)	IN (0x0001)	false
Oct 2, 2024 01:39:24.851932049 CEST	1.1.1.1	192.168.2.4	0x6d86	Name error (3)	86.23.85.13.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Oct 2, 2024 01:40:01.388524055 CEST	1.1.1.1	192.168.2.4	0x7018	No error (0)	www.google.com		142.250.184.196	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

youtube.com

www.youtube.com

fs.microsoft.com

https:

www.google.com

slscr.update.microsoft.com

fe3cr.delivery.mp.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	50700	142.250.186.110	443	2996	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 23:38:57 UTC	851	OUT	GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1 Host: youtube.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 23:38:57 UTC	1726	IN	HTTP/1.1 301 Moved Permanently Content-Type: application/binary X-Content-Type-Options: nosniff Expires: Tue, 01 Oct 2024 23:38:57 GMT Date: Tue, 01 Oct 2024 23:38:57 GMT Cache-Control: private, max-age=31536000 Location: https://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Frame-Options: SAMEORIGIN Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /cspreport Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main" Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9 Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]} Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	50705	142.250.185.174	443	2996	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 23:38:58 UTC	869	OUT	GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1 Host: www.youtube.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 23:38:58 UTC	2634	IN	HTTP/1.1 303 See Other Content-Type: application/binary X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 01 Oct 2024 23:38:58 GMT Location: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=31536000 Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]} Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main" Content-Security-Policy: require-trusted-types-for 'script' P3P: CP="This is not a P3P policy! See http://support.google.com/accounts/answer/151657?hl=en for more info." Server: ESF Content-Length: 0 X-XSS-Protection: 0 Set-Cookie: GPS=1; Domain=.youtube.com; Expires=Wed, 02-Oct-2024 00:08:58 GMT; Path=/; Secure; HttpOnly Set-Cookie: YSC=asj3AQFMlBM; Domain=.youtube.com; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Set-Cookie: VISITOR_INFO1_LIVE=IqqEKelRfeY; Domain=.youtube.com; Expires=Sun, 30-Mar-2025 23:38:58 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Set-Cookie: VISITOR_PRIVACY_METADATA=CgJVUxIEGgAgQQ%3D%3D; Domain=.youtube.com; Expires=Sun, 30-Mar-2025 23:38:58 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	50711	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 23:39:02 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-01 23:39:02 UTC	467	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-neu-z1 Cache-Control: public, max-age=148008 Date: Tue, 01 Oct 2024 23:39:02 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	50714	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 23:39:03 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-10-01 23:39:03 UTC	515	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=147951 Date: Tue, 01 Oct 2024 23:39:03 GMT Content-Length: 55 Connection: close X-CID: 2
2024-10-01 23:39:03 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	50710	142.250.184.196	443	2996	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 23:39:04 UTC	1017	OUT	GET /favicon.ico HTTP/1.1 Host: www.google.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.5938.132" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-01 23:39:04 UTC	706	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="static-on-bigtable" Report-To: {"group":"static-on-bigtable","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/static-on-bigtable"}]} Content-Length: 5430 X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Date: Tue, 01 Oct 2024 17:34:06 GMT Expires: Wed, 09 Oct 2024 17:34:06 GMT Cache-Control: public, max-age=691200 Last-Modified: Tue, 22 Oct 2019 18:30:00 GMT Content-Type: image/x-icon Vary: Accept-Encoding Age: 21898 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-10-01 23:39:04 UTC	684	IN	Data Raw: 00 00 01 00 02 00 10 10 00 00 01 00 20 00 68 04 00 00 26 00 00 00 20 20 00 00 01 00 20 00 a8 10 00 00 8e 04 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 30 fd fd fd 96 fd fd fd d8 fd fd fd f9 fd fd fd f9 fd fd fd d7 fd fd fd 94 fe fe fe 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd 99 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 95 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd c1 ff ff ff ff fa fd f9 ff b4 d9 a7 ff 76 ba 5d ff 58 ab 3a ff 58 aa 3a ff 72 b8 59 ff ac d5 9d ff f8 fb f6 ff ff Data Ascii: h& ( 0.v]X:X:rY
2024-10-01 23:39:04 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d8 fd fd fd 99 ff ff ff ff 92 cf fb ff 37 52 ec ff 38 46 ea ff d0 d4 fa ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 96 fe fe fe 32 ff ff ff ff f9 f9 fe ff 56 62 ed ff 35 43 ea ff 3b 49 eb ff 95 9c f4 ff cf d2 fa ff d1 d4 fa ff 96 9d f4 ff 52 5e ed ff e1 e3 fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 30 00 00 00 00 fd fd fd 9d ff ff ff ff e8 ea fd ff 58 63 ee ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 6c 76 f0 ff ff ff ff ff ff ff ff ff fd fd fd 98 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd c3 ff ff ff ff f9 f9 fe ff a5 ac f6 ff 5d 69 ee ff 3c Data Ascii: 7R8F2Vb5C;IR^0Xc5C5C5C5C5C5Clv]i<
2024-10-01 23:39:04 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d0 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fd fd fd 8b ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff b1 d8 a3 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 60 a5 35 ff ca 8e 3e ff f9 c1 9f ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 87 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 25 fd fd fd fb ff ff ff ff ff ff ff ff ff ff ff ff c2 e0 b7 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 6e b6 54 ff 9f ce 8d ff b7 da aa ff b8 db ab ff a5 d2 95 ff 7b bc 64 ff 54 a8 35 ff 53 a8 34 ff 77 a0 37 ff e3 89 41 ff f4 85 42 ff f4 85 42 Data Ascii: S4S4S4S4S4S4S4S4S4S4S4S4S4S4`5>%S4S4S4S4S4S4nT{dT5S4w7ABB
2024-10-01 23:39:04 UTC	1390	IN	Data Raw: 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff fb d5 bf ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd ea fd fd fd cb ff ff ff ff ff ff ff ff ff ff ff ff 46 cd fc ff 05 bc fb ff 05 bc fb ff 05 bc fb ff 21 ae f9 ff fb fb ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd c8 fd fd fd 9c ff ff ff ff ff ff ff ff ff ff ff ff 86 df fd ff 05 bc fb ff 05 bc fb ff 15 93 f5 ff 34 49 eb ff b3 b8 f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: BBBBBBBF!4I
2024-10-01 23:39:04 UTC	576	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d2 fe fe fe 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd 8d fd fd fd fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd fb fd fd fd 8b fe fe fe 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 27 fd fd fd 9f fd fd fd f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: $'

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	50722	20.12.23.50	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 23:39:14 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=bYMrBKnVbhn1Xtn&MD=5W1rvdZU HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-01 23:39:14 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 90912318-7c98-41f6-a9b5-7bb6844b9f17 MS-RequestId: 880099af-5a07-4dcf-973e-cce9f7683899 MS-CV: hKsaWnFrQUyYh0Ag.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Tue, 01 Oct 2024 23:39:14 GMT Connection: close Content-Length: 24490
2024-10-01 23:39:14 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-10-01 23:39:14 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	58616	13.85.23.206	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 23:39:23 UTC	142	OUT	GET /clientwebservice/ping HTTP/1.1 Connection: Keep-Alive User-Agent: DNS resiliency checker/1.0 Host: fe3cr.delivery.mp.microsoft.com
2024-10-01 23:39:24 UTC	234	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Expires: -1 Server: Microsoft-IIS/10.0 X-Powered-By: ASP.NET X-Content-Type-Options: nosniff Date: Tue, 01 Oct 2024 23:39:23 GMT Connection: close Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	58618	13.85.23.86	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 23:39:25 UTC	124	OUT	GET /sls/ping HTTP/1.1 Connection: Keep-Alive User-Agent: DNS resiliency checker/1.0 Host: slscr.update.microsoft.com
2024-10-01 23:39:25 UTC	318	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Expires: -1 MS-CV: jmHrErZStkCnY1J3.0 MS-RequestId: 1ebcb212-5b14-4640-8a20-51eb7cd471e1 MS-CorrelationId: 8751ff25-6cca-4fa7-aafd-d5fd8f318f37 X-Content-Type-Options: nosniff Date: Tue, 01 Oct 2024 23:39:25 GMT Connection: close Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	58619	20.114.59.183	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 23:39:28 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=bYMrBKnVbhn1Xtn&MD=5W1rvdZU HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-01 23:39:29 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: eb80941f-07ad-4e35-89cb-b03aa45b62b7 MS-RequestId: 556d8f96-974b-4100-bde9-270d89dc9e26 MS-CV: NwaKwh9oHkOANc0v.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Tue, 01 Oct 2024 23:39:28 GMT Connection: close Content-Length: 24490
2024-10-01 23:39:29 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-10-01 23:39:29 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	58620	20.114.59.183	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 23:39:30 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=bYMrBKnVbhn1Xtn&MD=5W1rvdZU HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-01 23:39:31 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: eaf88709-3121-499a-a3fc-4a4f3623a8c7 MS-RequestId: 2b3bca8c-170f-4fb4-8e0a-da38c3b158ce MS-CV: ftOyQaMVeEKUZQvN.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Tue, 01 Oct 2024 23:39:30 GMT Connection: close Content-Length: 30005
2024-10-01 23:39:31 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-10-01 23:39:31 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Target ID:	0
Start time:	19:38:55
Start date:	01/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xa30000
File size:	918'016 bytes
MD5 hash:	8A053C1EE0F0AD79E8CD1A0788741383
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	19:38:55
Start date:	01/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --app="https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-features=CrashRecovery
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	19:38:55
Start date:	01/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=2012,i,1735080414500895824,7393849833326395272,262144 --disable-features=CrashRecovery /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	1.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.1%
Total number of Nodes:	1431
Total number of Limit Nodes:	52

Executed Functions

Function 00A342DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00A3430D

Part of subcall function 00A36B57: _wcslen.LIBCMT ref: 00A36B6A

GetCurrentProcess.KERNEL32(?,00ACCB64,00000000,?,?), ref: 00A34422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00A34429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00A34454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00A34466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00A34474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00A3447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00A344A0

Strings

kernel32.dll, xrefs: 00A3444F
|O, xrefs: 00A736F8
GetNativeSystemInfo, xrefs: 00A34460

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 13a1ed120ac3c13754136dbb5a0e941f792f89453d8d5ce34903c890f2498c16
Instruction ID: d10cef8ed80d8b9d4d384ec5b1b1d8b5a5483bb6cb05e5ab80ea1deb5d036807
Opcode Fuzzy Hash: 13a1ed120ac3c13754136dbb5a0e941f792f89453d8d5ce34903c890f2498c16
Instruction Fuzzy Hash: 80A1957290A2C0FFCB1DC7AD7C815957FE47B3A340F09DCA9E08597A62DA305909DB29

Function 00A342A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00A350AA,?,?,00000000,00000000), ref: 00A342B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00A350AA,?,?,00000000,00000000), ref: 00A342C9
LoadResource.KERNEL32(?,00000000,?,?,00A350AA,?,?,00000000,00000000,?,?,?,?,?,?,00A34F20), ref: 00A735BE
SizeofResource.KERNEL32(?,00000000,?,?,00A350AA,?,?,00000000,00000000,?,?,?,?,?,?,00A34F20), ref: 00A735D3
LockResource.KERNEL32(00A350AA,?,?,00A350AA,?,?,00000000,00000000,?,?,?,?,?,?,00A34F20,?), ref: 00A735E6

Strings

SCRIPT, xrefs: 00A342BF

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 8de3b97afd6b5ac29c013ded9ea6333aed372651aaf710dd1ed908820b8692a5
Instruction ID: 26942d125bea45043d055824e7a4d607bd75dfce8e5afdd561d7e9eceaf437b8
Opcode Fuzzy Hash: 8de3b97afd6b5ac29c013ded9ea6333aed372651aaf710dd1ed908820b8692a5
Instruction Fuzzy Hash: 81117C71200700BFDB219BAADC48FA77BBDEBCAB61F158169F41696650DB71EC018A20

Function 00A72BA5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00A32B6B

Part of subcall function 00A33A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,(o,?,00A32E7F,?,?,?,00000000), ref: 00A33A78

Part of subcall function 00A39CB3: _wcslen.LIBCMT ref: 00A39CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00AF2224), ref: 00A72C10
ShellExecuteW.SHELL32(00000000,?,?,00AF2224), ref: 00A72C17

Strings

(o, xrefs: 00A72BD9
runas, xrefs: 00A72C0B

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: (o$runas
API String ID: 448630720-1755454649
Opcode ID: 756943a86ef73b290e959126421173fed422081ff46a70358548714df4620b1e
Instruction ID: c4577c50c7d0a9235e75ed1e1677b1378e7b55e054214ec94dfe0aba782d6eab
Opcode Fuzzy Hash: 756943a86ef73b290e959126421173fed422081ff46a70358548714df4620b1e
Instruction Fuzzy Hash: EB11D63250C3456ACB08FF64DA56EBEBBA4AB91350F04582DF186571A2CF618A0ADB12

Function 00A9D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00A9D501
Process32FirstW.KERNEL32(00000000,?), ref: 00A9D50F
Process32NextW.KERNEL32(00000000,?), ref: 00A9D52F
CloseHandle.KERNELBASE(00000000), ref: 00A9D5DC

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: f336e0c1d174fd1b7ba4ef25d0505cbe2a9ac22fecad55e02b3f4e036d79ccde
Instruction ID: 92030ef733f2016aa4add1b54cb414e3b6b50c635e697f944d624108c4a7afc1
Opcode Fuzzy Hash: f336e0c1d174fd1b7ba4ef25d0505cbe2a9ac22fecad55e02b3f4e036d79ccde
Instruction Fuzzy Hash: 3E319C711083009FD700EF64C985AAFBBF8EFD9354F14092DF585861A1EB719A89CBA3

Function 00A9DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00A75222), ref: 00A9DBCE
GetFileAttributesW.KERNELBASE(?), ref: 00A9DBDD
FindFirstFileW.KERNEL32(?,?), ref: 00A9DBEE
FindClose.KERNEL32(00000000), ref: 00A9DBFA

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: fe755e14b696a1c62d35edc88e1ee9031a5b73f21ffe48b4bfc4abd046c691d3
Instruction ID: d2466f8b51edd9311e138dc8ce0b72cd6700de6647df4a32edd0e5d2ae83148e
Opcode Fuzzy Hash: fe755e14b696a1c62d35edc88e1ee9031a5b73f21ffe48b4bfc4abd046c691d3
Instruction Fuzzy Hash: F1F0A93081091067CA20ABB8EC0D8AA77AC9E02334B144702F83AC20E0EBB099968696

Function 00A54CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00A628E9,?,00A54CBE,00A628E9,00AF88B8,0000000C,00A54E15,00A628E9,00000002,00000000,?,00A628E9), ref: 00A54D09
TerminateProcess.KERNEL32(00000000,?,00A54CBE,00A628E9,00AF88B8,0000000C,00A54E15,00A628E9,00000002,00000000,?,00A628E9), ref: 00A54D10
ExitProcess.KERNEL32 ref: 00A54D22

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: a70386c5fcb5fe97d18c4e40e0dc8f19e49dc7d5afb4136156c20c3940e8b1c2
Instruction ID: d9f02add53db5d88b358cb6ca3437ee8ce878744e5cc689603cf51732a8fbfde
Opcode Fuzzy Hash: a70386c5fcb5fe97d18c4e40e0dc8f19e49dc7d5afb4136156c20c3940e8b1c2
Instruction Fuzzy Hash: C3E0B632400148AFCF11AF94EE09E597B79FB45796B154018FC198B222CB3ADD87CA90

Function 00A3BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

0}, xrefs: 00A807CE

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: 0}
API String ID: 3964851224-2321931521
Opcode ID: 66a1ac979258759b2a4e2a0fbf1cd416e4d097cdb30c820577fa560bf962c913
Instruction ID: 9075de85e546b08945319cec1944bc7f31046a75659c3652abfc5740f28411f1
Opcode Fuzzy Hash: 66a1ac979258759b2a4e2a0fbf1cd416e4d097cdb30c820577fa560bf962c913
Instruction Fuzzy Hash: 11A24874A083419FD754DF28C880B2ABBF1BF89314F14896DF89A9B352D771E845CB92

Function 00ABAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00ABB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00ABB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00ABB1D4
_wcslen.LIBCMT ref: 00ABB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00ABB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00ABB236
_wcslen.LIBCMT ref: 00ABB332

Part of subcall function 00AA05A7: GetStdHandle.KERNEL32(000000F6), ref: 00AA05C6

_wcslen.LIBCMT ref: 00ABB34B
_wcslen.LIBCMT ref: 00ABB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00ABB3B6
GetLastError.KERNEL32(00000000), ref: 00ABB407
CloseHandle.KERNEL32(?), ref: 00ABB439
CloseHandle.KERNEL32(00000000), ref: 00ABB44A
CloseHandle.KERNEL32(00000000), ref: 00ABB45C
CloseHandle.KERNEL32(00000000), ref: 00ABB46E
CloseHandle.KERNEL32(?), ref: 00ABB4E3

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: e6593e69e5c8ea0f3093e054f1388ed8bfcfb43584c3adffc2da32a6c1de5361
Instruction ID: a10104ddb8a34cd10b3f153741147cbc428f64103b1a7bc0eeba098386e3b7de
Opcode Fuzzy Hash: e6593e69e5c8ea0f3093e054f1388ed8bfcfb43584c3adffc2da32a6c1de5361
Instruction Fuzzy Hash: 87F1BF715143009FC724EF24C991BAEBBE5BF85314F14855DF8998B2A2CB71EC44CB62

Function 00A3D730 Relevance: 21.6, APIs: 14, Instructions: 616windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00A3D807
timeGetTime.WINMM ref: 00A3DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A3DB28
TranslateMessage.USER32(?), ref: 00A3DB7B
DispatchMessageW.USER32(?), ref: 00A3DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A3DB9F
Sleep.KERNEL32(0000000A), ref: 00A3DBB1

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 3dde554c0b3103dcbe31f3b3435fa853e76c650ce81174b9145c44353384c299
Instruction ID: 16100fc05b720c45c2af3f19c24db7ca9975624bd10ec7dabe22042bcdb5ca37
Opcode Fuzzy Hash: 3dde554c0b3103dcbe31f3b3435fa853e76c650ce81174b9145c44353384c299
Instruction Fuzzy Hash: 0F42BD70608341EFD728DF24D988BBABBE4BF85314F148A59F4A687291D770E845CB92

Function 00A32CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00A32D07
RegisterClassExW.USER32(00000030), ref: 00A32D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A32D42
InitCommonControlsEx.COMCTL32(?), ref: 00A32D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A32D6F
LoadIconW.USER32(000000A9), ref: 00A32D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A32D94

Strings

+, xrefs: 00A32CF0
0, xrefs: 00A32CE9
TaskbarCreated, xrefs: 00A32D37
AutoIt v3 GUI, xrefs: 00A32D23

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: e55f0ed0f63f7f7d50dacc560c95f90945444777d98bd4264c43a9e6e9ed2f33
Instruction ID: ce2b8de4482d8b423843116af4530f6104121302efe09d8d681043f3a38a377c
Opcode Fuzzy Hash: e55f0ed0f63f7f7d50dacc560c95f90945444777d98bd4264c43a9e6e9ed2f33
Instruction Fuzzy Hash: 4A21B2B5D01318AFDB00DFE8EC49B9DBBB8FB08710F01451AF615A72A0DBB145468F95

Function 00A7065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A7039A: CreateFileW.KERNELBASE(00000000,00000000,?,00A70704,?,?,00000000,?,00A70704,00000000,0000000C), ref: 00A703B7

GetLastError.KERNEL32 ref: 00A7076F
__dosmaperr.LIBCMT ref: 00A70776
GetFileType.KERNELBASE(00000000), ref: 00A70782
GetLastError.KERNEL32 ref: 00A7078C
__dosmaperr.LIBCMT ref: 00A70795
CloseHandle.KERNEL32(00000000), ref: 00A707B5
CloseHandle.KERNEL32(?), ref: 00A708FF
GetLastError.KERNEL32 ref: 00A70931
__dosmaperr.LIBCMT ref: 00A70938

Strings

H, xrefs: 00A708BD

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: da3f0f4001e5dda17288d55c99d8b8b093379d9d5dd543bd74634ba9e6867695
Instruction ID: 518ae976c7f91890e4d6f1c5ae539805a5fb275fa730a78eb89680915de8c3ae
Opcode Fuzzy Hash: da3f0f4001e5dda17288d55c99d8b8b093379d9d5dd543bd74634ba9e6867695
Instruction Fuzzy Hash: 4FA11232A101498FDF19EF68DC51BAE7BB0AB16320F14815DF81A9F392DB319812CB91

Function 00A3344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A33A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,(o,?,00A32E7F,?,?,?,00000000), ref: 00A33A78

Part of subcall function 00A33357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00A33379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00A3356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00A7318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00A731CE
RegCloseKey.ADVAPI32(?), ref: 00A73210
_wcslen.LIBCMT ref: 00A73277
_wcslen.LIBCMT ref: 00A73286

Strings

Include, xrefs: 00A73184, 00A731C5
\, xrefs: 00A7328C
\Include\, xrefs: 00A33527
Software\AutoIt v3\AutoIt, xrefs: 00A33560

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: a9677ece76e590ffca027a0fc8fe840dc31206808810111caaeb0958f9930b8c
Instruction ID: e057066d263ddf8e683dbe0dd30ce60081c58e9719687313045e4a817e0ddddd
Opcode Fuzzy Hash: a9677ece76e590ffca027a0fc8fe840dc31206808810111caaeb0958f9930b8c
Instruction Fuzzy Hash: 6F71B4724043009EC704EF65DD869ABBBE8FFA4350F40482EF549971A1EF749A4CCB56

Function 00A32B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00A32B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00A32B9D
LoadIconW.USER32(00000063), ref: 00A32BB3
LoadIconW.USER32(000000A4), ref: 00A32BC5
LoadIconW.USER32(000000A2), ref: 00A32BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00A32BEF
RegisterClassExW.USER32(?), ref: 00A32C40

Part of subcall function 00A32CD4: GetSysColorBrush.USER32(0000000F), ref: 00A32D07
Part of subcall function 00A32CD4: RegisterClassExW.USER32(00000030), ref: 00A32D31
Part of subcall function 00A32CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A32D42
Part of subcall function 00A32CD4: InitCommonControlsEx.COMCTL32(?), ref: 00A32D5F
Part of subcall function 00A32CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A32D6F
Part of subcall function 00A32CD4: LoadIconW.USER32(000000A9), ref: 00A32D85
Part of subcall function 00A32CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A32D94

Strings

0, xrefs: 00A32C0F
AutoIt v3, xrefs: 00A32C2F
#, xrefs: 00A32C16

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 2ed193f708c6df50d89efecdb1f630d96f6b71e77336a54e0fe1a35f3a5b90e7
Instruction ID: 1c95f1528496a6cfee61ec7ea741dddb55ab726b2c5c1e74d90fba060a387c80
Opcode Fuzzy Hash: 2ed193f708c6df50d89efecdb1f630d96f6b71e77336a54e0fe1a35f3a5b90e7
Instruction Fuzzy Hash: B1210771E00318BBDB18DFA9EC59AA97FF4FB58B50F04041AF505A76A0DBB14541CF98

Function 00A33170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00A3316A,?,?), ref: 00A331D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00A3316A,?,?), ref: 00A33204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A33227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00A3316A,?,?), ref: 00A33232
CreatePopupMenu.USER32 ref: 00A33246
PostQuitMessage.USER32(00000000), ref: 00A33267

Strings

TaskbarCreated, xrefs: 00A3322D

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 6baff048ed635a9fdb3d2d7834da026709099cabaea9acd27e8e7e3c8cb12621
Instruction ID: 04fceb19156d2f5e94928fc97db46edf55509ed15a218608871efad9919524c6
Opcode Fuzzy Hash: 6baff048ed635a9fdb3d2d7834da026709099cabaea9acd27e8e7e3c8cb12621
Instruction Fuzzy Hash: 75413933648200BBDF185BBC9D0DBBE3B69EB25350F048625F60A872E1DF718E4197A5

Function 00A31410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00A31459
CoUninitialize.COMBASE ref: 00A314F8
UnregisterHotKey.USER32(?), ref: 00A316DD
DestroyWindow.USER32(?), ref: 00A724B9
FreeLibrary.KERNEL32(?), ref: 00A7251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00A7254B

Strings

close all, xrefs: 00A31454

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 123a5d11490cbf6967d32155b0d56433a4f38646072f3d67be60703653f91679
Instruction ID: 76bb827d60ba87fad20dcfc4b604ebd5ae94113aa6872f351b6c16aec5070290
Opcode Fuzzy Hash: 123a5d11490cbf6967d32155b0d56433a4f38646072f3d67be60703653f91679
Instruction Fuzzy Hash: BED18A31701212CFCB29EF55C999B29F7A4BF45710F1582ADF44AAB252DB30AD12CF91

Function 00A310F3 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 153
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A31BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00A31BF4
Part of subcall function 00A31BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00A31BFC
Part of subcall function 00A31BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00A31C07
Part of subcall function 00A31BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00A31C12
Part of subcall function 00A31BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00A31C1A
Part of subcall function 00A31BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00A31C22

Part of subcall function 00A31B4A: RegisterWindowMessageW.USER32(00000004,?,00A312C4), ref: 00A31BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00A3136A
OleInitialize.OLE32 ref: 00A31388
CloseHandle.KERNEL32(00000000,00000000), ref: 00A724AB

Strings

0m, xrefs: 00A31174
w, xrefs: 00A3116A
@, xrefs: 00A312A8

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: 0m$@$w
API String ID: 1986988660-1300000026
Opcode ID: 4affea0ee4bc8c229ebc708b6f0b99cbc1aa3ca1938f283977626c63fbb0265c
Instruction ID: dc3b8923a37744fe81719c099bf9afba8648c58f1fd0817f3da8f53f2a255217
Opcode Fuzzy Hash: 4affea0ee4bc8c229ebc708b6f0b99cbc1aa3ca1938f283977626c63fbb0265c
Instruction Fuzzy Hash: 4471A7B99113008EC38CEF7DAD45A593AE4BBB8354B548A6EE44ADB3B1EF308501CF50

Function 00A32C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00A32C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00A32CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00A31CAD,?), ref: 00A32CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00A31CAD,?), ref: 00A32CCF

Strings

AutoIt v3, xrefs: 00A32C89, 00A32C8E, 00A32C8F
edit, xrefs: 00A32CAC

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 1a1d1f48c54375e2d7b6917c805162f1d03697864fe913d7a58de80a8c549fb4
Instruction ID: 2701f6c5434746ccf53c3079021e647270e577f00c78258a963b8f3b07b787d0
Opcode Fuzzy Hash: 1a1d1f48c54375e2d7b6917c805162f1d03697864fe913d7a58de80a8c549fb4
Instruction Fuzzy Hash: C6F05E755403907AEB30071BAC08F773EBDD7D6F60F01041EF904A35A0DA710841DAB8

Function 00A33923 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 94
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00A733A2

Part of subcall function 00A36B57: _wcslen.LIBCMT ref: 00A36B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00A33A04

Strings

hq, xrefs: 00A33986, 00A733C9
Line: , xrefs: 00A733EB

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line: $hq
API String ID: 2289894680-3145638631
Opcode ID: 3c5ddc06692f259539d80dab53e1bd6895abb9c44aed2bc65a2807759bc9114a
Instruction ID: ecf448c25cf6d2ba7074a59809463dab3af3e9b50d3ab6adb47ac9b84536dc35
Opcode Fuzzy Hash: 3c5ddc06692f259539d80dab53e1bd6895abb9c44aed2bc65a2807759bc9114a
Instruction Fuzzy Hash: CC31B27240C304AECB25EB24DC45BEBB7E8AB54714F00892EF59997091EF709A49C7C6

Function 00A33B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00A33B0F,SwapMouseButtons,00000004,?), ref: 00A33B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00A33B0F,SwapMouseButtons,00000004,?), ref: 00A33B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00A33B0F,SwapMouseButtons,00000004,?), ref: 00A33B83

Strings

Control Panel\Mouse, xrefs: 00A33B3E

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: d48ee9382e323b044a470425cafcd68347427f3be7202cbdf5d77e2b370561e1
Instruction ID: ac1c93e7d8132a7b76fcf8b99423779e83be3b6127b8be7e7157f81c410dc383
Opcode Fuzzy Hash: d48ee9382e323b044a470425cafcd68347427f3be7202cbdf5d77e2b370561e1
Instruction Fuzzy Hash: 10112AB6514208FFDF20CFA5DC44EAEB7B8EF04754F104459F806D7110E2719E419760

Function 00A4FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00A50668

Part of subcall function 00A532A4: RaiseException.KERNEL32(?,?,?,00A5068A,?,00B01444,?,?,?,?,?,?,00A5068A,00A31129,00AF8738,00A31129), ref: 00A53304

__CxxThrowException@8.LIBVCRUNTIME ref: 00A50685

Strings

Unknown exception, xrefs: 00A50692

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: c003f5252862ff3ddb3690e081c82456ab2eac92d1db83c47d832903937f6668
Instruction ID: eb45d6316092aa66c1158dab63148d8d0fdbd28641c419b71df59b61445e7a28
Opcode Fuzzy Hash: c003f5252862ff3ddb3690e081c82456ab2eac92d1db83c47d832903937f6668
Instruction Fuzzy Hash: 4CF0C23490060D7BCF00BBA4D946D9E776C7E80355B604531BD14D6992EFB1DA6DC590

Function 00A686AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00A685CC,?,00AF8CC8,0000000C), ref: 00A68704
GetLastError.KERNEL32(?,00A685CC,?,00AF8CC8,0000000C), ref: 00A6870E
__dosmaperr.LIBCMT ref: 00A68739

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 18f7f9d4908a04d08058b7923704f21e4cbd78fbf96a92a663508d0f29694421
Instruction ID: bca22c5e6c5b5255f80f1c37a705d1683d3d7e2a651e24f9b427fd6fbe16676e
Opcode Fuzzy Hash: 18f7f9d4908a04d08058b7923704f21e4cbd78fbf96a92a663508d0f29694421
Instruction Fuzzy Hash: D3014936A056602AD634A334E945B7E677D4B92F74F390319F9198F2D2DEB8CC819190

Function 00A41310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00A417F6

Strings

CALL, xrefs: 00A417C6

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 32d11c3e378db1234f3d973caf37c7015f4d21443c0187c21888636200efacc4
Instruction ID: a40992f826080eb8bf5102fea8cbe818420948c3cca0b9c7850cece731e1d7b9
Opcode Fuzzy Hash: 32d11c3e378db1234f3d973caf37c7015f4d21443c0187c21888636200efacc4
Instruction Fuzzy Hash: 422279786082019FD714DF14C984B2ABBF1BFC9314F24896DF4968B3A2D771E885CB92

Function 00A34ECB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A34E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00A34EDD,?,(o,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A34E9C
Part of subcall function 00A34E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00A34EAE
Part of subcall function 00A34E90: FreeLibrary.KERNEL32(00000000,?,?,00A34EDD,?,(o,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A34EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,(o,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A34EFD

Part of subcall function 00A34E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00A73CDE,?,(o,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A34E62
Part of subcall function 00A34E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00A34E74
Part of subcall function 00A34E59: FreeLibrary.KERNEL32(00000000,?,?,00A73CDE,?,(o,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A34E87

Strings

(o, xrefs: 00A34ED1

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID: (o
API String ID: 2632591731-551919190
Opcode ID: 2f9175cee4b1418129ddeb04d4f5cdc5b10272d20580ccac3e0e60e2d35fb392
Instruction ID: da569b2ddda1cc9d93f79de61f35c88825e2c955cad6064f52cae49a6c3e668c
Opcode Fuzzy Hash: 2f9175cee4b1418129ddeb04d4f5cdc5b10272d20580ccac3e0e60e2d35fb392
Instruction Fuzzy Hash: 3A11E332600305AACF18FBB4DE02FED77A5AF48B11F24842DF546A61C1EE74AA099B50

Function 00A32DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00A72C8C

Part of subcall function 00A33AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A33A97,?,?,00A32E7F,?,?,?,00000000), ref: 00A33AC2

Part of subcall function 00A32DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00A32DC4

Strings

X, xrefs: 00A72C5A

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 9a49cd0a8f51cf95b53e0e94ba198f1659210d1cc8fb179320cb5456da2696ee
Instruction ID: f40c21f1d21deb3c659886e53f4f01500d9e20b742483a834ed4c90e987a755f
Opcode Fuzzy Hash: 9a49cd0a8f51cf95b53e0e94ba198f1659210d1cc8fb179320cb5456da2696ee
Instruction Fuzzy Hash: 0C219371A002589FCB01EF94C949BEE7BF8AF49315F008059F509A7241DBB45A898FA1

Function 00A33837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A33908

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: b89c16f786b85caa7f8f97e904cb4e70a97525fc2a8d1b8943409190d8759d3d
Instruction ID: 2a5d416d8669d8884c7a2f4732902f55e448b2ec7af1ede16f4415e942b47d5f
Opcode Fuzzy Hash: b89c16f786b85caa7f8f97e904cb4e70a97525fc2a8d1b8943409190d8759d3d
Instruction Fuzzy Hash: A7319171608701DFDB20DF64D98479BBBE8FB49719F00092EF59A87280E771AA44CB92

Function 00A68402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00A68440

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: bcff91c1ae48a645a419bf5ccfd115ac9280cedadee011958d87fddf042a2842
Instruction ID: c51a656d03c92643c5e2cb872eddb049629baed5b961b27bbc328168b587df5b
Opcode Fuzzy Hash: bcff91c1ae48a645a419bf5ccfd115ac9280cedadee011958d87fddf042a2842
Instruction Fuzzy Hash: 8811187590410AAFCB05DF58E945A9A7BF9EF48314F108199F808AB312DA31DA11CBA5

Function 00A65000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00A64C7D: RtlAllocateHeap.NTDLL(00000008,00A31129,00000000,?,00A62E29,00000001,00000364,?,?,?,00A5F2DE,00A63863,00B01444,?,00A4FDF5,?), ref: 00A64CBE

_free.LIBCMT ref: 00A6506C

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 35ce37f4ed0f92970bc809e56dcea7f155715cc2ae08a94fcd82440493cfde53
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 970126726047056FE3218F65D885A5AFBF8FB89370F26052DE19483280EA30A905C7B4

Function 00A5E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 1f338b71070755820799b8c78c0f51e87c2062026586d75bca510f148c95c2a2
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 14F02832511E109AD7357B79CE05B5A33ADBFA23B3F100B15FC21935D2CB74D90A86A5

Function 00A64C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00A31129,00000000,?,00A62E29,00000001,00000364,?,?,?,00A5F2DE,00A63863,00B01444,?,00A4FDF5,?), ref: 00A64CBE

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c807a58908d871f8393eefa04aa9b82a39f594038ede757a10404d07f7fbbafe
Instruction ID: 2cfd34ce2a7def85cc8a5c4d4e49e06baa7c1fcb40c74c02348accb30a11ccf2
Opcode Fuzzy Hash: c807a58908d871f8393eefa04aa9b82a39f594038ede757a10404d07f7fbbafe
Instruction Fuzzy Hash: FCF0E93160772467DB215F679D09F5A37B8BF897B1B154111FC19E7380CA30D80186E0

Function 00A63820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00B01444,?,00A4FDF5,?,?,00A3A976,00000010,00B01440,00A313FC,?,00A313C6,?,00A31129), ref: 00A63852

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8a92b021aa567b7a551b3e084acd36a14ae338ed43c0b33bf94ce5ea98f6c0e7
Instruction ID: e04755c5f48f80a11f0eecaeb04d458c060af5f1edaca80f3a45b95067ef613b
Opcode Fuzzy Hash: 8a92b021aa567b7a551b3e084acd36a14ae338ed43c0b33bf94ce5ea98f6c0e7
Instruction Fuzzy Hash: 77E06533102324AAEE212BB79D05BDA3679AB427B1F150121BD15975D1DB21DD0382E1

Function 00A34F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,(o,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A34F6D

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: b59b910bf148b9b60351285bf00c0d3d7a9bda91d5fc6987301fff42a12ea264
Instruction ID: 8d55925f86f7426d5dcc39e0100d6c768d1f6ce599c24e584af1d673e85e1c28
Opcode Fuzzy Hash: b59b910bf148b9b60351285bf00c0d3d7a9bda91d5fc6987301fff42a12ea264
Instruction Fuzzy Hash: 17F03971105752CFDB389F65D590822BBF4FF187297288ABEF1EA82621C731A848DF10

Function 00A330F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00A3314E

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: afa8f96e20be61c89b9c47c025e51db163ab4226fb42fa2b8a2f1aff36e48482
Instruction ID: 561f33f1036f02729667503f9d9a29351aab82fc9b898cdb58092b966e8b9156
Opcode Fuzzy Hash: afa8f96e20be61c89b9c47c025e51db163ab4226fb42fa2b8a2f1aff36e48482
Instruction Fuzzy Hash: 3BF0A770904304AFEB56DB24DC497D57BBCA701708F0000E5A54897181DB704788CF55

Function 00A32DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00A32DC4

Part of subcall function 00A36B57: _wcslen.LIBCMT ref: 00A36B6A

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: cea98dfca1685a0dab129926fb01a32d0973e5516d5d5c843a21c7da9b587ca5
Instruction ID: 8709826ccaa840a02c6d04573a41b20664a2e8ae21457b45c6d9530279e63974
Opcode Fuzzy Hash: cea98dfca1685a0dab129926fb01a32d0973e5516d5d5c843a21c7da9b587ca5
Instruction Fuzzy Hash: 6DE0CD72A001246BC710E7989C05FDA77DDDFC8790F054071FD0DD7248E960AD808650

Function 00A32B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00A33837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A33908

Part of subcall function 00A3D730: GetInputState.USER32 ref: 00A3D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00A32B6B

Part of subcall function 00A330F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00A3314E

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 4b43727202f22c3628825cbbe76569e3cf3423b0c4ff01c6841b51cfce712b6a
Instruction ID: 3d670311dd4fdd9929f87c160d18e1290cdb0aebe947fc8b6c040db7cddf4da1
Opcode Fuzzy Hash: 4b43727202f22c3628825cbbe76569e3cf3423b0c4ff01c6841b51cfce712b6a
Instruction Fuzzy Hash: 00E0CD3370824407CE0CFB74A95257DF7599BD1361F40197EF146472B3CF6485454752

Function 00A7039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00A70704,?,?,00000000,?,00A70704,00000000,0000000C), ref: 00A703B7

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9d268919ccfe51941c5d87c0070fa9309df925cccfd0dc00a9018af19c2a3037
Instruction ID: a684e3f17b62faaefc5ac8b813d82e4c689da8fa5479adf0442f53b11bc74a8b
Opcode Fuzzy Hash: 9d268919ccfe51941c5d87c0070fa9309df925cccfd0dc00a9018af19c2a3037
Instruction Fuzzy Hash: 6ED06C3204010DBBDF028F85DD06EDA3BAAFB48714F014100FE1856020C732E822AB90

Function 00A31CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00A31CBC

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 88d96584f53568c448fbaed27e6b7be55c06f01b9740567995cd84a276fcd926
Instruction ID: 4f7a8e3b77412b0a0693c92ccbfaf70c8d308f5988cedb3273d22b4d397b5f10
Opcode Fuzzy Hash: 88d96584f53568c448fbaed27e6b7be55c06f01b9740567995cd84a276fcd926
Instruction Fuzzy Hash: 85C092362C0308AFF3188BC4BC4FF107764A368B10F048401F60DAA5E3CBA22822EA58

Non-executed Functions

Function 00AC9576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00A49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A49BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00AC961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00AC965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00AC969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00AC96C9
SendMessageW.USER32 ref: 00AC96F2
GetKeyState.USER32(00000011), ref: 00AC978B
GetKeyState.USER32(00000009), ref: 00AC9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00AC97AE
GetKeyState.USER32(00000010), ref: 00AC97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00AC97E9
SendMessageW.USER32 ref: 00AC9810
SendMessageW.USER32(?,00001030,?,00AC7E95), ref: 00AC9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00AC992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00AC9941
SetCapture.USER32(?), ref: 00AC994A
ClientToScreen.USER32(?,?), ref: 00AC99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00AC99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00AC99D6
ReleaseCapture.USER32 ref: 00AC99E1
GetCursorPos.USER32(?), ref: 00AC9A19
ScreenToClient.USER32(?,?), ref: 00AC9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00AC9A80
SendMessageW.USER32 ref: 00AC9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00AC9AEB
SendMessageW.USER32 ref: 00AC9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00AC9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00AC9B4A
GetCursorPos.USER32(?), ref: 00AC9B68
ScreenToClient.USER32(?,?), ref: 00AC9B75
GetParent.USER32(?), ref: 00AC9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00AC9BFA
SendMessageW.USER32 ref: 00AC9C2B
ClientToScreen.USER32(?,?), ref: 00AC9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00AC9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00AC9CDE
SendMessageW.USER32 ref: 00AC9D01
ClientToScreen.USER32(?,?), ref: 00AC9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00AC9D82

Part of subcall function 00A49944: GetWindowLongW.USER32(?,000000EB), ref: 00A49952

GetWindowLongW.USER32(?,000000F0), ref: 00AC9E05

Strings

F, xrefs: 00AC9D07
0}, xrefs: 00AC9990
@GUI_DRAGID, xrefs: 00AC997D

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: 0}$@GUI_DRAGID$F
API String ID: 3429851547-2756061607
Opcode ID: 96f45b8799e9683748e1237c47f4207685a60a4d22192fbf1a1d92dbe1d3ecf0
Instruction ID: b71e325c5b4363cd6b983381d2ab6833dff7a99a9f6e609b9894247eabdd8fdc
Opcode Fuzzy Hash: 96f45b8799e9683748e1237c47f4207685a60a4d22192fbf1a1d92dbe1d3ecf0
Instruction Fuzzy Hash: B9427A35204201AFDB25CF68CD48FABBBE5FF48320F120A1DF699972A1D731A961CB51

Function 00AC4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00AC48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00AC4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00AC4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00AC494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00AC495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00AC497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00AC49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00AC49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00AC4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00AC4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00AC4A7E
IsMenu.USER32(?), ref: 00AC4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00AC4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00AC4B20
GetWindowLongW.USER32(?,000000F0), ref: 00AC4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00AC4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00AC4C82
wsprintfW.USER32 ref: 00AC4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00AC4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00AC4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00AC4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00AC4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00AC4D5A

Strings

%d/%02d/%02d, xrefs: 00AC4CA8

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 49b3ccfab3007586c890eb9052635040170d782c51fccbda98c1a5ae8e6d0e98
Instruction ID: c8fa5fa367e2e0a6557c9f2c9e00cb707ba018486541e47776d370b30995a30e
Opcode Fuzzy Hash: 49b3ccfab3007586c890eb9052635040170d782c51fccbda98c1a5ae8e6d0e98
Instruction Fuzzy Hash: 6F121F31600214ABEB258F68CD59FAE7BF8EF48710F11412DF51AEB2E0DB789941CB54

Function 00A4F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00A4F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A8F474
IsIconic.USER32(00000000), ref: 00A8F47D
ShowWindow.USER32(00000000,00000009), ref: 00A8F48A
SetForegroundWindow.USER32(00000000), ref: 00A8F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00A8F4AA
GetCurrentThreadId.KERNEL32 ref: 00A8F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00A8F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00A8F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00A8F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00A8F4DE
SetForegroundWindow.USER32(00000000), ref: 00A8F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A8F4F6
keybd_event.USER32(00000012,00000000), ref: 00A8F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A8F50B
keybd_event.USER32(00000012,00000000), ref: 00A8F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A8F519
keybd_event.USER32(00000012,00000000), ref: 00A8F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A8F528
keybd_event.USER32(00000012,00000000), ref: 00A8F52D
SetForegroundWindow.USER32(00000000), ref: 00A8F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00A8F557

Strings

Shell_TrayWnd, xrefs: 00A8F46F

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 9bb78a5ed89befa986c57be0628c5568763464e541ed3e7cc29184fa320006f9
Instruction ID: 66623d11068d78d66e5baab2eeae31a85be8a7a9f0ff71c909728f5093b63700
Opcode Fuzzy Hash: 9bb78a5ed89befa986c57be0628c5568763464e541ed3e7cc29184fa320006f9
Instruction Fuzzy Hash: 52315471A8021CBFEB20ABF55C4AFBF7E6CEB44B60F110066F605E61D1C6B55D01AB60

Function 00A91201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00A916C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A9170D
Part of subcall function 00A916C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A9173A
Part of subcall function 00A916C3: GetLastError.KERNEL32 ref: 00A9174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00A91286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00A912A8
CloseHandle.KERNEL32(?), ref: 00A912B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00A912D1
GetProcessWindowStation.USER32 ref: 00A912EA
SetProcessWindowStation.USER32(00000000), ref: 00A912F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00A91310

Part of subcall function 00A910BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00A911FC), ref: 00A910D4
Part of subcall function 00A910BF: CloseHandle.KERNEL32(?,?,00A911FC), ref: 00A910E9

Strings

default, xrefs: 00A9130B
winsta0, xrefs: 00A912CC
, xrefs: 00A9125A

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: e7cb875de3077768b4d5b66140c6d40efdc8a76a88e55f9a232f802c1e80d6b9
Instruction ID: 65799634f90a482a9916f90867101e3e203a5a38e025872a923cb8d3c1cac22a
Opcode Fuzzy Hash: e7cb875de3077768b4d5b66140c6d40efdc8a76a88e55f9a232f802c1e80d6b9
Instruction Fuzzy Hash: 32819FB1A0020AAFEF11DFA8DD49FEE7BF9EF48714F144129FA15A61A0D7318945CB20

Function 00A90B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A910F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00A91114
Part of subcall function 00A910F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00A90B9B,?,?,?), ref: 00A91120
Part of subcall function 00A910F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00A90B9B,?,?,?), ref: 00A9112F
Part of subcall function 00A910F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00A90B9B,?,?,?), ref: 00A91136
Part of subcall function 00A910F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00A9114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00A90BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00A90C00
GetLengthSid.ADVAPI32(?), ref: 00A90C17
GetAce.ADVAPI32(?,00000000,?), ref: 00A90C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00A90C6D
GetLengthSid.ADVAPI32(?), ref: 00A90C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00A90C8C
HeapAlloc.KERNEL32(00000000), ref: 00A90C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00A90CB4
CopySid.ADVAPI32(00000000), ref: 00A90CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00A90CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00A90D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00A90D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A90D45
HeapFree.KERNEL32(00000000), ref: 00A90D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A90D55
HeapFree.KERNEL32(00000000), ref: 00A90D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A90D65
HeapFree.KERNEL32(00000000), ref: 00A90D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00A90D78
HeapFree.KERNEL32(00000000), ref: 00A90D7F

Part of subcall function 00A91193: GetProcessHeap.KERNEL32(00000008,00A90BB1,?,00000000,?,00A90BB1,?), ref: 00A911A1
Part of subcall function 00A91193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00A90BB1,?), ref: 00A911A8
Part of subcall function 00A91193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00A90BB1,?), ref: 00A911B7

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: c784711f099f3db7ad12fc1f0d7444f384937f9814125467d34b3340739e91c7
Instruction ID: 40c6772bd2ee2f3c242bd098a2c3df923d9de2f7fc13c8ca7b42decf1101063a
Opcode Fuzzy Hash: c784711f099f3db7ad12fc1f0d7444f384937f9814125467d34b3340739e91c7
Instruction Fuzzy Hash: BB717B72A0021AEFDF10DFE5DC44FAEBBBCBF04354F054615E918A6291DB71A906CBA0

Function 00AAEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00ACCC08), ref: 00AAEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00AAEB37
GetClipboardData.USER32(0000000D), ref: 00AAEB43
CloseClipboard.USER32 ref: 00AAEB4F
GlobalLock.KERNEL32(00000000), ref: 00AAEB87
CloseClipboard.USER32 ref: 00AAEB91
GlobalUnlock.KERNEL32(00000000), ref: 00AAEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00AAEBC9
GetClipboardData.USER32(00000001), ref: 00AAEBD1
GlobalLock.KERNEL32(00000000), ref: 00AAEBE2
GlobalUnlock.KERNEL32(00000000), ref: 00AAEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00AAEC38
GetClipboardData.USER32(0000000F), ref: 00AAEC44
GlobalLock.KERNEL32(00000000), ref: 00AAEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00AAEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00AAEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00AAECD2
GlobalUnlock.KERNEL32(00000000), ref: 00AAECF3
CountClipboardFormats.USER32 ref: 00AAED14
CloseClipboard.USER32 ref: 00AAED59

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: cec39d941a858a19149c1b0655344d241b040ed88e44194cb1621f6c95447064
Instruction ID: 0eb7155e1fe4e89ee605e315b86dc08cbf3789fed24a7283767de8438fce2168
Opcode Fuzzy Hash: cec39d941a858a19149c1b0655344d241b040ed88e44194cb1621f6c95447064
Instruction Fuzzy Hash: 8361DF35204301AFD300EF64D988F6AB7E8AF85724F15851DF45A9B2E2CB71DD46CBA2

Function 00AA698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00AA69BE
FindClose.KERNEL32(00000000), ref: 00AA6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00AA6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00AA6A75

Part of subcall function 00A39CB3: _wcslen.LIBCMT ref: 00A39CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00AA6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00AA6ADF

Strings

%4d%02d%02d%02d%02d%02d%03d, xrefs: 00AA6B32
%02d, xrefs: 00AA6C00, 00AA6C0A, 00AA6C5A, 00AA6CAA, 00AA6CFA, 00AA6D4A
%4d%02d%02d%02d%02d%02d, xrefs: 00AA6B6A
%4d, xrefs: 00AA6BB1
%03d, xrefs: 00AA6DA2

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 249822d4e7079f1eb27c39dd3f1c734999143cf527ca758874d4a4de3fddf004
Instruction ID: 4c40d36e5144d0bfe89136b8706aaff09b46a5a8fe6b0164970d2cf9e4da54b4
Opcode Fuzzy Hash: 249822d4e7079f1eb27c39dd3f1c734999143cf527ca758874d4a4de3fddf004
Instruction Fuzzy Hash: 1FD15EB2508300AFC714EBA4C985EAFB7ECAF89704F44491DF589D7191EB74DA44CB62

Function 00AA9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00AA9663
GetFileAttributesW.KERNEL32(?), ref: 00AA96A1
SetFileAttributesW.KERNEL32(?,?), ref: 00AA96BB
FindNextFileW.KERNEL32(00000000,?), ref: 00AA96D3
FindClose.KERNEL32(00000000), ref: 00AA96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00AA96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00AA974A
SetCurrentDirectoryW.KERNEL32(00AF6B7C), ref: 00AA9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00AA9772
FindClose.KERNEL32(00000000), ref: 00AA977F
FindClose.KERNEL32(00000000), ref: 00AA978F

Strings

*.*, xrefs: 00AA96F5

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: e05f03c20beea7f14414e7b741815a4e1ac81cf78233fdc797bfc64071703151
Instruction ID: 686ff9576babbd0d90906cbebea33133c52f1d1108361c91154e59fc5ba32e76
Opcode Fuzzy Hash: e05f03c20beea7f14414e7b741815a4e1ac81cf78233fdc797bfc64071703151
Instruction Fuzzy Hash: F331C2329406197ADB14EFF4EC08EEF77ACAF4A361F114155F909E31D0EB30D9458A20

Function 00AA979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00AA97BE
FindNextFileW.KERNEL32(00000000,?), ref: 00AA9819
FindClose.KERNEL32(00000000), ref: 00AA9824
FindFirstFileW.KERNEL32(*.*,?), ref: 00AA9840
SetCurrentDirectoryW.KERNEL32(?), ref: 00AA9890
SetCurrentDirectoryW.KERNEL32(00AF6B7C), ref: 00AA98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00AA98B8
FindClose.KERNEL32(00000000), ref: 00AA98C5
FindClose.KERNEL32(00000000), ref: 00AA98D5

Part of subcall function 00A9DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00A9DB00

Strings

*.*, xrefs: 00AA983B

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 121af262800dd4c15c7a2002b784bc5ba46a1f183c4f805f28c741b1e7d8626b
Instruction ID: 6b831208076c94c1143cf7b292e4763fc1ec4663e6ae138fc73af61ebf768cd0
Opcode Fuzzy Hash: 121af262800dd4c15c7a2002b784bc5ba46a1f183c4f805f28c741b1e7d8626b
Instruction Fuzzy Hash: 3B31B0325406197ADB10EFF4EC48EEF77ACAF0B360F114555E914A31D0DB38DA858B60

Function 00ABBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00ABC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00ABB6AE,?,?), ref: 00ABC9B5
Part of subcall function 00ABC998: _wcslen.LIBCMT ref: 00ABC9F1
Part of subcall function 00ABC998: _wcslen.LIBCMT ref: 00ABCA68
Part of subcall function 00ABC998: _wcslen.LIBCMT ref: 00ABCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00ABBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00ABBFA9
RegCloseKey.ADVAPI32(00000000), ref: 00ABBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00ABC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00ABC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00ABC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00ABC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00ABC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00ABC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00ABC382
RegCloseKey.ADVAPI32(00000000), ref: 00ABC38F

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 344177fbcfb2ed4821a9f38f7f2fa6451893247737bef5159768e78a3e14f22a
Instruction ID: 22dc23b3be17b357295394b6ed12689f927fb99b583a43f4efff5a45f10ed094
Opcode Fuzzy Hash: 344177fbcfb2ed4821a9f38f7f2fa6451893247737bef5159768e78a3e14f22a
Instruction Fuzzy Hash: 3C024C71604200AFD714DF28C991E6ABBE9AF89314F58849DF84ADF2A2D731EC46CB51

Function 00AA8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00AA8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00AA8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00AA8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00AA8310
SetCurrentDirectoryW.KERNEL32(?), ref: 00AA8324
SetCurrentDirectoryW.KERNEL32(?), ref: 00AA8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00AA838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00AA8395

Strings

*.*, xrefs: 00AA839B

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 5fe9252341888d995dd14b44876c69463a10ebbca7b602466c37a917300f91ea
Instruction ID: 90c4204ef87b0c354076bc990ce42a2758c1098fb9de923509d6a9eb75ded0c4
Opcode Fuzzy Hash: 5fe9252341888d995dd14b44876c69463a10ebbca7b602466c37a917300f91ea
Instruction Fuzzy Hash: 6E616C725043459FCB10EF64C9409AFB3E8FF89314F04891EF99997291EB35E949CBA2

Function 00A9D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A33AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A33A97,?,?,00A32E7F,?,?,?,00000000), ref: 00A33AC2

Part of subcall function 00A9E199: GetFileAttributesW.KERNEL32(?,00A9CF95), ref: 00A9E19A

FindFirstFileW.KERNEL32(?,?), ref: 00A9D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00A9D1DD
MoveFileW.KERNEL32(?,?), ref: 00A9D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00A9D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A9D237

Part of subcall function 00A9D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00A9D21C,?,?), ref: 00A9D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00A9D253
FindClose.KERNEL32(00000000), ref: 00A9D264

Strings

\*.*, xrefs: 00A9D0CD, 00A9D0D6, 00A9D0EB

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: c6816b6fd8d44415bbc009ec201662d9fda992cdb1b333f34ef813828a8e4511
Instruction ID: 7d620cf5ada958b76d5695de26f47d3ffa88a5164d630b893705bf052e6c393f
Opcode Fuzzy Hash: c6816b6fd8d44415bbc009ec201662d9fda992cdb1b333f34ef813828a8e4511
Instruction Fuzzy Hash: 3C616A31D0510DABCF05EBE0DA929EEB7B5AF55300F204169F446771A2EB31AF49CB61

Function 00AAED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00AAED91
EmptyClipboard.USER32 ref: 00AAED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00AAEDAC
CloseClipboard.USER32 ref: 00AAEEA3

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 1a3bc8ea7b3cdb7a325415aecda788a0fef0fb574c0fcf504319a695f66ea1a4
Instruction ID: f8bafdcb1c7fae3f5dc2ca6ef347792db553c817f2ed1d96cd4c9ae2ff4b2761
Opcode Fuzzy Hash: 1a3bc8ea7b3cdb7a325415aecda788a0fef0fb574c0fcf504319a695f66ea1a4
Instruction Fuzzy Hash: A941BC35204611AFE720DF59D888F19BBE5FF45329F15C09DE42A8B6A2C735EC42CB90

Function 00A9E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00A916C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A9170D
Part of subcall function 00A916C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A9173A
Part of subcall function 00A916C3: GetLastError.KERNEL32 ref: 00A9174A

ExitWindowsEx.USER32(?,00000000), ref: 00A9E932

Strings

, xrefs: 00A9E95C
, xrefs: 00A9E920
SeShutdownPrivilege, xrefs: 00A9E902
@, xrefs: 00A9E925

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: d5e25ce8d56e4df68316b2eaf847d0e94c55a602c5866a3ab72397a02e3aed84
Instruction ID: 56e0f759199a685066d72737bb3abe1547f1140bbbdfa3384959ad87d52f7755
Opcode Fuzzy Hash: d5e25ce8d56e4df68316b2eaf847d0e94c55a602c5866a3ab72397a02e3aed84
Instruction Fuzzy Hash: 8001F972B10215AFEF54E7B49D86FBFB2ECA714B60F150821FD13E21D3D9A15C418190

Function 00AB1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00AB1276
WSAGetLastError.WSOCK32 ref: 00AB1283
bind.WSOCK32(00000000,?,00000010), ref: 00AB12BA
WSAGetLastError.WSOCK32 ref: 00AB12C5
closesocket.WSOCK32(00000000), ref: 00AB12F4
listen.WSOCK32(00000000,00000005), ref: 00AB1303
WSAGetLastError.WSOCK32 ref: 00AB130D
closesocket.WSOCK32(00000000), ref: 00AB133C

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 319629f2a64befe7abb006340e2ef73a12c9b75683afeefcfced23194de908eb
Instruction ID: 8a0eecdd56165925c3dcee699a5a6dd2fd751bc1187593d53687967552f86631
Opcode Fuzzy Hash: 319629f2a64befe7abb006340e2ef73a12c9b75683afeefcfced23194de908eb
Instruction Fuzzy Hash: BB4184716001009FD710DF64C594BAABBE9BF46328F598198E8569F293C771ED82CBE1

Function 00A9D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A33AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A33A97,?,?,00A32E7F,?,?,?,00000000), ref: 00A33AC2

Part of subcall function 00A9E199: GetFileAttributesW.KERNEL32(?,00A9CF95), ref: 00A9E19A

FindFirstFileW.KERNEL32(?,?), ref: 00A9D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00A9D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A9D481
FindClose.KERNEL32(00000000), ref: 00A9D498
FindClose.KERNEL32(00000000), ref: 00A9D4A1

Strings

\*.*, xrefs: 00A9D3F2

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 155342cc440e259bdb8a9c60b8d40bd488ed66e008f6086ea7c8741e7b6d4bcf
Instruction ID: faa09e90ae9e6a0b52f90948321e9f171675eea9b6823f942abecbf061142ca5
Opcode Fuzzy Hash: 155342cc440e259bdb8a9c60b8d40bd488ed66e008f6086ea7c8741e7b6d4bcf
Instruction Fuzzy Hash: 87316C7100C345ABC704EFA4DA919AFB7E8BEE1314F444A1DF4D5931A1EB30AA49CB63

Function 00A6E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00A6E645

Strings

1#INF, xrefs: 00A6F852
1#QNAN, xrefs: 00A6F84B
1#SNAN, xrefs: 00A6F844
1#IND, xrefs: 00A6F83D

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 554d004ff2d087de38442b006dd579c06765811b41e98ddfa260d1b71c6097a8
Instruction ID: 194b9f25ca0c04dd5dbc5855fd2668b7cdfd74ffdf5127293103f951e21980b6
Opcode Fuzzy Hash: 554d004ff2d087de38442b006dd579c06765811b41e98ddfa260d1b71c6097a8
Instruction Fuzzy Hash: 5FC24876E086288FDB25CF28DD407EAB7B5EB48305F1541EAD84EE7240E775AE858F40

Function 00AA648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00AA64DC
CoInitialize.OLE32(00000000), ref: 00AA6639
CoCreateInstance.OLE32(00ACFCF8,00000000,00000001,00ACFB68,?), ref: 00AA6650
CoUninitialize.OLE32 ref: 00AA68D4

Strings

.lnk, xrefs: 00AA64BA, 00AA6524, 00AA65E0

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 5f3f83910e4bef316b101afab37c7b6bdca93fbfb88726d22691793d48a18485
Instruction ID: 202fdedd414755520795814b866210de8155d5ddcd1c4bbcbcc032f513a6db4c
Opcode Fuzzy Hash: 5f3f83910e4bef316b101afab37c7b6bdca93fbfb88726d22691793d48a18485
Instruction Fuzzy Hash: 2BD13671508301AFC314EF24C981E6BB7E9FF99704F14496DF5958B2A1EB70E909CB92

Function 00AB22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00AB22E8

Part of subcall function 00AAE4EC: GetWindowRect.USER32(?,?), ref: 00AAE504

GetDesktopWindow.USER32 ref: 00AB2312
GetWindowRect.USER32(00000000), ref: 00AB2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00AB2355
GetCursorPos.USER32(?), ref: 00AB2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00AB23DF

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 177f8cb265841e51c24f2d2236c68d2753d8c8e2dbc87dae05a6393c7c91e3f5
Instruction ID: 8e3b3f8dd12f77e89cc0a237ac5e144813e07c413e49030f39c8e9ad95cdd87a
Opcode Fuzzy Hash: 177f8cb265841e51c24f2d2236c68d2753d8c8e2dbc87dae05a6393c7c91e3f5
Instruction Fuzzy Hash: 7A31C1725043159BCB20DF54C849F9BB7EDFF84710F00091AF5899B192DB35E909CB92

Function 00AA9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00A39CB3: _wcslen.LIBCMT ref: 00A39CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00AA9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00AA9C8B

Part of subcall function 00AA3874: GetInputState.USER32 ref: 00AA38CB
Part of subcall function 00AA3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AA3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00AA9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00AA9C75

Strings

*.*, xrefs: 00AA9B5D

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 48edeb6992b70b0005a372e4ea01b04fce6d99fcf3bb60486507d7f78aee81a6
Instruction ID: d217a2ba196685515d64412f71d3950bd4f0c40d858d25616a48ada79adba788
Opcode Fuzzy Hash: 48edeb6992b70b0005a372e4ea01b04fce6d99fcf3bb60486507d7f78aee81a6
Instruction Fuzzy Hash: A6415C7194460AAFCF14DFA4C989AEEBBB8EF06320F248155F805A7191EB309E45CF61

Function 00A4997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00A49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A49BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00A49A4E
GetSysColor.USER32(0000000F), ref: 00A49B23
SetBkColor.GDI32(?,00000000), ref: 00A49B36

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 6cbafa47f5c2ad6c019249330b07a1eac15179523a084952fc970c62a3ffe1b7
Instruction ID: 9b72655d1ad0d5e7a3205a2a7d08ab8d979add253cd9e121048774ce32ea07ab
Opcode Fuzzy Hash: 6cbafa47f5c2ad6c019249330b07a1eac15179523a084952fc970c62a3ffe1b7
Instruction Fuzzy Hash: 36A10B74108554BEE729FB3C8D48E7F2AADEBC2390B254229F502D6691CA25DD23D371

Function 00AB1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00AB304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00AB307A
Part of subcall function 00AB304E: _wcslen.LIBCMT ref: 00AB309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00AB185D
WSAGetLastError.WSOCK32 ref: 00AB1884
bind.WSOCK32(00000000,?,00000010), ref: 00AB18DB
WSAGetLastError.WSOCK32 ref: 00AB18E6
closesocket.WSOCK32(00000000), ref: 00AB1915

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 936f805f6f36d6343522b70ba66ea6f82f45e514b7f188e9a457735b0d400e56
Instruction ID: 5d6dea45bae79f067282ad42cba163de759402a6f5aed7e5a1a384a2c2c4cb07
Opcode Fuzzy Hash: 936f805f6f36d6343522b70ba66ea6f82f45e514b7f188e9a457735b0d400e56
Instruction Fuzzy Hash: 1651D675A00200AFDB10EF64C996F6A77E5AB44718F44845CFA0AAF3D3D771AD41CBA1

Function 00AC1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00AC1CC0
IsWindowEnabled.USER32 ref: 00AC1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00AC1CDB
IsIconic.USER32 ref: 00AC1CE9
IsZoomed.USER32 ref: 00AC1CF7

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 34596aab77b59ebeb7579217e3c531260f840e1240b5cf48b117e9986a8f9594
Instruction ID: 3bbfb717a0c8e6ec8582d5efaa63b705c617cfae937c42cb3dd2a3afb77a96ca
Opcode Fuzzy Hash: 34596aab77b59ebeb7579217e3c531260f840e1240b5cf48b117e9986a8f9594
Instruction Fuzzy Hash: B621A3317442105FD7208F1AC884F6A7BE5EF96325F1A805CF84A8B352DB71DC42CB90

Function 00A38060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00A383E8
VUUU, xrefs: 00A3843C
VUUU, xrefs: 00A383FA
ERCP, xrefs: 00A3813C
VUUU, xrefs: 00A75DF0

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: cdee8f5df5715b25e21315f171140131a56d44b07adfbe5fac22c9aa81a40aae
Instruction ID: 08c6a7f0195c2e3f2338ded926001802a0889a38cb091288beccd8fcdafcc2e7
Opcode Fuzzy Hash: cdee8f5df5715b25e21315f171140131a56d44b07adfbe5fac22c9aa81a40aae
Instruction Fuzzy Hash: B8A24F71E0061ACBDF24CF58C9417AEB7B1BF54314F24C5AAF819AB285EB749D81CB90

Function 00A9AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00A9AAAC
SetKeyboardState.USER32(00000080), ref: 00A9AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00A9AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00A9AB88

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 7e14160868300a04171128ec53b06a11061b63c657e9fcf3624a15c0bd250f6b
Instruction ID: c4b4caa7b97f08750c2f8630e69faabec0ba4302c65d76ac35a6b082be376e39
Opcode Fuzzy Hash: 7e14160868300a04171128ec53b06a11061b63c657e9fcf3624a15c0bd250f6b
Instruction Fuzzy Hash: 11310330B40218AFEF35CB698C05BFA7BE6EB64320F04421BE585961D0D7749D81C7E2

Function 00A6BB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00A6BB7F

Part of subcall function 00A629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00A6D7D1,00000000,00000000,00000000,00000000,?,00A6D7F8,00000000,00000007,00000000,?,00A6DBF5,00000000), ref: 00A629DE
Part of subcall function 00A629C8: GetLastError.KERNEL32(00000000,?,00A6D7D1,00000000,00000000,00000000,00000000,?,00A6D7F8,00000000,00000007,00000000,?,00A6DBF5,00000000,00000000), ref: 00A629F0

GetTimeZoneInformation.KERNEL32 ref: 00A6BB91
WideCharToMultiByte.KERNEL32(00000000,?,00B0121C,000000FF,?,0000003F,?,?), ref: 00A6BC09
WideCharToMultiByte.KERNEL32(00000000,?,00B01270,000000FF,?,0000003F,?,?,?,00B0121C,000000FF,?,0000003F,?,?), ref: 00A6BC36

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: 9b3e7a9d163a9f4fc500ec22f28334ccb67aa15f5e4489cf06c300c0c90514c9
Instruction ID: 365a9084d4ca9dce744552766126f805c3e9e9ed5c2b4ddd3fb39dbc409f4db2
Opcode Fuzzy Hash: 9b3e7a9d163a9f4fc500ec22f28334ccb67aa15f5e4489cf06c300c0c90514c9
Instruction Fuzzy Hash: 3E31E171914205DFCB15DF69CC8096DBBB8FF5575071446AAE050EB2B1DB309E81CB60

Function 00AACE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00AACE89
GetLastError.KERNEL32(?,00000000), ref: 00AACEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00AACEFE

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 927c6fa88b1a2875acd5d2c4fb75fe9dbeef3e9a6715f2ec6e2945be09434190
Instruction ID: adfddcb03e2067ba466b16e561e27ba52917168bb1eaa862dd05552830fadc7e
Opcode Fuzzy Hash: 927c6fa88b1a2875acd5d2c4fb75fe9dbeef3e9a6715f2ec6e2945be09434190
Instruction Fuzzy Hash: CE219D71500305AFEB30DFA5C948BAAB7F8EB41364F10442EE64693191E770EE09CB90

Function 00A98298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00A982AA

Strings

|, xrefs: 00A982DA
(, xrefs: 00A982F0

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: c33438af2b67abcf8c49cec06d5b1df21f8582e6fa1b7d2e4bc30f3391497a3b
Instruction ID: dcefdf9e225108fd468a48c6017483058a5a863b3eb4cdf72a3767465ca432ff
Opcode Fuzzy Hash: c33438af2b67abcf8c49cec06d5b1df21f8582e6fa1b7d2e4bc30f3391497a3b
Instruction Fuzzy Hash: 88323575A006059FCB28CF59C481AAAB7F0FF48710B15C56EE59ADB3A1EB74E941CB40

Function 00AA5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00AA5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00AA5D17
FindClose.KERNEL32(?), ref: 00AA5D5F

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 71b8e8cb98d419ab729816a57c0c6e1536c67a5ed087f420b38bdaec823652f4
Instruction ID: 71a81fd7d32765d1aa1c4a084ebc5ed8e5518a3efadbd4093fc441f1636453a8
Opcode Fuzzy Hash: 71b8e8cb98d419ab729816a57c0c6e1536c67a5ed087f420b38bdaec823652f4
Instruction Fuzzy Hash: F0517875A04A019FC714DF28C494E9AB7E4FF4A324F14855EE99A8B3A1DB30ED05CF91

Function 00A62622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00A6271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00A62724
UnhandledExceptionFilter.KERNEL32(?), ref: 00A62731

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: e81ab4cea4b7f65b521fed6b66dcaad5ba34c1d5bea30740b0af7423a32b2b60
Instruction ID: 2e43d4434f2d8c5202955bb6afc4965c4a805e8e047ec75fd5dc224694f3065b
Opcode Fuzzy Hash: e81ab4cea4b7f65b521fed6b66dcaad5ba34c1d5bea30740b0af7423a32b2b60
Instruction Fuzzy Hash: 9231B47491121CABCB21DF64DD89BD9B7B8BF08310F5041EAE81CA7261E7309F858F45

Function 00AA51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00AA51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00AA5238
SetErrorMode.KERNEL32(00000000), ref: 00AA52A1

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 30382d53ce766d8650566fec836d87487fcf7b5432436404042cfce1287b466b
Instruction ID: 057f7d47fe290de0148184765e1f56013695ca1e975573fcbff6ba812da4d7e0
Opcode Fuzzy Hash: 30382d53ce766d8650566fec836d87487fcf7b5432436404042cfce1287b466b
Instruction Fuzzy Hash: 1F312F75A00518DFDB00DF95D884FADBBB4FF49314F098099E805AB392DB31E856CB91

Function 00A916C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00A4FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00A50668
Part of subcall function 00A4FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00A50685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A9170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A9173A
GetLastError.KERNEL32 ref: 00A9174A

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 726c78f718c04ff620913bd18c2789cb37c20f0bc3f9d62c518497c9bcbbb4a0
Instruction ID: 1d8086bd7c08e8f6429902a94d185759628422eb9143a79c0a3368aba2e475b2
Opcode Fuzzy Hash: 726c78f718c04ff620913bd18c2789cb37c20f0bc3f9d62c518497c9bcbbb4a0
Instruction Fuzzy Hash: 7F1191B2904305AFE718DF94EC86D6AB7F9EF44724B24852EE05657641EB70BC428A60

Function 00A9D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00A9D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00A9D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00A9D650

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 725ee4b91ecd1e5ed94791eb8b750e2fd2e9441c45ee15a020708ba29d52e92e
Instruction ID: 98e8bde1f4d6ad7f3e45dcc2cec3d520dd5481f0ebf60780f55a178158081a00
Opcode Fuzzy Hash: 725ee4b91ecd1e5ed94791eb8b750e2fd2e9441c45ee15a020708ba29d52e92e
Instruction Fuzzy Hash: 30115E75E05228BFDB10CF95EC45FAFBBBCEB45B60F108115F908E7290D6704A058BA1

Function 00A91663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00A9168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00A916A1
FreeSid.ADVAPI32(?), ref: 00A916B1

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 1434128abb2ea4f3271bdcfb2f51819dc2673cd3974a8fa53c36aa77cacc41dd
Instruction ID: c0675aad3812389ab4d9825839a6b47a34878da28058ccbebf49a015be4a5cca
Opcode Fuzzy Hash: 1434128abb2ea4f3271bdcfb2f51819dc2673cd3974a8fa53c36aa77cacc41dd
Instruction Fuzzy Hash: 86F0F475950309FBDF00DFE49C89EAEBBBCFB08614F504565E901E2181E774AA458A54

Function 00A8D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00A8D28C

Strings

X64, xrefs: 00A8D2A8

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: dac364476b31265fa1d78cdedda41a604673af5b905795a232a00391704c4c8d
Instruction ID: 0b3e4944792afa8e83b9f21020972181c4fc9359fe69f2e69641784d7bd0987d
Opcode Fuzzy Hash: dac364476b31265fa1d78cdedda41a604673af5b905795a232a00391704c4c8d
Instruction Fuzzy Hash: 2ED0CAB880112DEACB90DBA0EC88DDAB3BCBB04316F100292F10AA2040EB3096498F20

Function 00A5CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: d8514f4940e39aae2bd67fa551105417ec72a065db3f67d63d9303cd380cecaa
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 09021B72E002199FDF14CFA9C9806ADBBF1FF48325F25816AD819E7385D731AA45CB80

Function 00A3CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

0}, xrefs: 00A3CF7F
Variable is not of type 'Object'., xrefs: 00A80C40

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID:
String ID: 0}$Variable is not of type 'Object'.
API String ID: 0-3777547061
Opcode ID: ba93c00e46d76b530efb8b924d2fe4bea4bb77c0b36d299bbdb76faaa78edf6f
Instruction ID: cc70070ae323b282e0d0f5cc3ca497e9685627bdf2caf621a691711e374759b1
Opcode Fuzzy Hash: ba93c00e46d76b530efb8b924d2fe4bea4bb77c0b36d299bbdb76faaa78edf6f
Instruction Fuzzy Hash: F6327774900218DBCF14EF94C985EEEB7B5BF05354F248069F806BB292DB75AE49CB60

Function 00AA68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00AA6918
FindClose.KERNEL32(00000000), ref: 00AA6961

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 907b1c7e24a720f57d25189ed6b6bf6776b1e5d555c588b0a9b4569e77c8159f
Instruction ID: 6f2f901a7e07b1ced3160dd9a6416c0c044be420c2d3779b4436058b905bad5a
Opcode Fuzzy Hash: 907b1c7e24a720f57d25189ed6b6bf6776b1e5d555c588b0a9b4569e77c8159f
Instruction Fuzzy Hash: FB1190756042009FC710DF69D888A16BBE5FF89328F19C699F4698F6A2CB30EC05CF91

Function 00AA37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00AB4891,?,?,00000035,?), ref: 00AA37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00AB4891,?,?,00000035,?), ref: 00AA37F4

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 550f4ec1b39eba1cea3ea2d393b28fc8523ea2b78f97bf931c0d477cc1b710ab
Instruction ID: 94334d12b35970f3cb105309e4c6c59bd4ee11f3bc0db4d97e619b660df2123b
Opcode Fuzzy Hash: 550f4ec1b39eba1cea3ea2d393b28fc8523ea2b78f97bf931c0d477cc1b710ab
Instruction Fuzzy Hash: 37F0EC716043142ADB1097A65D4DFDB76ADDFC5771F000175F509D32C1D6605905C6B0

Function 00A9B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00A9B25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00A9B270

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: b39692a988a7b9951131652cc8063f77881bf5eee71a543ebddda9f7f4197018
Instruction ID: f019fd3b0b52c763a55cce0ecf89a1f9f33eda4834c939da1b239eee365c69e0
Opcode Fuzzy Hash: b39692a988a7b9951131652cc8063f77881bf5eee71a543ebddda9f7f4197018
Instruction Fuzzy Hash: 5DF01D7191424DABDF05DFA0D805BEE7BB4FF04315F00801AF955A5191C37996129FA4

Function 00A910BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00A911FC), ref: 00A910D4
CloseHandle.KERNEL32(?,?,00A911FC), ref: 00A910E9

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 5d303ccdd4d38e01d8074356d400ab33caf420ff0565050def17353c03d0e87d
Instruction ID: bd6feee270eab70e8e19e83213900f527bd779849294981424047657d2fbe76f
Opcode Fuzzy Hash: 5d303ccdd4d38e01d8074356d400ab33caf420ff0565050def17353c03d0e87d
Instruction Fuzzy Hash: 57E04F36004600EEEB252B51FD05E7377E9EB04320B14882DF4A6804B1DB626C91DB10

Function 00A6676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00A66766,?,?,00000008,?,?,00A6FEFE,00000000), ref: 00A66998

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 7c282ddc38825bcb0eeceb27b639fd3addcf022dabbf88874d25da39e9d4acc7
Instruction ID: a5d4a6b601ecd10e3b15dfdb96b740f659cf3f60169622ba314d2e035d4eb920
Opcode Fuzzy Hash: 7c282ddc38825bcb0eeceb27b639fd3addcf022dabbf88874d25da39e9d4acc7
Instruction Fuzzy Hash: 19B12A72610609DFD719CF28C48AB657BF0FF45364F298658E8A9CF2A2C735E991CB40

Function 00A4B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00A8851F

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 75e6e1da6f53ed0a300143753495fffa2307dce7372b615e13bb23e6bc7cff9e
Instruction ID: e1109956878c14fb7ae8e27806c5b9ea27633abb2e906e984a5ace215d0c94fa
Opcode Fuzzy Hash: 75e6e1da6f53ed0a300143753495fffa2307dce7372b615e13bb23e6bc7cff9e
Instruction Fuzzy Hash: AD126F75910229DFCB24DF58C8806EEB7B5FF48710F54819AE849EB255EB349E81CFA0

Function 00AAEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00AAEABD

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 0468e5d4b996c7980ab905b8cdb39ada0a5c67a027658d4c7db126d0de2dac6a
Instruction ID: 15504e78a9ee8b245ab423c4f12e9fb3b026ed211852b31d4f91052060337ffe
Opcode Fuzzy Hash: 0468e5d4b996c7980ab905b8cdb39ada0a5c67a027658d4c7db126d0de2dac6a
Instruction Fuzzy Hash: 6DE04F362102049FC710EF59D904E9AF7E9AF997B0F00841AFD4ADB391DB70EC418BA0

Function 00A509D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00A503EE), ref: 00A509DA

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 8430117ea047e51f111c3088f7f5317ccdffc52ecf8471f898601b6c55fa0dce
Instruction ID: 718fd98d59832d37f1438500e7b86c8a392d48f8ac15475ccdd35612a7534c88
Opcode Fuzzy Hash: 8430117ea047e51f111c3088f7f5317ccdffc52ecf8471f898601b6c55fa0dce
Instruction Fuzzy Hash:

Function 00A5781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00A5798B

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: a6cc86ce13f633caa049d0576a126caf17e6dedc903956502eb63bb17d5289f4
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 39516A7160C7059BDB388768A95DBBE63D9BB12343F180509DC86F7282C635DE8DD362

Function 00A66DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8da065ac3e331aeaee16112037136c360d0ff76393546089a28ab25eb3ac87de
Instruction ID: 8669f5a0e03e810e09624e1db3ca438fb0f2abed45914c93d41d8bf23af78f2f
Opcode Fuzzy Hash: 8da065ac3e331aeaee16112037136c360d0ff76393546089a28ab25eb3ac87de
Instruction Fuzzy Hash: 47320321D3AF414DD7239635C822339A759AFB73C9F15D737E82AB59A5EF29C4834200

Function 00A4CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f73389ed75648908981a76ac9b72608d72e39b38e157d907418f54a4aed4da35
Instruction ID: a5545b4774aaba176c9dff9f7f9347602dc983632a8e89917f996c5fd23c4353
Opcode Fuzzy Hash: f73389ed75648908981a76ac9b72608d72e39b38e157d907418f54a4aed4da35
Instruction Fuzzy Hash: 23323636A00105CBDF28EF69C4D467DBBB1EB85330F28856AD59ACB291E230DD81DF60

Function 00A37920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7113e8f9d6473e12c452dca29cf1a5fc84274bba4a96dec547516dcbfe06419
Instruction ID: d7072155f917e82e27f467fd90de0c7fdf13930d1dc6fd152a3d5417bba7b90f
Opcode Fuzzy Hash: c7113e8f9d6473e12c452dca29cf1a5fc84274bba4a96dec547516dcbfe06419
Instruction Fuzzy Hash: F922B3B0E04609DFDF14CFA4C981AAEB7F5FF44300F248629E816AB291EB75AD55CB50

Function 00A391C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9cb7673df652cf2726656b8f5eeaa363a3dae8e5b8d7941777c9fce5ab103ed
Instruction ID: d0746b3aecae70e085e106611ed0d42d7fe3866ac8956acf171ae84e7fb5e0a0
Opcode Fuzzy Hash: d9cb7673df652cf2726656b8f5eeaa363a3dae8e5b8d7941777c9fce5ab103ed
Instruction Fuzzy Hash: C102B5B1E00205EFDF05DF54D981AAEB7B5FF48340F10C169F81A9B291EB71AA15CB91

Function 00A69EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e67758d2e34a99e3cdab50247f5f878f503cebe964eeef91cbaba766f1ca4925
Instruction ID: 47fb70e11c4339c368184e3ebbc76a93e650bed81467b2a5517d41eac62b7f72
Opcode Fuzzy Hash: e67758d2e34a99e3cdab50247f5f878f503cebe964eeef91cbaba766f1ca4925
Instruction Fuzzy Hash: 46B1F021D2AF414DC62396798931336B75CAFBB6D5F92D31BFC2778D22EB2286834141

Function 00A51C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: f2da8e85e314d29de01a6038186ed8ea3cd67704c126b3345dd90d0830d8a828
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: EA9154731080A34ADB29473A857567EFEF16A523A371A079EDCF2CA1C1FE34895CD620

Function 00A51F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: bf356828bc785668ff6e784a77f9b34d8fd313fafd14a6131416bd6de7566d27
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: A99133722094A349DB694339857463EFEE17A933A371A079EDCF2CA1C5EE34895CD720

Function 00A519B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: c3f8e7f21e8c6eacc91fadd2a42b49be58f4349d27af359f522e81db96b5fa3f
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: C69143722090A34ADB2E437A857427DFFF16A923A371A079DD8F2CA1C1FE34855CD620

Function 00A57A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eb733d3f5ea7a384693540f228847efd4ee20cdbf4002b19a51abe3f8ea325b
Instruction ID: b2e79097e10f8366f04cf92697c04f771c30d205d6b6881efcb978d6bedd476c
Opcode Fuzzy Hash: 4eb733d3f5ea7a384693540f228847efd4ee20cdbf4002b19a51abe3f8ea325b
Instruction Fuzzy Hash: CE617771608709A7EA349B28B995BBE23A4FF41743F140919ED43FB281DA359E4EC315

Function 00A57CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe1dbc02a61d57ea636fbec343a14cca2d96463d64851f51c8e9207395e20e95
Instruction ID: 5047cd2628dc1f46873bfcb1f67b792fc52fbe1a7e623b77ca8c068629ff98cb
Opcode Fuzzy Hash: fe1dbc02a61d57ea636fbec343a14cca2d96463d64851f51c8e9207395e20e95
Instruction Fuzzy Hash: A0616C7220870956DE384B287956BBF23B4BF41703F100959ED43FB281EA369D4ECA55

Function 00A51706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 9cce9ebe233b0ec3472373fda7769561f10dfc8d433141a2e550fcdf02ec8258
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 718176726080A34ADB2D473D857467EFFE17A923A371A079DD8F2CA1C1EE34995CD620

Function 00A4D064 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 811eb9dc288c2a78bdc6c52ec64344d3b3bd9064c1c515d2bac478a32243d890
Instruction ID: 3b4a600b593bf2056b0a53ab4ca8184405630c55767dd07e8ddb2ce9b4e7bb7c
Opcode Fuzzy Hash: 811eb9dc288c2a78bdc6c52ec64344d3b3bd9064c1c515d2bac478a32243d890
Instruction Fuzzy Hash: 73418FA244FBC55FEB0B87204C2A694BF70BEA366831846CFC8C05B5EFD7511186C78A

Function 00AA2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 708ad3dc78c96923eb9e659817394851948578a0a3413da8c5223faf1c8270aa
Instruction ID: 9ff82aa1eccb88900ec4e34fee076346bf897a45106d065a45585a80e7eada3e
Opcode Fuzzy Hash: 708ad3dc78c96923eb9e659817394851948578a0a3413da8c5223faf1c8270aa
Instruction Fuzzy Hash: 6E21A5326206118BD728CF79C92267A73E5AB64310F15862EE4A7C37D1DE7AAD04CB80

Function 00AB2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00AB2B30
DeleteObject.GDI32(00000000), ref: 00AB2B43
DestroyWindow.USER32 ref: 00AB2B52
GetDesktopWindow.USER32 ref: 00AB2B6D
GetWindowRect.USER32(00000000), ref: 00AB2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00AB2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00AB2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AB2CF8
GetClientRect.USER32(00000000,?), ref: 00AB2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00AB2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AB2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AB2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AB2D80
GlobalLock.KERNEL32(00000000), ref: 00AB2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AB2D98
GlobalUnlock.KERNEL32(00000000), ref: 00AB2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AB2DA8
GlobalFree.KERNEL32(00000000), ref: 00AB2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AB2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00ACFC38,00000000), ref: 00AB2DDB
GlobalFree.KERNEL32(00000000), ref: 00AB2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00AB2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00AB2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AB2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00AB303F

Strings

AutoIt v3, xrefs: 00AB2CF2
static, xrefs: 00AB2D3A, 00AB2E91
DISPLAY, xrefs: 00AB2EA2
, xrefs: 00AB2FC5

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: c1b1fc753f19df7b3479080e63d1d25904e8daf996eb1f1b389a6d401b98add1
Instruction ID: f315398225e6e6985cbb1881f74fcbf7d323084b8f4090a44ceeb1150ae04054
Opcode Fuzzy Hash: c1b1fc753f19df7b3479080e63d1d25904e8daf996eb1f1b389a6d401b98add1
Instruction Fuzzy Hash: 10026D71900205EFDB14DFA4CD89EAE7BB9FF49320F048559F919AB2A1DB74AD01CB60

Function 00AC70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00AC712F
GetSysColorBrush.USER32(0000000F), ref: 00AC7160
GetSysColor.USER32(0000000F), ref: 00AC716C
SetBkColor.GDI32(?,000000FF), ref: 00AC7186
SelectObject.GDI32(?,?), ref: 00AC7195
InflateRect.USER32(?,000000FF,000000FF), ref: 00AC71C0
GetSysColor.USER32(00000010), ref: 00AC71C8
CreateSolidBrush.GDI32(00000000), ref: 00AC71CF
FrameRect.USER32(?,?,00000000), ref: 00AC71DE
DeleteObject.GDI32(00000000), ref: 00AC71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00AC7230
FillRect.USER32(?,?,?), ref: 00AC7262
GetWindowLongW.USER32(?,000000F0), ref: 00AC7284

Part of subcall function 00AC73E8: GetSysColor.USER32(00000012), ref: 00AC7421
Part of subcall function 00AC73E8: SetTextColor.GDI32(?,?), ref: 00AC7425
Part of subcall function 00AC73E8: GetSysColorBrush.USER32(0000000F), ref: 00AC743B
Part of subcall function 00AC73E8: GetSysColor.USER32(0000000F), ref: 00AC7446
Part of subcall function 00AC73E8: GetSysColor.USER32(00000011), ref: 00AC7463
Part of subcall function 00AC73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00AC7471
Part of subcall function 00AC73E8: SelectObject.GDI32(?,00000000), ref: 00AC7482
Part of subcall function 00AC73E8: SetBkColor.GDI32(?,00000000), ref: 00AC748B
Part of subcall function 00AC73E8: SelectObject.GDI32(?,?), ref: 00AC7498
Part of subcall function 00AC73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00AC74B7
Part of subcall function 00AC73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00AC74CE
Part of subcall function 00AC73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00AC74DB

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 39522e7e4b2948f5f44a9f48026fd4ca17f71d374c2b5bf2511d09bda3e0ee43
Instruction ID: 4bc5c6aaaf9fb4157d2e080a06772ee0c1a414c8b595df1a4f6ee933f65687a8
Opcode Fuzzy Hash: 39522e7e4b2948f5f44a9f48026fd4ca17f71d374c2b5bf2511d09bda3e0ee43
Instruction Fuzzy Hash: 65A18B72008305AFDB00DFA4DC48E6EBBA9FB88330F150B19F966961A1D730E9468F51

Function 00A48D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00A48E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00A86AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00A86AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00A86F43

Part of subcall function 00A48F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00A48BE8,?,00000000,?,?,?,?,00A48BBA,00000000,?), ref: 00A48FC5

SendMessageW.USER32(?,00001053), ref: 00A86F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00A86F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00A86FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00A86FB7

Strings

0, xrefs: 00A86DCF

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: b5058f8942a855a179460f29a1c0642b7706f08fea550b1c95377caff2d7b9a8
Instruction ID: 90c9f50b8211db677557eec8ebff6c03e83ef4e19710ae47008a2b2f7edd6e05
Opcode Fuzzy Hash: b5058f8942a855a179460f29a1c0642b7706f08fea550b1c95377caff2d7b9a8
Instruction Fuzzy Hash: B712BE34600201DFEB25EF18D949BAABBF1FB84310F148469F5898B261CB35EC52DF91

Function 00AB2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00AB273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00AB286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00AB28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00AB28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00AB2900
GetClientRect.USER32(00000000,?), ref: 00AB290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00AB2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00AB2964
GetStockObject.GDI32(00000011), ref: 00AB2974
SelectObject.GDI32(00000000,00000000), ref: 00AB2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00AB2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00AB2991
DeleteDC.GDI32(00000000), ref: 00AB299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00AB29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00AB29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00AB2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00AB2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00AB2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00AB2A77
GetStockObject.GDI32(00000011), ref: 00AB2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00AB2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00AB2A97

Strings

AutoIt v3, xrefs: 00AB28F8
static, xrefs: 00AB294F, 00AB2A71
DISPLAY, xrefs: 00AB295A
msctls_progress32, xrefs: 00AB2A13

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 7272917da0cbd220a1c27562da50b36f965a86a74c7c21c9e4a8b69e78e469eb
Instruction ID: db588b2f883254a45a7f6c44b4754e41e47a8c2d51ba317ca96a053f663f8942
Opcode Fuzzy Hash: 7272917da0cbd220a1c27562da50b36f965a86a74c7c21c9e4a8b69e78e469eb
Instruction Fuzzy Hash: 7FB16CB1A00219BFEB14DFA9CD49FAE7BB9EB08710F008515F915E7291DB70AD41CBA4

Function 00AA4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00AA4AED
GetDriveTypeW.KERNEL32(?,00ACCB68,?,\\.\,00ACCC08), ref: 00AA4BCA
SetErrorMode.KERNEL32(00000000,00ACCB68,?,\\.\,00ACCC08), ref: 00AA4D36

Strings

SSA, xrefs: 00AA4CA6
Fixed, xrefs: 00AA4C09
Unknown, xrefs: 00AA4BED, 00AA4C83
1394, xrefs: 00AA4C9F
ATA, xrefs: 00AA4C98
Virtual, xrefs: 00AA4CE5
SATA, xrefs: 00AA4CD0
Network, xrefs: 00AA4C02
Fibre, xrefs: 00AA4CAD
CDROM, xrefs: 00AA4BFB
SCSI, xrefs: 00AA4C8A
USB, xrefs: 00AA4CB4
ATAPI, xrefs: 00AA4C91
RAID, xrefs: 00AA4CBB
Removable, xrefs: 00AA4C10, 00AA4C15
\\.\, xrefs: 00AA4B3F
MMC, xrefs: 00AA4CDE
SAS, xrefs: 00AA4CC9
SSD, xrefs: 00AA4C4A
PhysicalDrive, xrefs: 00AA4B76
iSCSI, xrefs: 00AA4CC2
RAMDisk, xrefs: 00AA4BF4
FileBackedVirtual, xrefs: 00AA4CEC

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: a6f09446c66d08c6a6deec940a6b2a8b6368dd5c42b2065c57e902942c1785be
Instruction ID: fcb0bdc4b09a50206111565adfcd41ac473a3add6ace3efbb2c04d630f706307
Opcode Fuzzy Hash: a6f09446c66d08c6a6deec940a6b2a8b6368dd5c42b2065c57e902942c1785be
Instruction Fuzzy Hash: 3261C030705309ABCB04DFA8CA82D7D77B0BB8E354B248815F90AAB6D1DBB5ED41DB51

Function 00AC73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00AC7421
SetTextColor.GDI32(?,?), ref: 00AC7425
GetSysColorBrush.USER32(0000000F), ref: 00AC743B
GetSysColor.USER32(0000000F), ref: 00AC7446
CreateSolidBrush.GDI32(?), ref: 00AC744B
GetSysColor.USER32(00000011), ref: 00AC7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00AC7471
SelectObject.GDI32(?,00000000), ref: 00AC7482
SetBkColor.GDI32(?,00000000), ref: 00AC748B
SelectObject.GDI32(?,?), ref: 00AC7498
InflateRect.USER32(?,000000FF,000000FF), ref: 00AC74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00AC74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00AC74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00AC752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00AC7554
InflateRect.USER32(?,000000FD,000000FD), ref: 00AC7572
DrawFocusRect.USER32(?,?), ref: 00AC757D
GetSysColor.USER32(00000011), ref: 00AC758E
SetTextColor.GDI32(?,00000000), ref: 00AC7596
DrawTextW.USER32(?,00AC70F5,000000FF,?,00000000), ref: 00AC75A8
SelectObject.GDI32(?,?), ref: 00AC75BF
DeleteObject.GDI32(?), ref: 00AC75CA
SelectObject.GDI32(?,?), ref: 00AC75D0
DeleteObject.GDI32(?), ref: 00AC75D5
SetTextColor.GDI32(?,?), ref: 00AC75DB
SetBkColor.GDI32(?,?), ref: 00AC75E5

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 1f7fd7cffd6169baab3a23dfe8e2d4aae513daa9640fef449716a269aa237bad
Instruction ID: 6f9166d7ceea9fcdffa61a098f449e271e9d99fba7b76a919fe1bf94495aaa2c
Opcode Fuzzy Hash: 1f7fd7cffd6169baab3a23dfe8e2d4aae513daa9640fef449716a269aa237bad
Instruction Fuzzy Hash: 7F614976900218AFDF01DFA4DC49EAEBFB9EB08320F164215F919AB2A1D7759941CF90

Function 00AC0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00AC1128
GetDesktopWindow.USER32 ref: 00AC113D
GetWindowRect.USER32(00000000), ref: 00AC1144
GetWindowLongW.USER32(?,000000F0), ref: 00AC1199
DestroyWindow.USER32(?), ref: 00AC11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00AC11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00AC120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00AC121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00AC1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00AC1245
IsWindowVisible.USER32(00000000), ref: 00AC12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00AC12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00AC12D0
GetWindowRect.USER32(00000000,?), ref: 00AC12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00AC130E
GetMonitorInfoW.USER32(00000000,?), ref: 00AC1328
CopyRect.USER32(?,?), ref: 00AC133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00AC13AA

Strings

(, xrefs: 00AC131B
tooltips_class32, xrefs: 00AC11E6
0, xrefs: 00AC10D3

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 873af843a820bb7e494213aeec92de30e9cd03683085f899771c631525a27553
Instruction ID: c3eebaab684ed7a031d7971b957cb65d0b8bd32fc4ea09ed4e95836ef4d5fb2c
Opcode Fuzzy Hash: 873af843a820bb7e494213aeec92de30e9cd03683085f899771c631525a27553
Instruction Fuzzy Hash: DBB1AC71604340AFDB00DF64C985F6ABBE4FF85314F01891CF9999B2A2C771E845CBA2

Function 00A48891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00A48968
GetSystemMetrics.USER32(00000007), ref: 00A48970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00A4899B
GetSystemMetrics.USER32(00000008), ref: 00A489A3
GetSystemMetrics.USER32(00000004), ref: 00A489C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00A489E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00A489F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00A48A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00A48A3C
GetClientRect.USER32(00000000,000000FF), ref: 00A48A5A
GetStockObject.GDI32(00000011), ref: 00A48A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00A48A81

Part of subcall function 00A4912D: GetCursorPos.USER32(?), ref: 00A49141
Part of subcall function 00A4912D: ScreenToClient.USER32(00000000,?), ref: 00A4915E
Part of subcall function 00A4912D: GetAsyncKeyState.USER32(00000001), ref: 00A49183
Part of subcall function 00A4912D: GetAsyncKeyState.USER32(00000002), ref: 00A4919D

SetTimer.USER32(00000000,00000000,00000028,00A490FC), ref: 00A48AA8

Strings

AutoIt v3 GUI, xrefs: 00A48A20

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: cfccb155228ca1f2fd4b0fabca417cc4682390c54cd83bab32c4938ab5acef20
Instruction ID: 9483650c40214ac72e4b317597f112ea302d75c7b63276f93d228d69c9243a2c
Opcode Fuzzy Hash: cfccb155228ca1f2fd4b0fabca417cc4682390c54cd83bab32c4938ab5acef20
Instruction Fuzzy Hash: 8FB18C35A00209AFDB14DFA8DD45FAE3BB5FB48314F114229FA19A7290DB74E941CB50

Function 00A90D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A910F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00A91114
Part of subcall function 00A910F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00A90B9B,?,?,?), ref: 00A91120
Part of subcall function 00A910F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00A90B9B,?,?,?), ref: 00A9112F
Part of subcall function 00A910F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00A90B9B,?,?,?), ref: 00A91136
Part of subcall function 00A910F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00A9114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00A90DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00A90E29
GetLengthSid.ADVAPI32(?), ref: 00A90E40
GetAce.ADVAPI32(?,00000000,?), ref: 00A90E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00A90E96
GetLengthSid.ADVAPI32(?), ref: 00A90EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00A90EB5
HeapAlloc.KERNEL32(00000000), ref: 00A90EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00A90EDD
CopySid.ADVAPI32(00000000), ref: 00A90EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00A90F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00A90F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00A90F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A90F6E
HeapFree.KERNEL32(00000000), ref: 00A90F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A90F7E
HeapFree.KERNEL32(00000000), ref: 00A90F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A90F8E
HeapFree.KERNEL32(00000000), ref: 00A90F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00A90FA1
HeapFree.KERNEL32(00000000), ref: 00A90FA8

Part of subcall function 00A91193: GetProcessHeap.KERNEL32(00000008,00A90BB1,?,00000000,?,00A90BB1,?), ref: 00A911A1
Part of subcall function 00A91193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00A90BB1,?), ref: 00A911A8
Part of subcall function 00A91193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00A90BB1,?), ref: 00A911B7

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: ad58868e6b7e51d663a328223256bab4e13fc5e6985783122666a00d43e87528
Instruction ID: ce3f6d4f7f56015f70320bc7c87adcfccfdc0987f0ba75852d935eeb628461a6
Opcode Fuzzy Hash: ad58868e6b7e51d663a328223256bab4e13fc5e6985783122666a00d43e87528
Instruction Fuzzy Hash: 02715872A0021AEFDF20DFA5DD48FAEBBB8FF04351F154215E919E6191D7319A06CB60

Function 00ABC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00ABC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00ACCC08,00000000,?,00000000,?,?), ref: 00ABC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00ABC5A4
_wcslen.LIBCMT ref: 00ABC5F4
_wcslen.LIBCMT ref: 00ABC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00ABC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00ABC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00ABC84D
RegCloseKey.ADVAPI32(?), ref: 00ABC881
RegCloseKey.ADVAPI32(00000000), ref: 00ABC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00ABC960

Strings

REG_EXPAND_SZ, xrefs: 00ABC5CD
REG_BINARY, xrefs: 00ABC913
REG_SZ, xrefs: 00ABC644
REG_DWORD, xrefs: 00ABC804
REG_QWORD, xrefs: 00ABC8C3
REG_MULTI_SZ, xrefs: 00ABC6F5

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: f969cb0e072bfb84988ee4e2d7144a4422703621b9655e466b704b118dfc0b7c
Instruction ID: 74cf4ea52ca122f167e0b368d8de96472429667a662738b782146b82cd0a8337
Opcode Fuzzy Hash: f969cb0e072bfb84988ee4e2d7144a4422703621b9655e466b704b118dfc0b7c
Instruction Fuzzy Hash: 9E125A75604201AFDB24DF14C981E6AB7E5FF88724F04885DF99A9B3A2DB31ED41CB81

Function 00AC091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00AC09C6
_wcslen.LIBCMT ref: 00AC0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00AC0A54
_wcslen.LIBCMT ref: 00AC0A8A
_wcslen.LIBCMT ref: 00AC0B06
_wcslen.LIBCMT ref: 00AC0B81

Part of subcall function 00A4F9F2: _wcslen.LIBCMT ref: 00A4F9FD

Part of subcall function 00A92BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A92BFA

Strings

EXISTS, xrefs: 00AC0B7C, 00AC0B97
GETTEXT, xrefs: 00AC0C97
GETITEMCOUNT, xrefs: 00AC0C1E
COLLAPSE, xrefs: 00AC0B01, 00AC0B1C
UNCHECK, xrefs: 00AC0D3E
CHECK, xrefs: 00AC0A85, 00AC0AA0
GETTOTALCOUNT, xrefs: 00AC09F2, 00AC0A17
EXPAND, xrefs: 00AC0BF8
ISCHECKED, xrefs: 00AC0CE1
SELECT, xrefs: 00AC0D11
GETSELECTED, xrefs: 00AC0C4E

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 3b6bdb60789a0f0e371d84df987138e888178e8478abb861841fbc71d9e400f1
Instruction ID: 0e49094503377bd14af40a31e8ca54be677ad878ea5071976e17af986c0fd64d
Opcode Fuzzy Hash: 3b6bdb60789a0f0e371d84df987138e888178e8478abb861841fbc71d9e400f1
Instruction Fuzzy Hash: B4E16735208301DFCB14DF68C550E2AB7E1BF98754F16895CF89AAB2A2DB31ED45CB81

Function 00ABC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00ABB6AE,?,?), ref: 00ABC9B5
_wcslen.LIBCMT ref: 00ABC9F1
_wcslen.LIBCMT ref: 00ABCA68
_wcslen.LIBCMT ref: 00ABCA9E
_wcslen.LIBCMT ref: 00ABCAF9
_wcslen.LIBCMT ref: 00ABCB2F
_wcslen.LIBCMT ref: 00ABCB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 00ABCA62, 00ABCA67
HKU, xrefs: 00ABCBF0
HKCC, xrefs: 00ABCBAC
HKCR, xrefs: 00ABCB29, 00ABCB2E
HKLM, xrefs: 00ABCA98, 00ABCA9D
HKEY_CURRENT_USER, xrefs: 00ABCBBD
HKCU, xrefs: 00ABCBCE
HKEY_CURRENT_CONFIG, xrefs: 00ABCB79, 00ABCB7E
HKEY_USERS, xrefs: 00ABCBDF
HKEY_CLASSES_ROOT, xrefs: 00ABCAF3, 00ABCAF8

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 3fd57216ac3c71678ccabcb43d981a1662de99894249b5a4933be440b37d56eb
Instruction ID: a7bf0025a890554c50d2f0bc4b79c6e6c518b4b064d0d954650fec8874e11c7e
Opcode Fuzzy Hash: 3fd57216ac3c71678ccabcb43d981a1662de99894249b5a4933be440b37d56eb
Instruction Fuzzy Hash: EC71D73261012A8BCB10DF7CCD51DFF37AAAB657B4F250528FC5597286E631CD4593A0

Function 00AC833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00AC835A
_wcslen.LIBCMT ref: 00AC836E
_wcslen.LIBCMT ref: 00AC8391
_wcslen.LIBCMT ref: 00AC83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00AC83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00AC361A,?), ref: 00AC844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00AC8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00AC84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00AC8501
FreeLibrary.KERNEL32(?), ref: 00AC850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00AC851D
DestroyIcon.USER32(?), ref: 00AC852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00AC8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00AC8555

Strings

.dll, xrefs: 00AC83AB
.icl, xrefs: 00AC8368
.exe, xrefs: 00AC8388

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 791e988c663a7991f0bc67da7452798556305dfc674260e154d6b6bc50c7e59a
Instruction ID: 601cdb6aa560fb05c0da100decd0774dd9ee3c440d3574c5791d47bc9b1783d0
Opcode Fuzzy Hash: 791e988c663a7991f0bc67da7452798556305dfc674260e154d6b6bc50c7e59a
Instruction Fuzzy Hash: 9E61D271540219FAEB18DF64CD41FBE77A8BB08B21F11450AF915EA1D1DFB8A981CBA0

Function 00A37778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

Cannot parse #include, xrefs: 00A75279
#requireadmin, xrefs: 00A377FF
#notrayicon, xrefs: 00A377E7
#include-once, xrefs: 00A3782F
#ce, xrefs: 00A378ED
Bad directive syntax error, xrefs: 00A7519A
#cs, xrefs: 00A37873, 00A378C5
#pragma compile, xrefs: 00A377D3
#include, xrefs: 00A37847
#OnAutoItStartRegister, xrefs: 00A37817
", xrefs: 00A75153
Unterminated group of comments, xrefs: 00A7528C
#comments-start, xrefs: 00A3785F, 00A378B1
', xrefs: 00A75169
#comments-end, xrefs: 00A378D9

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: a3e39c67b70d443c4786797a9ea6e9223bb4b4ee0a177504f81c476cf466395c
Instruction ID: 17dbab304ad09a83811b240eaa6d259659164b313f866259f11daec7def34514
Opcode Fuzzy Hash: a3e39c67b70d443c4786797a9ea6e9223bb4b4ee0a177504f81c476cf466395c
Instruction Fuzzy Hash: B781C2B1A04605BFDB20AF60CD42FAE77B9BF55301F048424FD09AA292EBB4D955C791

Function 00AA3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00AA3EF8
_wcslen.LIBCMT ref: 00AA3F03
_wcslen.LIBCMT ref: 00AA3F5A
_wcslen.LIBCMT ref: 00AA3F98
GetDriveTypeW.KERNEL32(?), ref: 00AA3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00AA401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00AA4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00AA4087

Strings

close, xrefs: 00AA3EFE, 00AA3F18
set cd door , xrefs: 00AA4028
closed, xrefs: 00AA3F08, 00AA3F2D, 00AA3F46, 00AA3F7E, 00AA3F97
open, xrefs: 00AA3F54, 00AA3F59
open , xrefs: 00AA3FE5
close cd wait, xrefs: 00AA4072
type cdaudio alias cd wait, xrefs: 00AA4001
wait, xrefs: 00AA4044

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: c1b47f186997f0394048a22dbfd88f491feca556d16bec65f4036c04814ae0c7
Instruction ID: 5ecf0b94c623ba78c5bddaa2ddf3d229f2f26ffe70ad46af3ffd9680c86e9f6d
Opcode Fuzzy Hash: c1b47f186997f0394048a22dbfd88f491feca556d16bec65f4036c04814ae0c7
Instruction Fuzzy Hash: 3071EF326042019FC710EF24C98196EB7F4FF99768F10892DF99697291EB31ED46CB91

Function 00A95A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00A95A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00A95A40
SetWindowTextW.USER32(?,?), ref: 00A95A57
GetDlgItem.USER32(?,000003EA), ref: 00A95A6C
SetWindowTextW.USER32(00000000,?), ref: 00A95A72
GetDlgItem.USER32(?,000003E9), ref: 00A95A82
SetWindowTextW.USER32(00000000,?), ref: 00A95A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00A95AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00A95AC3
GetWindowRect.USER32(?,?), ref: 00A95ACC
_wcslen.LIBCMT ref: 00A95B33
SetWindowTextW.USER32(?,?), ref: 00A95B6F
GetDesktopWindow.USER32 ref: 00A95B75
GetWindowRect.USER32(00000000), ref: 00A95B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00A95BD3
GetClientRect.USER32(?,?), ref: 00A95BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00A95C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00A95C2F

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 20a188b7b9a671f8370a3033e0fc2e6014c2e5696955003cab23096de89ce86a
Instruction ID: a1c7788368d5766414ca5739594b9ec3434d1c5317fd6f6165eae64b757991f3
Opcode Fuzzy Hash: 20a188b7b9a671f8370a3033e0fc2e6014c2e5696955003cab23096de89ce86a
Instruction Fuzzy Hash: 80716B31A00A09AFDF21DFB8CE86E6EBBF5FF48714F104518E586A25A0D775E941CB10

Function 00AAFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00AAFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 00AAFE32
LoadCursorW.USER32(00000000,00007F00), ref: 00AAFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 00AAFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 00AAFE53
LoadCursorW.USER32(00000000,00007F01), ref: 00AAFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 00AAFE69
LoadCursorW.USER32(00000000,00007F88), ref: 00AAFE74
LoadCursorW.USER32(00000000,00007F80), ref: 00AAFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 00AAFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 00AAFE95
LoadCursorW.USER32(00000000,00007F85), ref: 00AAFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 00AAFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 00AAFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 00AAFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 00AAFECC
GetCursorInfo.USER32(?), ref: 00AAFEDC
GetLastError.KERNEL32 ref: 00AAFF1E

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 9dbfa202188252f64e6d6d4bc96d3e189301b06eab7f022760d78bac0b1b5c7c
Instruction ID: 794368fe03c4cc614e48c823a7c3e23cb2fc751ed68c8dbd3b8b1c0e8b4def5f
Opcode Fuzzy Hash: 9dbfa202188252f64e6d6d4bc96d3e189301b06eab7f022760d78bac0b1b5c7c
Instruction Fuzzy Hash: 004132B0D043196EDB10DFBA8C8585EBFA8FF05754B54452AF11DEB281DB7899018E91

Function 00A500C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00A500C6

Part of subcall function 00A500ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00B0070C,00000FA0,B2960246,?,?,?,?,00A723B3,000000FF), ref: 00A5011C
Part of subcall function 00A500ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00A723B3,000000FF), ref: 00A50127
Part of subcall function 00A500ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00A723B3,000000FF), ref: 00A50138
Part of subcall function 00A500ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00A5014E
Part of subcall function 00A500ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00A5015C
Part of subcall function 00A500ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00A5016A
Part of subcall function 00A500ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00A50195
Part of subcall function 00A500ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00A501A0

___scrt_fastfail.LIBCMT ref: 00A500E7

Part of subcall function 00A500A3: __onexit.LIBCMT ref: 00A500A9

Strings

InitializeConditionVariable, xrefs: 00A50148
kernel32.dll, xrefs: 00A50133
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00A50122
SleepConditionVariableCS, xrefs: 00A50154
WakeAllConditionVariable, xrefs: 00A50162

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 583078eceac618ceab11c2e2e9b71ed877bed70f3464f096871ae92eea9754fd
Instruction ID: 5041f37ddfc358c52b951295d106d0477f10ffddc657f0e2478e1be476c22fdc
Opcode Fuzzy Hash: 583078eceac618ceab11c2e2e9b71ed877bed70f3464f096871ae92eea9754fd
Instruction Fuzzy Hash: DC210B326447107FE711ABA4AD06F6A37D4FB44F62F050639FC05A72D1DF749C058A91

Function 00A930F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A9318D
_wcslen.LIBCMT ref: 00A931F8

Strings

CLASS, xrefs: 00A93188, 00A931A5
INSTANCE, xrefs: 00A93453
CLASSNN, xrefs: 00A931F3, 00A93204
TEXT, xrefs: 00A9347C
NAME, xrefs: 00A93335, 00A93346
REGEXPCLASS, xrefs: 00A93255, 00A93266

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 5bcc88230409a3818fed56a1e08182b85057ee9af44d4aa6d56f714b93db51bd
Instruction ID: e50c39415e9a44c66f0ed5a8d71d00c927ba3c5d285c8fc8fb5fb72fd2d160f8
Opcode Fuzzy Hash: 5bcc88230409a3818fed56a1e08182b85057ee9af44d4aa6d56f714b93db51bd
Instruction Fuzzy Hash: 2BE19333B00526AFCF189FB8C8516FEBBF4BF58710F658119E556A7250DB30AE858790

Function 00AA44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00ACCC08), ref: 00AA4527
_wcslen.LIBCMT ref: 00AA453B
_wcslen.LIBCMT ref: 00AA4599
_wcslen.LIBCMT ref: 00AA45F4
_wcslen.LIBCMT ref: 00AA463F
_wcslen.LIBCMT ref: 00AA46A7

Part of subcall function 00A4F9F2: _wcslen.LIBCMT ref: 00A4F9FD

GetDriveTypeW.KERNEL32(?,00AF6BF0,00000061), ref: 00AA4743

Strings

removable, xrefs: 00AA45EA, 00AA45EF
network, xrefs: 00AA469D, 00AA46A2
fixed, xrefs: 00AA4635, 00AA463A
all, xrefs: 00AA4531, 00AA4536
ramdisk, xrefs: 00AA46F1
unknown, xrefs: 00AA4708
cdrom, xrefs: 00AA458F, 00AA4594

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 8aa18f13cf8524f2104134d9eb843cfdc3644b687d4b3bdb5db1334c37f7773a
Instruction ID: 089b1b7c9e55243e3b3022d714e7ea6663f279d8190ec9924ea1f4f5c868b6e2
Opcode Fuzzy Hash: 8aa18f13cf8524f2104134d9eb843cfdc3644b687d4b3bdb5db1334c37f7773a
Instruction Fuzzy Hash: 49B1DB71A083029FC710DF28C991A6AB7E5AFEA720F50491DF496C72D1E7B0D845CBA2

Function 00AC911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A49BB2

DragQueryPoint.SHELL32(?,?), ref: 00AC9147

Part of subcall function 00AC7674: ClientToScreen.USER32(?,?), ref: 00AC769A
Part of subcall function 00AC7674: GetWindowRect.USER32(?,?), ref: 00AC7710
Part of subcall function 00AC7674: PtInRect.USER32(?,?,00AC8B89), ref: 00AC7720

SendMessageW.USER32(?,000000B0,?,?), ref: 00AC91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00AC91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00AC91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00AC9225
SendMessageW.USER32(?,000000B0,?,?), ref: 00AC923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00AC9255
SendMessageW.USER32(?,000000B1,?,?), ref: 00AC9277
DragFinish.SHELL32(?), ref: 00AC927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00AC9371

Strings

@GUI_DROPID, xrefs: 00AC929E
@GUI_DRAGFILE, xrefs: 00AC9320
0}, xrefs: 00AC92BB
@GUI_DRAGID, xrefs: 00AC92E9

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: 0}$@GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-2832047665
Opcode ID: be75d647484f5953243c67a27127f4f5fbc283af8523d590a4da6467fe789aa8
Instruction ID: ebe3d902a55a2a766de162c6d4fe867987bca43a5e153a9103fec4d462fe48c2
Opcode Fuzzy Hash: be75d647484f5953243c67a27127f4f5fbc283af8523d590a4da6467fe789aa8
Instruction Fuzzy Hash: B7616971108301AFC705DFA4DD89EAFBBE8EF98750F00491EF596962A0DB709A49CB52

Function 00A6DA5D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00A6DAA1

Part of subcall function 00A6D63C: _free.LIBCMT ref: 00A6D659
Part of subcall function 00A6D63C: _free.LIBCMT ref: 00A6D66B
Part of subcall function 00A6D63C: _free.LIBCMT ref: 00A6D67D
Part of subcall function 00A6D63C: _free.LIBCMT ref: 00A6D68F
Part of subcall function 00A6D63C: _free.LIBCMT ref: 00A6D6A1
Part of subcall function 00A6D63C: _free.LIBCMT ref: 00A6D6B3
Part of subcall function 00A6D63C: _free.LIBCMT ref: 00A6D6C5
Part of subcall function 00A6D63C: _free.LIBCMT ref: 00A6D6D7
Part of subcall function 00A6D63C: _free.LIBCMT ref: 00A6D6E9
Part of subcall function 00A6D63C: _free.LIBCMT ref: 00A6D6FB
Part of subcall function 00A6D63C: _free.LIBCMT ref: 00A6D70D
Part of subcall function 00A6D63C: _free.LIBCMT ref: 00A6D71F
Part of subcall function 00A6D63C: _free.LIBCMT ref: 00A6D731

_free.LIBCMT ref: 00A6DA96

Part of subcall function 00A629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00A6D7D1,00000000,00000000,00000000,00000000,?,00A6D7F8,00000000,00000007,00000000,?,00A6DBF5,00000000), ref: 00A629DE
Part of subcall function 00A629C8: GetLastError.KERNEL32(00000000,?,00A6D7D1,00000000,00000000,00000000,00000000,?,00A6D7F8,00000000,00000007,00000000,?,00A6DBF5,00000000,00000000), ref: 00A629F0

_free.LIBCMT ref: 00A6DAB8
_free.LIBCMT ref: 00A6DACD
_free.LIBCMT ref: 00A6DAD8
_free.LIBCMT ref: 00A6DAFA
_free.LIBCMT ref: 00A6DB0D
_free.LIBCMT ref: 00A6DB1B
_free.LIBCMT ref: 00A6DB26
_free.LIBCMT ref: 00A6DB5E
_free.LIBCMT ref: 00A6DB65
_free.LIBCMT ref: 00A6DB82
_free.LIBCMT ref: 00A6DB9A

Strings

0m, xrefs: 00A6DA62

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: 0m
API String ID: 161543041-3665595038
Opcode ID: 9db3ba5dbf89d52e90be0857aa22687eeb7c165e4303580914063e480c38dad0
Instruction ID: 385263050b5693f0523638d71c493e5363f5c9237c7721f38530787da7df208c
Opcode Fuzzy Hash: 9db3ba5dbf89d52e90be0857aa22687eeb7c165e4303580914063e480c38dad0
Instruction Fuzzy Hash: A6314832B046059FEB25AB79E945B6AB7F9FF903A0F154429E449D7191DA31AC808B20

Function 00AB3FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00ACCC08), ref: 00AB40BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00AB40CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00ACCC08), ref: 00AB40F2
FreeLibrary.KERNEL32(00000000,?,00ACCC08), ref: 00AB413E
StringFromGUID2.OLE32(?,?,00000028,?,00ACCC08), ref: 00AB41A8
SysFreeString.OLEAUT32(00000009), ref: 00AB4262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00AB42C8
SysFreeString.OLEAUT32(?), ref: 00AB42F2

Strings

kernel32.dll, xrefs: 00AB40B6
GetModuleHandleExW, xrefs: 00AB40C7

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: f7f3032b240118854941609bec46e852eaadb074a9b1be3dfeac3482769d2efd
Instruction ID: e93dcd9f93f396c71f20d7001256a5c28844e335272b0a9edd89478a915605f7
Opcode Fuzzy Hash: f7f3032b240118854941609bec46e852eaadb074a9b1be3dfeac3482769d2efd
Instruction Fuzzy Hash: CB123A75A00119EFDB14DF94C884EAEBBB9FF49314F248098F9099B252D731ED46CBA0

Function 00A3326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00B01990), ref: 00A72F8D
GetMenuItemCount.USER32(00B01990), ref: 00A7303D
GetCursorPos.USER32(?), ref: 00A73081
SetForegroundWindow.USER32(00000000), ref: 00A7308A
TrackPopupMenuEx.USER32(00B01990,00000000,?,00000000,00000000,00000000), ref: 00A7309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00A730A9

Strings

0, xrefs: 00A3327D

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 18ea364bc7eb710e048c92cfc1d077f1625cf59a64a81d81fcd9161c438ed4d5
Instruction ID: 74c4b1ed8e1628f5ab87b301b91a88f6bb9855caa931b6c9d2c1846b5242802b
Opcode Fuzzy Hash: 18ea364bc7eb710e048c92cfc1d077f1625cf59a64a81d81fcd9161c438ed4d5
Instruction Fuzzy Hash: AA71D471644205BFEF258F64DD49FAABF68FF05364F20C216F5286A1E1C7B1A920DB90

Function 00AC6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00AC6DEB

Part of subcall function 00A36B57: _wcslen.LIBCMT ref: 00A36B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00AC6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00AC6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00AC6E94
DestroyWindow.USER32(?), ref: 00AC6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00A30000,00000000), ref: 00AC6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00AC6EFD
GetDesktopWindow.USER32 ref: 00AC6F16
GetWindowRect.USER32(00000000), ref: 00AC6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00AC6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00AC6F4D

Part of subcall function 00A49944: GetWindowLongW.USER32(?,000000EB), ref: 00A49952

Strings

tooltips_class32, xrefs: 00AC6E58, 00AC6EDD
0, xrefs: 00AC6D98

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 7e712aaa30653a43430c76d91eee7f33b7870dc05d007fff8027887b41c16cdf
Instruction ID: ae791519d1c051d857dcd368a2e2b9da175b0a5495eb63860ddd05675b4469dd
Opcode Fuzzy Hash: 7e712aaa30653a43430c76d91eee7f33b7870dc05d007fff8027887b41c16cdf
Instruction Fuzzy Hash: 97715374104244AFDB21CF28DD48FAABBE9FF89314F05081EF98997261DB74E906DB52

Function 00AAC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00AAC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00AAC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00AAC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00AAC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00AAC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00AAC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00AAC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00AAC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00AAC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00AAC5F0
InternetCloseHandle.WININET(00000000), ref: 00AAC5FB

Strings

, xrefs: 00AAC575

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: c7a76df246a90e29ba07c0788e50db0bbf8536f7edecec9da3ff4871706830af
Instruction ID: bd0e2118308d85ce80ee4afd465464612b6ec2b352aec4f98715afdd82e74a5e
Opcode Fuzzy Hash: c7a76df246a90e29ba07c0788e50db0bbf8536f7edecec9da3ff4871706830af
Instruction Fuzzy Hash: 1C514BB0940305BFEB21DFA4C948AAA7BFCFF09764F00441AF94A97690DB34E945DB60

Function 00AC856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00AC8592
GetFileSize.KERNEL32(00000000,00000000), ref: 00AC85A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 00AC85AD
CloseHandle.KERNEL32(00000000), ref: 00AC85BA
GlobalLock.KERNEL32(00000000), ref: 00AC85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00AC85D7
GlobalUnlock.KERNEL32(00000000), ref: 00AC85E0
CloseHandle.KERNEL32(00000000), ref: 00AC85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00AC85F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,00ACFC38,?), ref: 00AC8611
GlobalFree.KERNEL32(00000000), ref: 00AC8621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00AC8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00AC8671
DeleteObject.GDI32(00000000), ref: 00AC8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00AC86AF

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 39db77610f7564a9fb67a73c7e7133a4ccddb57d2690b2c29855d98c6100a502
Instruction ID: 884b6d6bbf4a0d8935fc91878c1a7875c881fdb8ad38ed68a8a4528b734d812e
Opcode Fuzzy Hash: 39db77610f7564a9fb67a73c7e7133a4ccddb57d2690b2c29855d98c6100a502
Instruction Fuzzy Hash: 39412B75600208AFDB11DFA5DC48EAABBBCFF89721F164058F919E7260DB749902CB20

Function 00AA14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00AA1502
VariantCopy.OLEAUT32(?,?), ref: 00AA150B
VariantClear.OLEAUT32(?), ref: 00AA1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00AA15FB
VarR8FromDec.OLEAUT32(?,?), ref: 00AA1657
VariantInit.OLEAUT32(?), ref: 00AA1708
SysFreeString.OLEAUT32(?), ref: 00AA178C
VariantClear.OLEAUT32(?), ref: 00AA17D8
VariantClear.OLEAUT32(?), ref: 00AA17E7
VariantInit.OLEAUT32(00000000), ref: 00AA1823

Strings

Default, xrefs: 00AA16AF
%4d%02d%02d%02d%02d%02d, xrefs: 00AA1625

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 11eed04afc336e3326b31ba5571c36643fd627d7dc86c3f3ed46c25a8b100449
Instruction ID: 5dccc04450d062457926f17bf386138675b562a35689d362a44ad07c200ac9d9
Opcode Fuzzy Hash: 11eed04afc336e3326b31ba5571c36643fd627d7dc86c3f3ed46c25a8b100449
Instruction Fuzzy Hash: F1D1CC31A00616EBDB04AFA5D999B79B7B5BF46700F14845AF44AAB1C0DB30EC41DBA2

Function 00ABB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00A39CB3: _wcslen.LIBCMT ref: 00A39CBD

Part of subcall function 00ABC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00ABB6AE,?,?), ref: 00ABC9B5
Part of subcall function 00ABC998: _wcslen.LIBCMT ref: 00ABC9F1
Part of subcall function 00ABC998: _wcslen.LIBCMT ref: 00ABCA68
Part of subcall function 00ABC998: _wcslen.LIBCMT ref: 00ABCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00ABB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00ABB772
RegDeleteValueW.ADVAPI32(?,?), ref: 00ABB80A
RegCloseKey.ADVAPI32(?), ref: 00ABB87E
RegCloseKey.ADVAPI32(?), ref: 00ABB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00ABB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00ABB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00ABB922
FreeLibrary.KERNEL32(00000000), ref: 00ABB983
RegCloseKey.ADVAPI32(00000000), ref: 00ABB994

Strings

advapi32.dll, xrefs: 00ABB8ED
RegDeleteKeyExW, xrefs: 00ABB8FE

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 5aaadb2247ab2d4ac7511c06ab54d5991026fc68c1339dc3114b85b34ec25877
Instruction ID: 889bd60b8af700e606e35e5a70e0d4ecf2bf4810b7ddc657695ea835bb2424e9
Opcode Fuzzy Hash: 5aaadb2247ab2d4ac7511c06ab54d5991026fc68c1339dc3114b85b34ec25877
Instruction Fuzzy Hash: 66C18C34218201AFD714DF54C494F6ABBE9BF84318F14855CF49A9B2A3CBB1EC46CBA1

Function 00AB255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00AB25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00AB25E8
CreateCompatibleDC.GDI32(?), ref: 00AB25F4
SelectObject.GDI32(00000000,?), ref: 00AB2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00AB266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00AB26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00AB26D0
SelectObject.GDI32(?,?), ref: 00AB26D8
DeleteObject.GDI32(?), ref: 00AB26E1
DeleteDC.GDI32(?), ref: 00AB26E8
ReleaseDC.USER32(00000000,?), ref: 00AB26F3

Strings

(, xrefs: 00AB268D

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 9917bbc8d2a173d48ccf70c16cdf7d0e401562c09b763232b9153c53ca6e6a9d
Instruction ID: aea815c7803c8916c1510ed08edde7681754ff1a32f08e3f2461602fe559e277
Opcode Fuzzy Hash: 9917bbc8d2a173d48ccf70c16cdf7d0e401562c09b763232b9153c53ca6e6a9d
Instruction Fuzzy Hash: 3961E175D00219EFCF14CFE8D984EAEBBB9FF48310F24852AE959A7251E770A9418F50

Function 00A9365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00A9369C
_wcslen.LIBCMT ref: 00A936A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00A93797
GetClassNameW.USER32(?,?,00000400), ref: 00A9380C
GetDlgCtrlID.USER32(?), ref: 00A9385D
GetWindowRect.USER32(?,?), ref: 00A93882
GetParent.USER32(?), ref: 00A938A0
ScreenToClient.USER32(00000000), ref: 00A938A7
GetClassNameW.USER32(?,?,00000100), ref: 00A93921
GetWindowTextW.USER32(?,?,00000400), ref: 00A9395D

Strings

%s%u, xrefs: 00A93734

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: b0703a0df167b49feeacbf887ca95b94f82eceb5954f44267ab701b8e3c9df99
Instruction ID: 1a213f9edd759f781967a7773b96ed033fa9a5e30198e38e3367f051e5abd59a
Opcode Fuzzy Hash: b0703a0df167b49feeacbf887ca95b94f82eceb5954f44267ab701b8e3c9df99
Instruction Fuzzy Hash: 2691AE72304606AFDF19DF64C995FAAB7F8FF44350F008629F999C6190DB30AA46CB91

Function 00A94954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00A94994
GetWindowTextW.USER32(?,?,00000400), ref: 00A949DA
_wcslen.LIBCMT ref: 00A949EB
CharUpperBuffW.USER32(?,00000000), ref: 00A949F7
_wcsstr.LIBVCRUNTIME ref: 00A94A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00A94A64
GetWindowTextW.USER32(?,?,00000400), ref: 00A94A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00A94AE6
GetClassNameW.USER32(?,?,00000400), ref: 00A94B20
GetWindowRect.USER32(?,?), ref: 00A94B8B

Strings

ThumbnailClass, xrefs: 00A94A6F, 00A94AF1

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: f364ca37972090b64569069987aba521fd9ae70dfd71ac8dcecf4d0dacecddeb
Instruction ID: 61e58b67718ea8a5878501e21f346efa1da9ebae671ad168a655712f3c93c2c5
Opcode Fuzzy Hash: f364ca37972090b64569069987aba521fd9ae70dfd71ac8dcecf4d0dacecddeb
Instruction Fuzzy Hash: E991AF712082059FDF04DF54CA85FAA77E8FF88354F048469FD899A196EB30ED46CBA1

Function 00A9BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00B01990,000000FF,00000000,00000030), ref: 00A9BFAC
SetMenuItemInfoW.USER32(00B01990,00000004,00000000,00000030), ref: 00A9BFE1
Sleep.KERNEL32(000001F4), ref: 00A9BFF3
GetMenuItemCount.USER32(?), ref: 00A9C039
GetMenuItemID.USER32(?,00000000), ref: 00A9C056
GetMenuItemID.USER32(?,-00000001), ref: 00A9C082
GetMenuItemID.USER32(?,?), ref: 00A9C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00A9C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A9C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A9C145

Strings

0, xrefs: 00A9BF3D

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: c9a80a8fa2f2f4995b6ba758fb07b4384f692b6c935bb63fdb0e3a32a5986f7d
Instruction ID: 284dafd8be9c8bf5381c8fe91df33e5bb21f910672cebee9404fbf225fb0453f
Opcode Fuzzy Hash: c9a80a8fa2f2f4995b6ba758fb07b4384f692b6c935bb63fdb0e3a32a5986f7d
Instruction Fuzzy Hash: 40619FB0A0064AAFDF15CFA8DE88EEE7BF8EB05364F104155F815A7292C735AD45CB60

Function 00ABCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00ABCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00ABCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00ABCD48

Part of subcall function 00ABCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00ABCCAA
Part of subcall function 00ABCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00ABCCBD
Part of subcall function 00ABCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00ABCCCF
Part of subcall function 00ABCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00ABCD05
Part of subcall function 00ABCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00ABCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00ABCCF3

Strings

advapi32.dll, xrefs: 00ABCCB8
RegDeleteKeyExW, xrefs: 00ABCCC9

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 49cad26a5080f9c520bc89acead4e30f36fcd1e0b5a5e216389d5fa2dd3124d5
Instruction ID: d15d10a468772f238707f58827cbf2dda0a4a581cad2df665684a88b5cbf1392
Opcode Fuzzy Hash: 49cad26a5080f9c520bc89acead4e30f36fcd1e0b5a5e216389d5fa2dd3124d5
Instruction Fuzzy Hash: C3316075901129BBD720CB95DC88EFFBB7CEF56760F010165F909E3141D7349A469AA0

Function 00AA3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00AA3D40
_wcslen.LIBCMT ref: 00AA3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00AA3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00AA3DBE
RemoveDirectoryW.KERNEL32(?), ref: 00AA3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00AA3E55
CloseHandle.KERNEL32(00000000), ref: 00AA3E60
CloseHandle.KERNEL32(00000000), ref: 00AA3E6B

Strings

\, xrefs: 00AA3D77
:, xrefs: 00AA3D82
\??\%s, xrefs: 00AA3D5B

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: b2ceb90e3df63902d055369a8e95aca9b030b2096263409dcf7e0ffaa4679865
Instruction ID: 8e6d033678110d05981940a63d78ca4cedc31e22e71faac1c2ce3028841f451e
Opcode Fuzzy Hash: b2ceb90e3df63902d055369a8e95aca9b030b2096263409dcf7e0ffaa4679865
Instruction Fuzzy Hash: 9831CF76900209ABDB21DBA0DC49FEF37BCEF89750F1040B6FA09D61A0EB7497458B24

Function 00A9E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00A9E6B4

Part of subcall function 00A4E551: timeGetTime.WINMM(?,?,00A9E6D4), ref: 00A4E555

Sleep.KERNEL32(0000000A), ref: 00A9E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00A9E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00A9E727
SetActiveWindow.USER32 ref: 00A9E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00A9E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00A9E773
Sleep.KERNEL32(000000FA), ref: 00A9E77E
IsWindow.USER32 ref: 00A9E78A
EndDialog.USER32(00000000), ref: 00A9E79B

Strings

BUTTON, xrefs: 00A9E719

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 5510dd64523bcf34d280fc27eae1c7ec219f604320588831b1bab890dc9ce406
Instruction ID: 2012eca50242185ab48fd865ebb3717b1dff20381dc52e52d0ba49bc16ab5fee
Opcode Fuzzy Hash: 5510dd64523bcf34d280fc27eae1c7ec219f604320588831b1bab890dc9ce406
Instruction Fuzzy Hash: 14218CB0300205BFEF00EFA4ED8DE263BA9FB64758B151824F509825B2DF72AC558B25

Function 00A9E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00A39CB3: _wcslen.LIBCMT ref: 00A39CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00A9EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00A9EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A9EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00A9EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00A9EAA7

Strings

status PlayMe mode, xrefs: 00A9EA58
close PlayMe, xrefs: 00A9EA6E, 00A9EA9B
alias PlayMe, xrefs: 00A9EA36
play PlayMe, xrefs: 00A9EAA2
play PlayMe wait, xrefs: 00A9EA91
open , xrefs: 00A9EA0C

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 4057da5bc445ad8e095287f18ac2b20575fa02e931095d8d9f7ffebb23d9a3a8
Instruction ID: 7361cdc2725cff95ba365290a26858030acd703e9df9df81503a1a5f72ed22e2
Opcode Fuzzy Hash: 4057da5bc445ad8e095287f18ac2b20575fa02e931095d8d9f7ffebb23d9a3a8
Instruction Fuzzy Hash: 99112131A9025D79DB20E7A2DD8AEFF6ABCFBD5B40F400829B511A60D1EAB05945C6B0

Function 00A99F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00A9A012
SetKeyboardState.USER32(?), ref: 00A9A07D
GetAsyncKeyState.USER32(000000A0), ref: 00A9A09D
GetKeyState.USER32(000000A0), ref: 00A9A0B4
GetAsyncKeyState.USER32(000000A1), ref: 00A9A0E3
GetKeyState.USER32(000000A1), ref: 00A9A0F4
GetAsyncKeyState.USER32(00000011), ref: 00A9A120
GetKeyState.USER32(00000011), ref: 00A9A12E
GetAsyncKeyState.USER32(00000012), ref: 00A9A157
GetKeyState.USER32(00000012), ref: 00A9A165
GetAsyncKeyState.USER32(0000005B), ref: 00A9A18E
GetKeyState.USER32(0000005B), ref: 00A9A19C

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 0ac5cc81bcafe2f01b41936818ac37c93f708d5d3f25ef14aaecbdef649e046a
Instruction ID: 4dc656e18ed6c21edf65590ed11768bde3aad7018f2501c91d60d66fdeab777c
Opcode Fuzzy Hash: 0ac5cc81bcafe2f01b41936818ac37c93f708d5d3f25ef14aaecbdef649e046a
Instruction Fuzzy Hash: DD51B920B0478829FF35DBA489117EBFFF49F21384F08859ED5C6571C2DA549A4CC7A2

Function 00A95CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00A95CE2
GetWindowRect.USER32(00000000,?), ref: 00A95CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00A95D59
GetDlgItem.USER32(?,00000002), ref: 00A95D69
GetWindowRect.USER32(00000000,?), ref: 00A95D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00A95DCF
GetDlgItem.USER32(?,000003E9), ref: 00A95DDD
GetWindowRect.USER32(00000000,?), ref: 00A95DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00A95E31
GetDlgItem.USER32(?,000003EA), ref: 00A95E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00A95E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00A95E67

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 7336dc9fe1278275a99f978122e030e2cd533930f56f913b4ea3fc40a90b9516
Instruction ID: 9e9df1251d4eb0614f6e992e2e38c213085709ae9657521a4b3c4173d5824458
Opcode Fuzzy Hash: 7336dc9fe1278275a99f978122e030e2cd533930f56f913b4ea3fc40a90b9516
Instruction Fuzzy Hash: F751FCB1F00605AFDF19CFA8DD8AAAEBBF5EB48310F158129F519E6290D7709E05CB50

Function 00A48BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00A48F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00A48BE8,?,00000000,?,?,?,?,00A48BBA,00000000,?), ref: 00A48FC5

DestroyWindow.USER32(?), ref: 00A48C81
KillTimer.USER32(00000000,?,?,?,?,00A48BBA,00000000,?), ref: 00A48D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00A86973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00A48BBA,00000000,?), ref: 00A869A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00A48BBA,00000000,?), ref: 00A869B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00A48BBA,00000000), ref: 00A869D4
DeleteObject.GDI32(00000000), ref: 00A869E6

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 5a83ffb2f15a4f7a0be20947f8b002c738a6c07faea445e68daa194b3e75338f
Instruction ID: 1d94cc2c014f2570bd1d12eb89826c2b1ab85fbfa19e9f5ddc0a97b59a1f1514
Opcode Fuzzy Hash: 5a83ffb2f15a4f7a0be20947f8b002c738a6c07faea445e68daa194b3e75338f
Instruction Fuzzy Hash: 21616E35502710DFDB29DF18EA88B29B7F1FB90316F14491CE0469B5A0CB79A992DF90

Function 00A49838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00A49944: GetWindowLongW.USER32(?,000000EB), ref: 00A49952

GetSysColor.USER32(0000000F), ref: 00A49862

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 301869799cfe57846c8a94b8b6eeebf218c699c2355ed1ec453949d79a0f21c6
Instruction ID: 8b7225886c81104dd22ee331de3820b87d487448f50e1c1e0de89693330e2c01
Opcode Fuzzy Hash: 301869799cfe57846c8a94b8b6eeebf218c699c2355ed1ec453949d79a0f21c6
Instruction Fuzzy Hash: 8341A035104644AFDB209F7C9C88FBB3BA5AB86331F294615FAA6871E2D731DC52DB10

Function 00AA3388 Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00AA33CF

Part of subcall function 00A39CB3: _wcslen.LIBCMT ref: 00A39CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00AA33F0

Strings

^ ERROR , xrefs: 00AA349E
"%s" (%d) : ==> %s:%s%s, xrefs: 00AA3504
"%s" (%d) : ==> %s:, xrefs: 00AA3522
Error: , xrefs: 00AA34D1
Line %d (File "%s"):, xrefs: 00AA3443, 00AA345C
Incorrect parameters to object property !, xrefs: 00AA34AB
G0}, xrefs: 00AA3388

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$G0}$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-123536771
Opcode ID: ad9018d7228de50431eef3c837fa430e23f3452ffbd3b539e460c48d7814bdc3
Instruction ID: 0a001ef06b8eaa8eb7df581583c98f2c5f418ac7335da19ff83f07df971cc0dd
Opcode Fuzzy Hash: ad9018d7228de50431eef3c837fa430e23f3452ffbd3b539e460c48d7814bdc3
Instruction Fuzzy Hash: CA518D72940209BADF15EBE4CE46EEEB7B8AF14340F108465F505730A2EB712F58DB61

Function 00A996E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00A7F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00A99717
LoadStringW.USER32(00000000,?,00A7F7F8,00000001), ref: 00A99720

Part of subcall function 00A39CB3: _wcslen.LIBCMT ref: 00A39CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00A7F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00A99742
LoadStringW.USER32(00000000,?,00A7F7F8,00000001), ref: 00A99745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00A99866

Strings

Error: , xrefs: 00A9981D
Line %d (File "%s"):, xrefs: 00A9978F
^ ERROR, xrefs: 00A997FB
%s (%d) : ==> %s: %s %s, xrefs: 00A9984A
Line %d:, xrefs: 00A997A0

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 9b24a8f3b4e7168ea3db2952566e44c3d6aeba02c81baab47549f76a51a1cc43
Instruction ID: 220c32a751cf676bd61428b1eaa060341063ce3d51be21993004d3b58769c81e
Opcode Fuzzy Hash: 9b24a8f3b4e7168ea3db2952566e44c3d6aeba02c81baab47549f76a51a1cc43
Instruction Fuzzy Hash: A4413872904209BACF04EBE4CF86EEFB7B8AF55340F104429F60576092EB656F49CB61

Function 00A906DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00A36B57: _wcslen.LIBCMT ref: 00A36B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00A907A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00A907BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00A907DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00A90804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00A9082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00A90837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00A9083C

Strings

SOFTWARE\Classes\, xrefs: 00A9070E
\IPC$, xrefs: 00A90784
\CLSID, xrefs: 00A90724

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 70b5020873bad62e022f1236e3ebe0fc53add84e8e21004cd77c21c1ee7a4c85
Instruction ID: d149678c219d6df8389a6e96b11c553a5461a599a59f0a0d0a043b763da2cdf3
Opcode Fuzzy Hash: 70b5020873bad62e022f1236e3ebe0fc53add84e8e21004cd77c21c1ee7a4c85
Instruction Fuzzy Hash: 34411572D10229AFCF15EBA4DD85DEEB7B8BF44350F058129F905A7160EB709E04CBA0

Function 00AC3F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00AC403B
CreateCompatibleDC.GDI32(00000000), ref: 00AC4042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00AC4055
SelectObject.GDI32(00000000,00000000), ref: 00AC405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00AC4068
DeleteDC.GDI32(00000000), ref: 00AC4072
GetWindowLongW.USER32(?,000000EC), ref: 00AC407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00AC4092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00AC409E

Strings

static, xrefs: 00AC3FD3

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: d5d6bcece558f8ccb503e15352ead9645845713d7cbd0ced16a9d7fc80ddfa7d
Instruction ID: b84f99c9471700b0c0867b5a606d13bb666c196be317d705547f3fa2e58d69bd
Opcode Fuzzy Hash: d5d6bcece558f8ccb503e15352ead9645845713d7cbd0ced16a9d7fc80ddfa7d
Instruction Fuzzy Hash: ED315C32541219BBDF219FA4CC49FDA3BA8FF0D320F120215FA19A61A0C775D811DB94

Function 00AB3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00AB3C5C
CoInitialize.OLE32(00000000), ref: 00AB3C8A
CoUninitialize.OLE32 ref: 00AB3C94
_wcslen.LIBCMT ref: 00AB3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00AB3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00AB3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00AB3F0E
CoGetObject.OLE32(?,00000000,00ACFB98,?), ref: 00AB3F2D
SetErrorMode.KERNEL32(00000000), ref: 00AB3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00AB3FC4
VariantClear.OLEAUT32(?), ref: 00AB3FD8

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 60c49094e5c93133fdb9cfa33cd76424e9411c3e24a4c77691f844ec15f7197e
Instruction ID: 3c4671c112d1b3e4883d38c75061d409a1b435d4f2bdd817de792a7c7eb6f575
Opcode Fuzzy Hash: 60c49094e5c93133fdb9cfa33cd76424e9411c3e24a4c77691f844ec15f7197e
Instruction Fuzzy Hash: 0CC147726083059FCB00DF68C98496BBBE9FF89744F14491DF98A9B212DB31EE05CB52

Function 00AA7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00AA7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00AA7B8F
SHGetDesktopFolder.SHELL32(?), ref: 00AA7BA3
CoCreateInstance.OLE32(00ACFD08,00000000,00000001,00AF6E6C,?), ref: 00AA7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00AA7C74
CoTaskMemFree.OLE32(?,?), ref: 00AA7CCC
SHBrowseForFolderW.SHELL32(?), ref: 00AA7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00AA7D7A
CoTaskMemFree.OLE32(00000000), ref: 00AA7D81
CoTaskMemFree.OLE32(00000000), ref: 00AA7DD6
CoUninitialize.OLE32 ref: 00AA7DDC

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 65a35e72f3209e5fc485e5b07c3bee74203aec4e82f6450c2b2f303fd9991a93
Instruction ID: 32de1eac0a4fec0c861bd6cfaa1f93f0c3211dad0ccbf56c3691445751e261ec
Opcode Fuzzy Hash: 65a35e72f3209e5fc485e5b07c3bee74203aec4e82f6450c2b2f303fd9991a93
Instruction Fuzzy Hash: 8AC11B75A04209AFCB14DFA4C984DAEBBF9FF49314F148499F81A9B261D730ED45CB90

Function 00AC541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00AC5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00AC5515
CharNextW.USER32(00000158), ref: 00AC5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00AC5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00AC559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00AC55AC

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 80830d40721e3dbadbe7204db1846fdf39c2d09b2bf4cec4e9ee7141dafe9c87
Instruction ID: 390708842b042ec51289c1a5a087760735ed08d66adba1cfacd083105bf29cc1
Opcode Fuzzy Hash: 80830d40721e3dbadbe7204db1846fdf39c2d09b2bf4cec4e9ee7141dafe9c87
Instruction Fuzzy Hash: 96617E30D00608AFDF14CFA4CD84EFE7BB9EB05720F128549F525AA291D774AAC1DB60

Function 00A8FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00A8FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00A8FB08
VariantInit.OLEAUT32(?), ref: 00A8FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00A8FB3A
VariantCopy.OLEAUT32(?,?), ref: 00A8FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00A8FBA1
VariantClear.OLEAUT32(?), ref: 00A8FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00A8FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00A8FBCC
VariantClear.OLEAUT32(?), ref: 00A8FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00A8FBE9

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 3c8ed0bc1b3d1118b2084cb8cb1d344789b2f3422870c7f3bb964fd9820ea0eb
Instruction ID: 2f800c84fd1dde3444496dde0ba770c588461bc664afe06968f45dcfac4b5041
Opcode Fuzzy Hash: 3c8ed0bc1b3d1118b2084cb8cb1d344789b2f3422870c7f3bb964fd9820ea0eb
Instruction Fuzzy Hash: AF413235A0021ADFCF04EFA8D958DADBBB9FF48354F018065F956A7261DB30A946CF90

Function 00A99C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00A99CA1
GetAsyncKeyState.USER32(000000A0), ref: 00A99D22
GetKeyState.USER32(000000A0), ref: 00A99D3D
GetAsyncKeyState.USER32(000000A1), ref: 00A99D57
GetKeyState.USER32(000000A1), ref: 00A99D6C
GetAsyncKeyState.USER32(00000011), ref: 00A99D84
GetKeyState.USER32(00000011), ref: 00A99D96
GetAsyncKeyState.USER32(00000012), ref: 00A99DAE
GetKeyState.USER32(00000012), ref: 00A99DC0
GetAsyncKeyState.USER32(0000005B), ref: 00A99DD8
GetKeyState.USER32(0000005B), ref: 00A99DEA

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: cee675aa4a0a4211ae95f6800b1daca8711cb0b35280d0d3c53f36ff543a2326
Instruction ID: 21a428a93b53e1c6b019c47abe3e97bc4cc6b0178d27abb81543b8894050804a
Opcode Fuzzy Hash: cee675aa4a0a4211ae95f6800b1daca8711cb0b35280d0d3c53f36ff543a2326
Instruction Fuzzy Hash: A541A6347047C97DFF3197A888447B7BEE06F12354F08805EDAC65A5C2EBA599C8C7A2

Function 00AB055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00AB05BC
inet_addr.WSOCK32(?), ref: 00AB061C
gethostbyname.WSOCK32(?), ref: 00AB0628
IcmpCreateFile.IPHLPAPI ref: 00AB0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00AB06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00AB06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00AB07B9
WSACleanup.WSOCK32 ref: 00AB07BF

Strings

Ping, xrefs: 00AB0676

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 18b82eeec666944bfd01cb443c68c9c002a151a6e6afcfdcdf8d155f4ae1b1d7
Instruction ID: 2dbfb28a1fd0b00318501770042fd145e737dfcaff2d79ab144f2fc4276bd9d8
Opcode Fuzzy Hash: 18b82eeec666944bfd01cb443c68c9c002a151a6e6afcfdcdf8d155f4ae1b1d7
Instruction Fuzzy Hash: 69919D356046019FD720CF15C988F5BBBE8EF84318F1585A9F46A8B6A2CB70EC81CF91

Function 00AB8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00AB8CF3

Part of subcall function 00A98E54: _wcslen.LIBCMT ref: 00A98E77

_wcslen.LIBCMT ref: 00AB8D4E
_wcslen.LIBCMT ref: 00AB8D9C
_wcslen.LIBCMT ref: 00AB8DDC
_wcslen.LIBCMT ref: 00AB8E6E

Strings

winapi, xrefs: 00AB8D96, 00AB8D9B
none, xrefs: 00AB8E65, 00AB8E6A
cdecl, xrefs: 00AB8D48, 00AB8D4D
stdcall, xrefs: 00AB8DD6, 00AB8DDB

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 1b0601c8073d2535a4e8d16f07b2ad27ab971992b323eac077755cbb57953e4d
Instruction ID: 4f4009614954e0686bbb4efd125d38bc12e7386a2810bbd88f5e53da7a1a61fb
Opcode Fuzzy Hash: 1b0601c8073d2535a4e8d16f07b2ad27ab971992b323eac077755cbb57953e4d
Instruction Fuzzy Hash: F3519131A041169BCF14DF6CC9519FEB7ADBF64724B20422AF926E7286DB39DD40C790

Function 00AB372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00AB3774
CoUninitialize.OLE32 ref: 00AB377F
CoCreateInstance.OLE32(?,00000000,00000017,00ACFB78,?), ref: 00AB37D9
IIDFromString.OLE32(?,?), ref: 00AB384C
VariantInit.OLEAUT32(?), ref: 00AB38E4
VariantClear.OLEAUT32(?), ref: 00AB3936

Strings

NULL Pointer assignment, xrefs: 00AB381E
Failed to create object, xrefs: 00AB37E4, 00AB389A
Invalid parameter, xrefs: 00AB3865

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 2b2317509830027d59e5f37824d73679ec7f55717115f15e2b82d782406f71b3
Instruction ID: 2c06cca4356f4f2fde85dc5e24e2ed7762dfaa988d473cc1df286e6be7408f00
Opcode Fuzzy Hash: 2b2317509830027d59e5f37824d73679ec7f55717115f15e2b82d782406f71b3
Instruction Fuzzy Hash: E8619372608311AFDB10DF94C949FAAB7E8EF45710F10481DF58597292D770EE49CB92

Function 00A9B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00A9B5FC
_wcslen.LIBCMT ref: 00A9B608
_wcslen.LIBCMT ref: 00A9B64D
_wcslen.LIBCMT ref: 00A9B68C
_wcslen.LIBCMT ref: 00A9B6C7

Strings

APPEND, xrefs: 00A9B6C1, 00A9B6C6
EXISTS, xrefs: 00A9B686, 00A9B68B
REMOVE, xrefs: 00A9B602, 00A9B607
KEYS, xrefs: 00A9B647, 00A9B64C

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: b92e8e07ef8314885e787a638ba985278fce98de08eab4a9750abfa735751f24
Instruction ID: ffdee7bbd765c0452fe8bf7b0bd62cfb7b25d5809358e18ec22c4bfdcba72a92
Opcode Fuzzy Hash: b92e8e07ef8314885e787a638ba985278fce98de08eab4a9750abfa735751f24
Instruction Fuzzy Hash: B241E632B110269BCF106FBD9E905BE77F5BFA0754B244629E621DB284E731ED81C7A0

Function 00AA5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00AA53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00AA5416
GetLastError.KERNEL32 ref: 00AA5420
SetErrorMode.KERNEL32(00000000,READY), ref: 00AA54A7

Strings

READONLY, xrefs: 00AA5452
NOTREADY, xrefs: 00AA544B
INVALID, xrefs: 00AA5459
UNKNOWN, xrefs: 00AA5444
READY, xrefs: 00AA5460, 00AA5468

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 692bc799464914acaab98666fa0e614bab054d30d582ebcef52b9b7279fe3f05
Instruction ID: 5f3e559fb32434546080149323743ca86eff0a60b06aa2c1deb7e14e1aca8931
Opcode Fuzzy Hash: 692bc799464914acaab98666fa0e614bab054d30d582ebcef52b9b7279fe3f05
Instruction Fuzzy Hash: FF31B035E006089FDB10DFB8C584EAABBB5EF5A305F188069F506DB292D771DD86CB90

Function 00AC3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00AC3C79
SetMenu.USER32(?,00000000), ref: 00AC3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AC3D10
IsMenu.USER32(?), ref: 00AC3D24
CreatePopupMenu.USER32 ref: 00AC3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00AC3D5B
DrawMenuBar.USER32 ref: 00AC3D63

Strings

F, xrefs: 00AC3D4E
0, xrefs: 00AC3C54

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 93b41e838e847ff993d87304c65c8f508e59e7dea9cc004716cb107e255705f9
Instruction ID: e4cdf9fe3cea39e5a3772a681bbb638d1a46ed850ca1e35bff3d666d6c8ad3eb
Opcode Fuzzy Hash: 93b41e838e847ff993d87304c65c8f508e59e7dea9cc004716cb107e255705f9
Instruction Fuzzy Hash: 9041367AA01209EFDF14CFA4D844FAA7BB5FF49350F15442DE94AA7360D730AA11CB94

Function 00A91EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A39CB3: _wcslen.LIBCMT ref: 00A39CBD

Part of subcall function 00A93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A93CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00A91F64
GetDlgCtrlID.USER32 ref: 00A91F6F
GetParent.USER32 ref: 00A91F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00A91F8E
GetDlgCtrlID.USER32(?), ref: 00A91F97
GetParent.USER32(?), ref: 00A91FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00A91FAE

Strings

ListBox, xrefs: 00A91F21
ComboBox, xrefs: 00A91EEC

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 841a0e47f5704581dbd0088bfceaf1827ac425ca771e6081ea4489810e613fd0
Instruction ID: 8e87ba2ad7146b7410e6599c8dab3e283a2db6ccb37dfbd741ca46583e60bbbb
Opcode Fuzzy Hash: 841a0e47f5704581dbd0088bfceaf1827ac425ca771e6081ea4489810e613fd0
Instruction Fuzzy Hash: F321BE75A00218BBCF05EFA0CD85DFEBBB8EF05310F001516F965A72A1DB795909DB60

Function 00A91FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A39CB3: _wcslen.LIBCMT ref: 00A39CBD

Part of subcall function 00A93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A93CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00A92043
GetDlgCtrlID.USER32 ref: 00A9204E
GetParent.USER32 ref: 00A9206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00A9206D
GetDlgCtrlID.USER32(?), ref: 00A92076
GetParent.USER32(?), ref: 00A9208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00A9208D

Strings

ListBox, xrefs: 00A92002
ComboBox, xrefs: 00A91FCD

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 7edecb23c14deca777a3340131f9c21a47bcf79377b0fb8a89e6a4133a2989fb
Instruction ID: 2e07370325a448555a225f4af2a3a50cb04e9e3ff8445ab2ccce06dd0b123f34
Opcode Fuzzy Hash: 7edecb23c14deca777a3340131f9c21a47bcf79377b0fb8a89e6a4133a2989fb
Instruction Fuzzy Hash: 0121A175E40218BBCF10EFA0CD85EFEBBB8EF05350F005415F955A72A1DA794919DB60

Function 00AC3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00AC3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00AC3AA0
GetWindowLongW.USER32(?,000000F0), ref: 00AC3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00AC3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00AC3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00AC3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00AC3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00AC3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00AC3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00AC3C13

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 1c653302f69f1b3534668667f414bfff7adeee239dec7e4884febafed78213f1
Instruction ID: 52e63af85163942b8a0c207f1ea79d7a29df1da9fb5466381fbd27324aa7e414
Opcode Fuzzy Hash: 1c653302f69f1b3534668667f414bfff7adeee239dec7e4884febafed78213f1
Instruction Fuzzy Hash: 95616875A00208AFDB10DFA8CD81FEE77B8EB09710F114199FA15AB2A1D774AE46DB50

Function 00A9B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00A9B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00A9A1E1,?,00000001), ref: 00A9B165
GetWindowThreadProcessId.USER32(00000000), ref: 00A9B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00A9A1E1,?,00000001), ref: 00A9B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00A9B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00A9A1E1,?,00000001), ref: 00A9B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00A9A1E1,?,00000001), ref: 00A9B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00A9A1E1,?,00000001), ref: 00A9B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00A9A1E1,?,00000001), ref: 00A9B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00A9A1E1,?,00000001), ref: 00A9B21D

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 6ff4bd46d644ae353e5a5c0e5522bf4e39442de73b7e22574a6c976643151e95
Instruction ID: 3795afba72d5d0b3b6d20cefa223ec2cf253ec0b39eceaf92bc8bfbdc82bb881
Opcode Fuzzy Hash: 6ff4bd46d644ae353e5a5c0e5522bf4e39442de73b7e22574a6c976643151e95
Instruction Fuzzy Hash: E5317C75610204AFDF10DF64EE98FA97BEDEB61721F114105FA05D71A0EBB4AA428F70

Function 00A62C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00A62C94

Part of subcall function 00A629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00A6D7D1,00000000,00000000,00000000,00000000,?,00A6D7F8,00000000,00000007,00000000,?,00A6DBF5,00000000), ref: 00A629DE
Part of subcall function 00A629C8: GetLastError.KERNEL32(00000000,?,00A6D7D1,00000000,00000000,00000000,00000000,?,00A6D7F8,00000000,00000007,00000000,?,00A6DBF5,00000000,00000000), ref: 00A629F0

_free.LIBCMT ref: 00A62CA0
_free.LIBCMT ref: 00A62CAB
_free.LIBCMT ref: 00A62CB6
_free.LIBCMT ref: 00A62CC1
_free.LIBCMT ref: 00A62CCC
_free.LIBCMT ref: 00A62CD7
_free.LIBCMT ref: 00A62CE2
_free.LIBCMT ref: 00A62CED
_free.LIBCMT ref: 00A62CFB

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 41d9efa1fb17b2421c681dc2cedb7b1681f1d6de8f23539b18c3c6d09f840700
Instruction ID: 770998f282e1d5cd3e4e4c8591b9df1ecef0ee2777e791fbbbb2d1648568833c
Opcode Fuzzy Hash: 41d9efa1fb17b2421c681dc2cedb7b1681f1d6de8f23539b18c3c6d09f840700
Instruction Fuzzy Hash: 9111A476600508BFCB06EF54DA82EDD3BB5FF85390F4144A5FA489F222DA31EE509B90

Function 00AA7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00AA7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00AA7FC1
GetFileAttributesW.KERNEL32(?), ref: 00AA7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00AA8005
SetCurrentDirectoryW.KERNEL32(?), ref: 00AA8017
SetCurrentDirectoryW.KERNEL32(?), ref: 00AA8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00AA80B0

Strings

*.*, xrefs: 00AA8066

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 35b2e889d2144af33ba7dc803968fe9bceec567025b6fd13d4b8561ad204055c
Instruction ID: 581361e1921bcdcc613b64ce617d62497e7157a24ace2be0d2e008e4a37bb6ae
Opcode Fuzzy Hash: 35b2e889d2144af33ba7dc803968fe9bceec567025b6fd13d4b8561ad204055c
Instruction Fuzzy Hash: 83819D725083419BCB30EF14C9449AFB3E8BF8A310F544C6AF889D7291EB35DD498B92

Function 00A35BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00A35C7A

Part of subcall function 00A35D0A: GetClientRect.USER32(?,?), ref: 00A35D30
Part of subcall function 00A35D0A: GetWindowRect.USER32(?,?), ref: 00A35D71
Part of subcall function 00A35D0A: ScreenToClient.USER32(?,?), ref: 00A35D99

GetDC.USER32 ref: 00A746F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00A74708
SelectObject.GDI32(00000000,00000000), ref: 00A74716
SelectObject.GDI32(00000000,00000000), ref: 00A7472B
ReleaseDC.USER32(?,00000000), ref: 00A74733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00A747C4

Strings

U, xrefs: 00A74693

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 43999d9dabfedd73d1c6f194cff73eb8e9bfa169513ee1a123cd613355d3f2c7
Instruction ID: aa4bf37a79d9d7d34ade0ec6dc61e8b0fc1be3fec5b94ee97978370657d2b9c6
Opcode Fuzzy Hash: 43999d9dabfedd73d1c6f194cff73eb8e9bfa169513ee1a123cd613355d3f2c7
Instruction Fuzzy Hash: 0971DF30900205DFCF2ACF68CD85ABA7BB5FF4A364F18C269F9595A166C7319841DF50

Function 00AA359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00AA35E4

Part of subcall function 00A39CB3: _wcslen.LIBCMT ref: 00A39CBD

LoadStringW.USER32(00B02390,?,00000FFF,?), ref: 00AA360A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00AA3724
"%s" (%d) : ==> %s:, xrefs: 00AA3742
Error: , xrefs: 00AA36EF
Line %d (File "%s"):, xrefs: 00AA366B
^ ERROR, xrefs: 00AA36C9

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 2fc6a8a90677a1b7d8b8618cb446906d53d01f0e675df99e50994774a03b789a
Instruction ID: ca243f3e0d14a52228dad5474dcf9d344683828c53eb779dda1a56f9b0c11129
Opcode Fuzzy Hash: 2fc6a8a90677a1b7d8b8618cb446906d53d01f0e675df99e50994774a03b789a
Instruction Fuzzy Hash: BD515972904209BBCF15EBE0CE42EEEBB78AF15300F144129F105771A1EB712A99DFA1

Function 00AAC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00AAC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00AAC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00AAC2CA
GetLastError.KERNEL32 ref: 00AAC322
SetEvent.KERNEL32(?), ref: 00AAC336
InternetCloseHandle.WININET(00000000), ref: 00AAC341

Strings

, xrefs: 00AAC2BB

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: f8e580db35d733131392856b9653f3ba371c383bbfb45f67c0a5f2124c3ed05b
Instruction ID: 8ba1c375dc5d5f0f2fb0dbcfa0d59dd6c1cfd6ba50b160c72d86a470ba979d85
Opcode Fuzzy Hash: f8e580db35d733131392856b9653f3ba371c383bbfb45f67c0a5f2124c3ed05b
Instruction Fuzzy Hash: D5316F71500304AFEB21DFA48988AABBAFCEB4A764F14851DF44A97280DB34DD059B70

Function 00A9989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00A73AAF,?,?,Bad directive syntax error,00ACCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00A998BC
LoadStringW.USER32(00000000,?,00A73AAF,?), ref: 00A998C3

Part of subcall function 00A39CB3: _wcslen.LIBCMT ref: 00A39CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00A99987

Strings

., xrefs: 00A9996D
%s (%d) : ==> %s.: %s %s, xrefs: 00A998F1
Error: , xrefs: 00A99955
Line %d (File "%s"):, xrefs: 00A9992D
Line %d:, xrefs: 00A99912

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 1c2cb64532e47521a84e7afb0ab747d1383e01ebebf7f1e5fed1739bb8fa55c0
Instruction ID: 18408a541649caf8cfd12e65fb30e5fd4dffd78b79e4f7c36615a753b385c1e7
Opcode Fuzzy Hash: 1c2cb64532e47521a84e7afb0ab747d1383e01ebebf7f1e5fed1739bb8fa55c0
Instruction Fuzzy Hash: 17215A3294421EBBCF15AFD0CD0AEEE7779FF18300F044869F619660A2EB719A18DB51

Function 00A9209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00A920AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00A920C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00A9214D

Strings

largeicons, xrefs: 00A920E1
smallicons, xrefs: 00A92115
details, xrefs: 00A920FB
list, xrefs: 00A9212F
SHELLDLL_DefView, xrefs: 00A920CC

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: cab6bda6bfab5d67e1aa82b99f5755a8a1da75f4379ec917483b66679637c08f
Instruction ID: 7b333167e82645af323981c3d8774e75de045366a78563b0ad24b056232d8600
Opcode Fuzzy Hash: cab6bda6bfab5d67e1aa82b99f5755a8a1da75f4379ec917483b66679637c08f
Instruction Fuzzy Hash: 6311E37AB8870ABAFA016374EC0AEB637DCEB08369B300216FB04A50D1FA7168565714

Function 00A68D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1df407c20e6cb4052a1751fc4673747c48205a0588d30b4405e90e72423fc97d
Instruction ID: c8ce876f4bdb2b7fd44285ad5c367dd924484f25978f8d63c93df05b417e4831
Opcode Fuzzy Hash: 1df407c20e6cb4052a1751fc4673747c48205a0588d30b4405e90e72423fc97d
Instruction Fuzzy Hash: F1C1F3B4E04249AFDF11DFA8D841BEEBBB8BF19310F054199E915A7392CB349941CB61

Function 00A6CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00A6CEB7
_free.LIBCMT ref: 00A6CF22
_free.LIBCMT ref: 00A6CF48
_free.LIBCMT ref: 00A6CF71
_free.LIBCMT ref: 00A6CFA9
_free.LIBCMT ref: 00A6CFDA
_free.LIBCMT ref: 00A6D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00A6D09C
_free.LIBCMT ref: 00A6D0B5

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: ca8e1c1ace3442985ca61906276f34d376d5f2c4c33141ddc998838d419c4166
Instruction ID: 65bf05cc64b66ba2180d436c1fb43f331a9d4da6789c7a0021dd27f832d06232
Opcode Fuzzy Hash: ca8e1c1ace3442985ca61906276f34d376d5f2c4c33141ddc998838d419c4166
Instruction Fuzzy Hash: 20614B71A04701AFDF25AFB89D81B7D7BB5EF05370F05426DF98597281DA329D0187A0

Function 00AC50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00AC5186
ShowWindow.USER32(?,00000000), ref: 00AC51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 00AC51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00AC51D1

Part of subcall function 00AC6FBA: DeleteObject.GDI32(00000000), ref: 00AC6FE6

GetWindowLongW.USER32(?,000000F0), ref: 00AC520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00AC521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00AC524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00AC5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00AC5296

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 953aef6ea0393b35351792d9cc696cbe3af131ea41bfa9ca238a0a3080024878
Instruction ID: 9097f1501c915497630a53cdae91c5f968c356a80ac47961d1899b719a499408
Opcode Fuzzy Hash: 953aef6ea0393b35351792d9cc696cbe3af131ea41bfa9ca238a0a3080024878
Instruction Fuzzy Hash: 2851CE30E40A08BEEF20AF74CC4AFD97BA5EB04320F5A4209F619962E0C775B9D0DB40

Function 00A48B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00A86890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00A868A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00A868B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00A868D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00A868F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00A48874,00000000,00000000,00000000,000000FF,00000000), ref: 00A86901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00A8691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00A48874,00000000,00000000,00000000,000000FF,00000000), ref: 00A8692D

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 9aeedb1398ee469332faa5ead575b16777fed540ec8b25b6b4c8ce50f83c5f8b
Instruction ID: 8008f707903a23b78cdf09553638678e316de300b0af05c89275d2bc0d0cbdae
Opcode Fuzzy Hash: 9aeedb1398ee469332faa5ead575b16777fed540ec8b25b6b4c8ce50f83c5f8b
Instruction Fuzzy Hash: 0A519A74A00209EFEB24DF28DC55FAE7BB5FB98760F104518F906972A0DB74E992DB40

Function 00AAC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00AAC182
GetLastError.KERNEL32 ref: 00AAC195
SetEvent.KERNEL32(?), ref: 00AAC1A9

Part of subcall function 00AAC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00AAC272
Part of subcall function 00AAC253: GetLastError.KERNEL32 ref: 00AAC322
Part of subcall function 00AAC253: SetEvent.KERNEL32(?), ref: 00AAC336
Part of subcall function 00AAC253: InternetCloseHandle.WININET(00000000), ref: 00AAC341

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 0126d408a38e9e06b71e65226a8bb2ac3ec7996073a1b37e60ab1528ffe1cf31
Instruction ID: 5afd35219ff8d07e9dbb772af140298f50169a04678bf9ab63ff9828aabd5507
Opcode Fuzzy Hash: 0126d408a38e9e06b71e65226a8bb2ac3ec7996073a1b37e60ab1528ffe1cf31
Instruction Fuzzy Hash: 1431BE71200705AFEB21AFE5DD04BA6BBF8FF1A320B04451EF95A87650D731E819DBA0

Function 00A925A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A93A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00A93A57
Part of subcall function 00A93A3D: GetCurrentThreadId.KERNEL32 ref: 00A93A5E
Part of subcall function 00A93A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00A925B3), ref: 00A93A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00A925BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00A925DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00A925DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00A925E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00A92601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00A92605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00A9260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00A92623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00A92627

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: dae240550391b2f2d60423ed746ba665f756bbd1e3146f2cae4f071f1d076df5
Instruction ID: 38a6f740ae77b2b4510e28f12a0bd774d28dc7bc3232a15dc777876cf5d7eb55
Opcode Fuzzy Hash: dae240550391b2f2d60423ed746ba665f756bbd1e3146f2cae4f071f1d076df5
Instruction Fuzzy Hash: 8501D831790220BBFF10A7A99C8AF593FA9DB4EB61F120011F318AE1D1C9E214458A69

Function 00A91803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00A91449,?,?,00000000), ref: 00A9180C
HeapAlloc.KERNEL32(00000000,?,00A91449,?,?,00000000), ref: 00A91813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00A91449,?,?,00000000), ref: 00A91828
GetCurrentProcess.KERNEL32(?,00000000,?,00A91449,?,?,00000000), ref: 00A91830
DuplicateHandle.KERNEL32(00000000,?,00A91449,?,?,00000000), ref: 00A91833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00A91449,?,?,00000000), ref: 00A91843
GetCurrentProcess.KERNEL32(00A91449,00000000,?,00A91449,?,?,00000000), ref: 00A9184B
DuplicateHandle.KERNEL32(00000000,?,00A91449,?,?,00000000), ref: 00A9184E
CreateThread.KERNEL32(00000000,00000000,00A91874,00000000,00000000,00000000), ref: 00A91868

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: e560842261ee7a2b5a657745e57a3cd3752773dd8bd07978fd0017c4f04230ac
Instruction ID: 4612fc91f959eca097b5445d2d3613385ec5e9d0d0625aeba16448002a19dc1c
Opcode Fuzzy Hash: e560842261ee7a2b5a657745e57a3cd3752773dd8bd07978fd0017c4f04230ac
Instruction Fuzzy Hash: 0501BFB5240344BFE710EBA6DC4DF5B7BACEB89B11F054511FA05DB191C6749801CB20

Function 00ABA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00A9D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00A9D501
Part of subcall function 00A9D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00A9D50F
Part of subcall function 00A9D4DC: CloseHandle.KERNELBASE(00000000), ref: 00A9D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00ABA16D
GetLastError.KERNEL32 ref: 00ABA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00ABA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00ABA268
GetLastError.KERNEL32(00000000), ref: 00ABA273
CloseHandle.KERNEL32(00000000), ref: 00ABA2C4

Strings

SeDebugPrivilege, xrefs: 00ABA18F

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 7291e1f271caa75d142ed223d95e16cc113692c709234f09b974d1c0a5d179c2
Instruction ID: 7b2e2868e0c3023c00fac6f9c0998e3dbe1fa529976ef66a567abca034175754
Opcode Fuzzy Hash: 7291e1f271caa75d142ed223d95e16cc113692c709234f09b974d1c0a5d179c2
Instruction Fuzzy Hash: 23619F30204242AFD710DF19C894F95BBE5AF54318F18849CE46A4F7A3C772EC45CB92

Function 00AC3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00AC3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00AC393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00AC3954
_wcslen.LIBCMT ref: 00AC3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00AC39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00AC39F4

Strings

SysListView32, xrefs: 00AC38F7

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 60a4a31e57c9b25d3e041f2b23a23cbd7a560a7e3cffc8ccb27e635b4755cfe5
Instruction ID: 6fbee302325ab696647a62ffb1284c265ca0599de919eb2bc635cae57dbeb2c8
Opcode Fuzzy Hash: 60a4a31e57c9b25d3e041f2b23a23cbd7a560a7e3cffc8ccb27e635b4755cfe5
Instruction Fuzzy Hash: C341A372A00219BBEF219F64CC45FEA7BA9FF08354F11452AF958E7281D7759A80CB90

Function 00A9BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A9BCFD
IsMenu.USER32(00000000), ref: 00A9BD1D
CreatePopupMenu.USER32 ref: 00A9BD53
GetMenuItemCount.USER32(00E65ED0), ref: 00A9BDA4
InsertMenuItemW.USER32(00E65ED0,?,00000001,00000030), ref: 00A9BDCC

Strings

0, xrefs: 00A9BCA8
2, xrefs: 00A9BD37

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 0344ba6d3c50ce47691801d82584d5e305e8e2000df491caf335f7400387dc44
Instruction ID: 016445a267bb9093e5cb1881453531c53fbf7c8c5307320294aa3fedb0fe14dd
Opcode Fuzzy Hash: 0344ba6d3c50ce47691801d82584d5e305e8e2000df491caf335f7400387dc44
Instruction Fuzzy Hash: 7D51BF70B10219DBDF10CFA8EA88BAEBBF4BF45324F144159E415EB291D7709941CB71

Function 00A9C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00A9C913

Strings

question, xrefs: 00A9C8CC
warning, xrefs: 00A9C8FC
info, xrefs: 00A9C8B4
stop, xrefs: 00A9C8E4
blank, xrefs: 00A9C895

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 6a409b701785dc6481fba490811b854ff1a1fb298bf457e6d78874fb9575aa85
Instruction ID: a5c89b4fde48d3e54aaf14bbeb12b188c1f883b991978867306e042cbaca2d92
Opcode Fuzzy Hash: 6a409b701785dc6481fba490811b854ff1a1fb298bf457e6d78874fb9575aa85
Instruction Fuzzy Hash: 92110D32789B0ABAEF05AB549C83CAA77ECEF15379B20442AFA04A6282D7705D405364

Function 00A9DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00A9DE42
gethostname.WSOCK32(?,00000100), ref: 00A9DE5C
gethostbyname.WSOCK32(?), ref: 00A9DE69
inet_ntoa.WSOCK32(?), ref: 00A9DEAB
_strcat.LIBCMT ref: 00A9DEB9
WSACleanup.WSOCK32 ref: 00A9DEDE

Strings

0.0.0.0, xrefs: 00A9DE87

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 2a08032b55393c3b89080d222ba9256a4c204218838c4074cfb92947fe239e32
Instruction ID: 6d5ef695b15b4a7f6ef67582c9b3a006f0c7d18f36f7ccf37cc315a18279db20
Opcode Fuzzy Hash: 2a08032b55393c3b89080d222ba9256a4c204218838c4074cfb92947fe239e32
Instruction Fuzzy Hash: FD110671A04115BFCF20ABA09D4AEEF77FCEF14765F010169F509AA091EF708AC18A60

Function 00AC9F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A49BB2

GetSystemMetrics.USER32(0000000F), ref: 00AC9FC7
GetSystemMetrics.USER32(0000000F), ref: 00AC9FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00ACA224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00ACA242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00ACA263
ShowWindow.USER32(00000003,00000000), ref: 00ACA282
InvalidateRect.USER32(?,00000000,00000001), ref: 00ACA2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 00ACA2CA

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: fe848b39ed9f2a08670866a45ee49f0d70aa25b429ad9cb6122cfcf7279f10fc
Instruction ID: ac1b5fb7870884cc017ed42a42de335cafd11a9313a849ea3fe568e806c91b39
Opcode Fuzzy Hash: fe848b39ed9f2a08670866a45ee49f0d70aa25b429ad9cb6122cfcf7279f10fc
Instruction Fuzzy Hash: CFB1AA31600229DBDF14CF68C985BFA7BF2FF64715F0A8069EC499B295DB31A940CB51

Function 00A9ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00A9ED2A
_wcslen.LIBCMT ref: 00A9ED3B
_wcslen.LIBCMT ref: 00A9ED79
_wcslen.LIBCMT ref: 00A9EDAF
_wcslen.LIBCMT ref: 00A9EDDF
_wcslen.LIBCMT ref: 00A9EDEF
_wcslen.LIBCMT ref: 00A9EE2B
_wcslen.LIBCMT ref: 00A9EE5A

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: e8e4dbf57c6b5c7338cdaa6fc0b325f52c65ca8f29cbce6dca33196eaf9d7aab
Instruction ID: 0da912dcdf2b005646c85333f80eac980ac955b59e93de4f51775c5df11fd557
Opcode Fuzzy Hash: e8e4dbf57c6b5c7338cdaa6fc0b325f52c65ca8f29cbce6dca33196eaf9d7aab
Instruction Fuzzy Hash: F841B265D10218B5DB11EBF5888A9CFB7BCFF45311F508466E918E3122FB34E249C3A5

Function 00A4F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00A8682C,00000004,00000000,00000000), ref: 00A4F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00A8682C,00000004,00000000,00000000), ref: 00A8F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00A8682C,00000004,00000000,00000000), ref: 00A8F454

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: c9c1a487df8848b05777d3f0a4293b7369358896a67287e328b62fd073909343
Instruction ID: c6ced7468b2614d9becb15c49fc3ccd29237a03daa815a24cff160639d81e172
Opcode Fuzzy Hash: c9c1a487df8848b05777d3f0a4293b7369358896a67287e328b62fd073909343
Instruction Fuzzy Hash: FD413A39208680BED7399F3CCD88B2A7BA1AFD6320F14643DE09B57562D731A881CB11

Function 00AC2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00AC2D1B
GetDC.USER32(00000000), ref: 00AC2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00AC2D2E
ReleaseDC.USER32(00000000,00000000), ref: 00AC2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00AC2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00AC2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00AC5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00AC2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00AC2DE1

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 41b69b95a32c4a0cc5df480f71e450d43fe25452ce1a8c4cee6800ddce9ca99a
Instruction ID: bf90cf81034d4807f9535544cb3d8532fffc4317ebc091d390d6c37cef317ac6
Opcode Fuzzy Hash: 41b69b95a32c4a0cc5df480f71e450d43fe25452ce1a8c4cee6800ddce9ca99a
Instruction Fuzzy Hash: E231AE72201214BFEB118F54CC8AFEB3FADEF19721F094055FE099A291C6759C41CBA0

Function 00A95622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00A95637
_memcmp.LIBVCRUNTIME ref: 00A95659
_memcmp.LIBVCRUNTIME ref: 00A95671
_memcmp.LIBVCRUNTIME ref: 00A95684
_memcmp.LIBVCRUNTIME ref: 00A9569E
_memcmp.LIBVCRUNTIME ref: 00A956B1
_memcmp.LIBVCRUNTIME ref: 00A956C9
_memcmp.LIBVCRUNTIME ref: 00A956E4

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 443e3be9bcc3f3c36dc90a41a3066eeae9926e2ef06b67046493914bdbb1c614
Instruction ID: e8a3c1f0c57d39f73528b783342952236c6dbb01d0318ec294c102895ccb9348
Opcode Fuzzy Hash: 443e3be9bcc3f3c36dc90a41a3066eeae9926e2ef06b67046493914bdbb1c614
Instruction Fuzzy Hash: D72195B1F45A097B9A165A319E93FBA33DDBF20395F480424FE049A581F730EE1483A5

Function 00AB4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00AB5007
NULL Pointer assignment, xrefs: 00AB502E, 00AB5383

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: d69ab3493e8af0b652d39a9c50f7ddfc214515e7bb67f41b340869d5603e5c2d
Instruction ID: a173d9e3bdfa1308aa7272089c4b9d59a9dcefc9ec334142debeed58dbeeb3a1
Opcode Fuzzy Hash: d69ab3493e8af0b652d39a9c50f7ddfc214515e7bb67f41b340869d5603e5c2d
Instruction Fuzzy Hash: 50D1BE71E0060AAFDF14DFA8D880BEEB7B9BF48354F148169E915AB282D771DD41CB90

Function 00A71522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 00A715CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00A71651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00A716E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00A716FB

Part of subcall function 00A63820: RtlAllocateHeap.NTDLL(00000000,?,00B01444,?,00A4FDF5,?,?,00A3A976,00000010,00B01440,00A313FC,?,00A313C6,?,00A31129), ref: 00A63852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00A71777
__freea.LIBCMT ref: 00A717A2
__freea.LIBCMT ref: 00A717AE

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: cf3fa6825a6f2a5e37d9caa3bc2cbfd724935f400fc38f8276600b3f5e7d5b7a
Instruction ID: 6c0613e018feeecf84fa39cdb71598febd2203c0818f6a4597410d4b86a06f23
Opcode Fuzzy Hash: cf3fa6825a6f2a5e37d9caa3bc2cbfd724935f400fc38f8276600b3f5e7d5b7a
Instruction Fuzzy Hash: D3919372E002169EDB288FA9CD81EEEBBF5AF45710F18C659E809E7141E735DD41CBA0

Function 00AB4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00AB4648
VariantInit.OLEAUT32(?), ref: 00AB4749
VariantClear.OLEAUT32(?), ref: 00AB4753
VariantClear.OLEAUT32(?), ref: 00AB47B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 00AB45D8, 00AB4706, 00AB47BE
Incorrect Object type in FOR..IN loop, xrefs: 00AB472C

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 9870ebfbd17808ca0eda172f965d5c81ea866b91a3fbde168948c89fd4369681
Instruction ID: 1bbab3b69818fd54f7d5f65b7a07b71d8bc775017fc0ebe9c86153a0112020e8
Opcode Fuzzy Hash: 9870ebfbd17808ca0eda172f965d5c81ea866b91a3fbde168948c89fd4369681
Instruction Fuzzy Hash: 2A916F71A00219AFDF24CFA5C854FEEBBBCEF4A714F108559F505AB282DB709945CBA0

Function 00AA1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00AA125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00AA1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00AA12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00AA12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00AA135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00AA13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00AA1430

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 25717c1082ed60706ab3807f520b4833799cead39e0e8b3c2fd6808da1e7bdbd
Instruction ID: 121778303c362103a1e5f61ba7c817d64e346c4a7fa94ba3f5c823d9a5d3cfe0
Opcode Fuzzy Hash: 25717c1082ed60706ab3807f520b4833799cead39e0e8b3c2fd6808da1e7bdbd
Instruction Fuzzy Hash: 2591C075A00209AFDB00DFA8C885BBEB7B5FF46325F118029E951EB2D1D774E946CB90

Function 00A4948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 093e41d4c88676a11f8bb195d4023c05cfe3873cdf19a0a0726a6e0fbc43f854
Instruction ID: 672ed0a978cc8b4636a80e0953a2419bbe3d272f8beeba0f46d87504d22d11ae
Opcode Fuzzy Hash: 093e41d4c88676a11f8bb195d4023c05cfe3873cdf19a0a0726a6e0fbc43f854
Instruction Fuzzy Hash: F0912475D40219EFCB10CFA9C984AEFBBB8FF89320F248159E515B7251D374AA52CB60

Function 00AB3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00AB396B
CharUpperBuffW.USER32(?,?), ref: 00AB3A7A
_wcslen.LIBCMT ref: 00AB3A8A
VariantClear.OLEAUT32(?), ref: 00AB3C1F

Part of subcall function 00AA0CDF: VariantInit.OLEAUT32(00000000), ref: 00AA0D1F
Part of subcall function 00AA0CDF: VariantCopy.OLEAUT32(?,?), ref: 00AA0D28
Part of subcall function 00AA0CDF: VariantClear.OLEAUT32(?), ref: 00AA0D34

Strings

Incorrect Parameter format, xrefs: 00AB39A6, 00AB3BA1
AUTOIT.ERROR, xrefs: 00AB3A80, 00AB3A85

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: d0233cef04d9777eb4bed531375b2cbd23874b5ce2fe89c540d79757291a5b01
Instruction ID: 63696e8566ddd4afa0ac648712da2962143ec194800563739da508b442dcb177
Opcode Fuzzy Hash: d0233cef04d9777eb4bed531375b2cbd23874b5ce2fe89c540d79757291a5b01
Instruction Fuzzy Hash: AF918C756083059FCB04DF68C58096AB7E8FF89314F14892DF88A9B352DB31EE45CB92

Function 00AB4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00A9000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A8FF41,80070057,?,?,?,00A9035E), ref: 00A9002B
Part of subcall function 00A9000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A8FF41,80070057,?,?), ref: 00A90046
Part of subcall function 00A9000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A8FF41,80070057,?,?), ref: 00A90054
Part of subcall function 00A9000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A8FF41,80070057,?), ref: 00A90064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00AB4C51
_wcslen.LIBCMT ref: 00AB4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00AB4DCF
CoTaskMemFree.OLE32(?), ref: 00AB4DDA

Strings

NULL Pointer assignment, xrefs: 00AB4E23, 00AB4E52

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 0667d41f83f60b7a591ab037dd6eb51eb1590b7261dd1336fea7d4cfe7e687bf
Instruction ID: 85aae337827b3871f8a036e7faf267f5edf9f191361499f2024968844c29fac8
Opcode Fuzzy Hash: 0667d41f83f60b7a591ab037dd6eb51eb1590b7261dd1336fea7d4cfe7e687bf
Instruction Fuzzy Hash: 2D91F771D00219AFDF14DFA4C891EEEB7B9BF08310F108169F919A7252DB749A45CFA0

Function 00AB7B7E Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00A50242: EnterCriticalSection.KERNEL32(00B0070C,00B01884,?,?,00A4198B,00B02518,?,?,?,00A312F9,00000000), ref: 00A5024D
Part of subcall function 00A50242: LeaveCriticalSection.KERNEL32(00B0070C,?,00A4198B,00B02518,?,?,?,00A312F9,00000000), ref: 00A5028A

Part of subcall function 00A39CB3: _wcslen.LIBCMT ref: 00A39CBD

Part of subcall function 00A500A3: __onexit.LIBCMT ref: 00A500A9

__Init_thread_footer.LIBCMT ref: 00AB7BFB

Part of subcall function 00A501F8: EnterCriticalSection.KERNEL32(00B0070C,?,?,00A48747,00B02514), ref: 00A50202
Part of subcall function 00A501F8: LeaveCriticalSection.KERNEL32(00B0070C,?,00A48747,00B02514), ref: 00A50235

Strings

5, xrefs: 00AB7C78
0}, xrefs: 00AB7D5C, 00AB7C50
Variable must be of type 'Object'., xrefs: 00AB7C3A
G0}, xrefs: 00AB7C96
G0}, xrefs: 00AB7CD4, 00AB7D73, 00AB7D05, 00AB7E05

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 0}$5$G0}$G0}$Variable must be of type 'Object'.
API String ID: 535116098-2126128693
Opcode ID: 3146a39bb9adbea02d22f0fe7a168c50ca5ae31af59a94752059d538dcb9956e
Instruction ID: be95785bd92a2605257c000d8a8dbd998175f3dc7eae08eee3afca31e6d0ef23
Opcode Fuzzy Hash: 3146a39bb9adbea02d22f0fe7a168c50ca5ae31af59a94752059d538dcb9956e
Instruction Fuzzy Hash: 4E918D74A04209AFCB14EF94D991DFDBBB9FF85340F108059F8069B292DBB1AE45CB51

Function 00AC20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00AC2183
GetMenuItemCount.USER32(00000000), ref: 00AC21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00AC21DD
_wcslen.LIBCMT ref: 00AC2213
GetMenuItemID.USER32(?,?), ref: 00AC224D
GetSubMenu.USER32(?,?), ref: 00AC225B

Part of subcall function 00A93A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00A93A57
Part of subcall function 00A93A3D: GetCurrentThreadId.KERNEL32 ref: 00A93A5E
Part of subcall function 00A93A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00A925B3), ref: 00A93A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00AC22E3

Part of subcall function 00A9E97B: Sleep.KERNEL32 ref: 00A9E9F3

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 698323fe5b75579938e16ecf9eee32c976476bca5b044bf45b5673be1f9e26c2
Instruction ID: d9a4176c6d2fb2bc3de62a868ac0b7104d6e452d91b57b51104de7b0731149ad
Opcode Fuzzy Hash: 698323fe5b75579938e16ecf9eee32c976476bca5b044bf45b5673be1f9e26c2
Instruction Fuzzy Hash: 18716D75A00205AFCB14EFA8C945FAEB7F5EF88320F168459E816EB351DB34ED418B90

Function 00AC7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00E65D18), ref: 00AC7F37
IsWindowEnabled.USER32(00E65D18), ref: 00AC7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00AC801E
SendMessageW.USER32(00E65D18,000000B0,?,?), ref: 00AC8051
IsDlgButtonChecked.USER32(?,?), ref: 00AC8089
GetWindowLongW.USER32(00E65D18,000000EC), ref: 00AC80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00AC80C3

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 828eb62077c596dc9e07a43662cf1d95f0a0a7ec516eda1659aae6de4961d949
Instruction ID: 803af6f568a3d509c382c952331996ef745e87a2afbf49e70c6db30637d2e34f
Opcode Fuzzy Hash: 828eb62077c596dc9e07a43662cf1d95f0a0a7ec516eda1659aae6de4961d949
Instruction Fuzzy Hash: 3571A634608204AFEB219F64C8D4FAEBBB9FF09340F16045DE995972A1CB31A845DFA0

Function 00A9AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00A9AEF9
GetKeyboardState.USER32(?), ref: 00A9AF0E
SetKeyboardState.USER32(?), ref: 00A9AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00A9AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00A9AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00A9AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00A9B020

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: eacdcc6213a17428095d195c65bc0259548d87ed14874b123e118aa8a323515f
Instruction ID: afba4d518b01876535e3efe34caa44291fe446b47986888ff66e1904c2d0c446
Opcode Fuzzy Hash: eacdcc6213a17428095d195c65bc0259548d87ed14874b123e118aa8a323515f
Instruction Fuzzy Hash: 2551C3A07147D53DFF3683348D49BBA7EE95B06304F08858AE1D9558C2C7D9ACC4D7A1

Function 00A9ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00A9AD19
GetKeyboardState.USER32(?), ref: 00A9AD2E
SetKeyboardState.USER32(?), ref: 00A9AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00A9ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00A9ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00A9AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00A9AE38

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 3ea0c7d0c1f468619292f212dd73067d74ce8272314853769c2326894da8a8f6
Instruction ID: 826ac0186019f45f5340a029e6421db83b43f31e8f6cea15b65bc58a4dd9c0b9
Opcode Fuzzy Hash: 3ea0c7d0c1f468619292f212dd73067d74ce8272314853769c2326894da8a8f6
Instruction Fuzzy Hash: 4351D7A1B047E53DFF3783348C55BBA7EE95B56300F08858AE1D9468C2D794EC88D7A2

Function 00A6542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00A73CD6,?,?,?,?,?,?,?,?,00A65BA3,?,?,00A73CD6,?,?), ref: 00A65470
__fassign.LIBCMT ref: 00A654EB
__fassign.LIBCMT ref: 00A65506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00A73CD6,00000005,00000000,00000000), ref: 00A6552C
WriteFile.KERNEL32(?,00A73CD6,00000000,00A65BA3,00000000,?,?,?,?,?,?,?,?,?,00A65BA3,?), ref: 00A6554B
WriteFile.KERNEL32(?,?,00000001,00A65BA3,00000000,?,?,?,?,?,?,?,?,?,00A65BA3,?), ref: 00A65584

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: a55c992013f1052826b42419419d978e909969f9c565c8e4c88db2bf0358977c
Instruction ID: 42b12a9aa66b10e82b42d1185a1b316f4290cc73e2ae3b592becab9b56088cd7
Opcode Fuzzy Hash: a55c992013f1052826b42419419d978e909969f9c565c8e4c88db2bf0358977c
Instruction Fuzzy Hash: 135190B1E00649AFDB10CFA8D849AEEBBF9EF19310F14415AE956E7291D6309A41CB60

Function 00A62051 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00A620C3
_free.LIBCMT ref: 00A620E3

Strings

0}, xrefs: 00A62076, 00A620B8, 00A620D8, 00A62158

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: _free
String ID: 0}
API String ID: 269201875-2321931521
Opcode ID: aa4243dd16d1a7820a4e23186d88f5c508591f43e03d4c49d445990b57e6f7c6
Instruction ID: 2504ceb1a4bd144f641a1be47e48e8b595fa8c76e9b836bf51954fe07e73d015
Opcode Fuzzy Hash: aa4243dd16d1a7820a4e23186d88f5c508591f43e03d4c49d445990b57e6f7c6
Instruction Fuzzy Hash: 2241E472A006049FCB24DFB8C981B6DB7F5EF89714F164569E915EB391DB31AD01CB80

Function 00A52D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00A52D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00A52D53
_ValidateLocalCookies.LIBCMT ref: 00A52DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00A52E0C
_ValidateLocalCookies.LIBCMT ref: 00A52E61

Strings

csm, xrefs: 00A52DF6

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: d060bf97953cef3b262830fab9b80acc1949c058a69a67e5345944d12b324209
Instruction ID: 54f52a31fbe537f5b5883ba202e5b6df4a5f65a90794e15f28bc5d1ec4450394
Opcode Fuzzy Hash: d060bf97953cef3b262830fab9b80acc1949c058a69a67e5345944d12b324209
Instruction Fuzzy Hash: C241B435E00209EBCF14DF68C885B9EBBB5BF46366F148155EC15AB392D731AA09CBD0

Function 00AB10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00AB304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00AB307A
Part of subcall function 00AB304E: _wcslen.LIBCMT ref: 00AB309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00AB1112
WSAGetLastError.WSOCK32 ref: 00AB1121
WSAGetLastError.WSOCK32 ref: 00AB11C9
closesocket.WSOCK32(00000000), ref: 00AB11F9

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 36b8f573bd1b432ca205701eb2ec0a37c438cd5ce8c8a729b109523d0e51b4d9
Instruction ID: 405d6e2a37828ec1a1e1a2d4cd52b568c71933872e5288afc2228c3eb0fe56a6
Opcode Fuzzy Hash: 36b8f573bd1b432ca205701eb2ec0a37c438cd5ce8c8a729b109523d0e51b4d9
Instruction Fuzzy Hash: D341F431600204AFDB10DF58D894BEABBEDEF45324F548159F9199B292D770AD42CBE0

Function 00A9CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00A9DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00A9CF22,?), ref: 00A9DDFD

Part of subcall function 00A9DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00A9CF22,?), ref: 00A9DE16

lstrcmpiW.KERNEL32(?,?), ref: 00A9CF45
MoveFileW.KERNEL32(?,?), ref: 00A9CF7F
_wcslen.LIBCMT ref: 00A9D005
_wcslen.LIBCMT ref: 00A9D01B
SHFileOperationW.SHELL32(?), ref: 00A9D061

Strings

\*.*, xrefs: 00A9CFF3

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 909d16e29261cc07293a8de179597684c7578389b213566026165d46d187ef0b
Instruction ID: 86ed0d40147a92cb7b091e435c3ac6d15e7d8aaee3e6685af57e745be8e85f82
Opcode Fuzzy Hash: 909d16e29261cc07293a8de179597684c7578389b213566026165d46d187ef0b
Instruction Fuzzy Hash: 65415C719452185FDF12EFA4DA81EDEB7F9AF08790F1000E6E505EB142EB34A789CB50

Function 00AC2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00AC2E1C
GetWindowLongW.USER32(?,000000F0), ref: 00AC2E4F
GetWindowLongW.USER32(?,000000F0), ref: 00AC2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00AC2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00AC2EE0
GetWindowLongW.USER32(?,000000F0), ref: 00AC2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00AC2F0B

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: e41c2688fa42e882445831441c539c34bc227995a8cc76bfc2ec01c1d46fcc52
Instruction ID: 44bac8a3c5cba74d517cc20bfc8342831195534014b164e923a19abbb1b2a7a9
Opcode Fuzzy Hash: e41c2688fa42e882445831441c539c34bc227995a8cc76bfc2ec01c1d46fcc52
Instruction Fuzzy Hash: 62310134644254AFEB21DF5CDD84FA53BE1FB9A720F1601A8F904AF2B2CB71A841DB41

Function 00A97726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A97769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A9778F
SysAllocString.OLEAUT32(00000000), ref: 00A97792
SysAllocString.OLEAUT32(?), ref: 00A977B0
SysFreeString.OLEAUT32(?), ref: 00A977B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00A977DE
SysAllocString.OLEAUT32(?), ref: 00A977EC

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 99937e3af0a4c8a7f7a7f595b6a9035bf90df938c276696d73854f119efd2d44
Instruction ID: 53610b5026779b9a0744b282acab6d9a608323354141985bc37ff82050701ac9
Opcode Fuzzy Hash: 99937e3af0a4c8a7f7a7f595b6a9035bf90df938c276696d73854f119efd2d44
Instruction Fuzzy Hash: D5216B7A614219AFDF10DFE9CD88CBF77ECAB09764B058025FA19DB260D6709C428770

Function 00A977FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A97842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A97868
SysAllocString.OLEAUT32(00000000), ref: 00A9786B
SysAllocString.OLEAUT32 ref: 00A9788C
SysFreeString.OLEAUT32 ref: 00A97895
StringFromGUID2.OLE32(?,?,00000028), ref: 00A978AF
SysAllocString.OLEAUT32(?), ref: 00A978BD

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 432f93f642456ebde227a4fbeaa1d56f10f382c1f7d39ed172cc6569883898c8
Instruction ID: 2f15bf3a98a13d264f3ed6032704fdd7c0435716d6188006a0200251ad202894
Opcode Fuzzy Hash: 432f93f642456ebde227a4fbeaa1d56f10f382c1f7d39ed172cc6569883898c8
Instruction Fuzzy Hash: B5214C36618204AFDF109BA8DC8DDAA77E8EB09760715C125F915CB2A1DA64DC82CB74

Function 00AA04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00AA04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00AA052E

Strings

nul, xrefs: 00AA0567

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: c7ed00a9e6456418ec3c88eca407fb0272f449671561a4425b6a3e863e3f1fa5
Instruction ID: e00e7a96ad87d897f9676ca6451d55d4ef495d533138e1b0a6458d4cbc6f99ce
Opcode Fuzzy Hash: c7ed00a9e6456418ec3c88eca407fb0272f449671561a4425b6a3e863e3f1fa5
Instruction Fuzzy Hash: C021AB74900306AFCF209F69DC04E9A7BB4BF46760F208A18F8A1D72E0E7719940CF20

Function 00AA05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00AA05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00AA0601

Strings

nul, xrefs: 00AA0639

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: a2f0020f6bd7af8ea9ad282ab0028d68b0c10a3e0cc03eec940190792b4a85b9
Instruction ID: 56a2b994c1417572f70e6c5cc13941ea2cf2597138978f7c4518e4ccf88ad3eb
Opcode Fuzzy Hash: a2f0020f6bd7af8ea9ad282ab0028d68b0c10a3e0cc03eec940190792b4a85b9
Instruction Fuzzy Hash: 402151755003059BDB209F69DC04E9ABBF4BF96734F204A19F9A1E72E0E7B09961CB20

Function 00AC40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A3600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00A3604C
Part of subcall function 00A3600E: GetStockObject.GDI32(00000011), ref: 00A36060
Part of subcall function 00A3600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A3606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00AC4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00AC411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00AC412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00AC4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00AC4145

Strings

Msctls_Progress32, xrefs: 00AC40E3

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 8d367919d8adc08686e03690949543dcec6b0450003064b5f88ef55559b51579
Instruction ID: 9ead98862af9fb388de814e43350642a506392ead501a49bd389b232f73b9917
Opcode Fuzzy Hash: 8d367919d8adc08686e03690949543dcec6b0450003064b5f88ef55559b51579
Instruction Fuzzy Hash: D01193B11402197EEF118F64CC85EE77F9DEF08798F018111FA18A2050C6769C219BA4

Function 00A6D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00A6D7A3: _free.LIBCMT ref: 00A6D7CC

_free.LIBCMT ref: 00A6D82D

Part of subcall function 00A629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00A6D7D1,00000000,00000000,00000000,00000000,?,00A6D7F8,00000000,00000007,00000000,?,00A6DBF5,00000000), ref: 00A629DE
Part of subcall function 00A629C8: GetLastError.KERNEL32(00000000,?,00A6D7D1,00000000,00000000,00000000,00000000,?,00A6D7F8,00000000,00000007,00000000,?,00A6DBF5,00000000,00000000), ref: 00A629F0

_free.LIBCMT ref: 00A6D838
_free.LIBCMT ref: 00A6D843
_free.LIBCMT ref: 00A6D897
_free.LIBCMT ref: 00A6D8A2
_free.LIBCMT ref: 00A6D8AD
_free.LIBCMT ref: 00A6D8B8

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 460f6728d6410ae031f8b45db90be890dbebb3b1cdcb29d6489c1345cac030d2
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 16113372B40B04BAD521BFF0CD47FCB7BFCAF84780F444825B299AA492DA75B5054751

Function 00A9DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00A9DA74
LoadStringW.USER32(00000000), ref: 00A9DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00A9DA91
LoadStringW.USER32(00000000), ref: 00A9DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00A9DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00A9DAB9

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 6264d93619cf6443ebd17b1ed7e092ab02e79e8580d5f5739abf8c675ea78345
Instruction ID: 3ebec059dfddba25a7689c5c46184a40c1513c1505e09d101c1b201912d1c4cd
Opcode Fuzzy Hash: 6264d93619cf6443ebd17b1ed7e092ab02e79e8580d5f5739abf8c675ea78345
Instruction Fuzzy Hash: 4B0162F25002087FEB10EBE49D89EE7326CE708311F400595F74AE2041EA749E854F74

Function 00AA096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00E5D9F0,00E5D9F0), ref: 00AA097B
EnterCriticalSection.KERNEL32(00E5D9D0,00000000), ref: 00AA098D
TerminateThread.KERNEL32(?,000001F6), ref: 00AA099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00AA09A9
CloseHandle.KERNEL32(?), ref: 00AA09B8
InterlockedExchange.KERNEL32(00E5D9F0,000001F6), ref: 00AA09C8
LeaveCriticalSection.KERNEL32(00E5D9D0), ref: 00AA09CF

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 81400910e67ee8ef73bb9478390c569e701c1563cf07a73c766da5af0ef31c3e
Instruction ID: aeb2eba6c7e7b7b0aa2595d2246d73d25ab0c5f2ae8c6760eb0aa59c0572a8e1
Opcode Fuzzy Hash: 81400910e67ee8ef73bb9478390c569e701c1563cf07a73c766da5af0ef31c3e
Instruction Fuzzy Hash: 94F01972442A12EBD741ABA4EE88ED6BB29FF01712F412026F206918A0C7749466CF90

Function 00A35D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00A35D30
GetWindowRect.USER32(?,?), ref: 00A35D71
ScreenToClient.USER32(?,?), ref: 00A35D99
GetClientRect.USER32(?,?), ref: 00A35ED7
GetWindowRect.USER32(?,?), ref: 00A35EF8

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 3c190329860aed62669ff47eff18042ef641d8b9de652d995792d92117748fa8
Instruction ID: 1fa3f9f259376b5e6f79baac902ed74b575e02c9a2bf5c9c09f7af2d550a169b
Opcode Fuzzy Hash: 3c190329860aed62669ff47eff18042ef641d8b9de652d995792d92117748fa8
Instruction Fuzzy Hash: EAB15735A00A4ADBDB14CFB9C8807EAB7F1FF58310F24D41AE8A9D7250DB34AA51DB54

Function 00A601B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00A600BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A600D6
__allrem.LIBCMT ref: 00A600ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A6010B
__allrem.LIBCMT ref: 00A60122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A60140

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: b439b86183ab481539a938bc0c50e7f62f10495d472cecdca9125a329fedadcd
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: A281D472A00706AFE7249F68CD41F6B73F9EF41724F24463AF951DA681E770D9848B90

Function 00AB1D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00AB3149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,00AB101C,00000000,?,?,00000000), ref: 00AB3195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00AB1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00AB1DE1
WSAGetLastError.WSOCK32 ref: 00AB1DF2
inet_ntoa.WSOCK32(?), ref: 00AB1E8C
htons.WSOCK32(?,?,?,?,?), ref: 00AB1EDB
_strlen.LIBCMT ref: 00AB1F35

Part of subcall function 00A939E8: _strlen.LIBCMT ref: 00A939F2

Part of subcall function 00A36D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,00A4CF58,?,?,?), ref: 00A36DBA
Part of subcall function 00A36D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,00A4CF58,?,?,?), ref: 00A36DED

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: a00e87f2cac13e94fae1ffe17172fa9beef4ad4d44ef2bdc2cbc64e3aeb52339
Instruction ID: 014f1c121a3c6248c6759746f77223bc817e476e6c99962d18293dc5c4b5725f
Opcode Fuzzy Hash: a00e87f2cac13e94fae1ffe17172fa9beef4ad4d44ef2bdc2cbc64e3aeb52339
Instruction Fuzzy Hash: 9FA1CF31604340AFC724DF24C8A5FAA7BE9AF84318F94894CF5565B2A3DB31ED46CB91

Function 00A661FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00A582D9,00A582D9,?,?,?,00A6644F,00000001,00000001,8BE85006), ref: 00A66258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00A6644F,00000001,00000001,8BE85006,?,?,?), ref: 00A662DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00A663D8
__freea.LIBCMT ref: 00A663E5

Part of subcall function 00A63820: RtlAllocateHeap.NTDLL(00000000,?,00B01444,?,00A4FDF5,?,?,00A3A976,00000010,00B01440,00A313FC,?,00A313C6,?,00A31129), ref: 00A63852

__freea.LIBCMT ref: 00A663EE
__freea.LIBCMT ref: 00A66413

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: efddfc11d0eba9a2cd88325f5460bdcee2310521588b27eb421bcf20cd5d5e15
Instruction ID: ce513fb1db27f8769051a68146c7d6cf67003ab59c16200ff4f152e055f7d0fc
Opcode Fuzzy Hash: efddfc11d0eba9a2cd88325f5460bdcee2310521588b27eb421bcf20cd5d5e15
Instruction Fuzzy Hash: D051A072A00216ABEB258F64DD81EAF7BB9EF45750F154629FD05DB240EB34DC41C6A0

Function 00ABBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A39CB3: _wcslen.LIBCMT ref: 00A39CBD

Part of subcall function 00ABC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00ABB6AE,?,?), ref: 00ABC9B5
Part of subcall function 00ABC998: _wcslen.LIBCMT ref: 00ABC9F1
Part of subcall function 00ABC998: _wcslen.LIBCMT ref: 00ABCA68
Part of subcall function 00ABC998: _wcslen.LIBCMT ref: 00ABCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00ABBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00ABBD25
RegCloseKey.ADVAPI32(00000000), ref: 00ABBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00ABBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00ABBDF3
RegCloseKey.ADVAPI32(?), ref: 00ABBDFF

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 4d6926325c144f6517bb0bb963b0d744bf38bbdb34526ccce7bc0583602ac519
Instruction ID: c1488c330a5eef1ba3e720700a62ee3445ef59cc93fa191ce2ed0dce4d21fc92
Opcode Fuzzy Hash: 4d6926325c144f6517bb0bb963b0d744bf38bbdb34526ccce7bc0583602ac519
Instruction Fuzzy Hash: 8581A030218241EFD714DF24C991E6ABBE9FF84318F14895CF4994B2A2DB71ED45CBA2

Function 00A8F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00A8F7B9
SysAllocString.OLEAUT32(00000001), ref: 00A8F860
VariantCopy.OLEAUT32(00A8FA64,00000000), ref: 00A8F889
VariantClear.OLEAUT32(00A8FA64), ref: 00A8F8AD
VariantCopy.OLEAUT32(00A8FA64,00000000), ref: 00A8F8B1
VariantClear.OLEAUT32(?), ref: 00A8F8BB

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 25573c1c039b98baec5b918cfeeaff91670197390f143d319809d8842195b920
Instruction ID: 1aa0dba034282e2a274ef8802c0811e8f0a373297a378f0198809bdf7044cd9a
Opcode Fuzzy Hash: 25573c1c039b98baec5b918cfeeaff91670197390f143d319809d8842195b920
Instruction Fuzzy Hash: E451B335A00312BECF24BF65D995B29B3A9EF45310F249467F906DF292DB708C40CBA6

Function 00AA910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00A37620: _wcslen.LIBCMT ref: 00A37625

Part of subcall function 00A36B57: _wcslen.LIBCMT ref: 00A36B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00AA94E5
_wcslen.LIBCMT ref: 00AA9506
_wcslen.LIBCMT ref: 00AA952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00AA9585

Strings

X, xrefs: 00AA9412

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 7a93655015eddbaad6d9a505d2d2cfa68f0021c0075731a17f148abdca97ca30
Instruction ID: 39259b731e92a1fe73c1a974a71d75e6e43d4cb7fde5ac96a4757b0f254034a4
Opcode Fuzzy Hash: 7a93655015eddbaad6d9a505d2d2cfa68f0021c0075731a17f148abdca97ca30
Instruction Fuzzy Hash: DAE19F319083019FDB24DF24C981B6BB7E4BF85314F04896DF89A9B2A2DB31DD05CB92

Function 00A4920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00A49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A49BB2

BeginPaint.USER32(?,?,?), ref: 00A49241
GetWindowRect.USER32(?,?), ref: 00A492A5
ScreenToClient.USER32(?,?), ref: 00A492C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00A492D3
EndPaint.USER32(?,?,?,?,?), ref: 00A49321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00A871EA

Part of subcall function 00A49339: BeginPath.GDI32(00000000), ref: 00A49357

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 0e5263c22e970f3087d54832d5949a8f60815e220dcde07d2269b2228964be4c
Instruction ID: 16fc395deb905993844201f02e1a574b107c8622712cee21b2472815f6c63904
Opcode Fuzzy Hash: 0e5263c22e970f3087d54832d5949a8f60815e220dcde07d2269b2228964be4c
Instruction Fuzzy Hash: 23419D34104200AFD721DF68CC88FAB7BB8EB96720F140669F9948B2B1CB719856DB61

Function 00AA07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00AA080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00AA0847
EnterCriticalSection.KERNEL32(?), ref: 00AA0863
LeaveCriticalSection.KERNEL32(?), ref: 00AA08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00AA08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00AA0921

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: a66a8e3fe0dc6256b982de78508da61529f99a120db3cb3c404d88cfc0c324f8
Instruction ID: 0221a169724fd1c0a005dbbc6856bca0aed0f71c264bbcfe47b36a736edcaaee
Opcode Fuzzy Hash: a66a8e3fe0dc6256b982de78508da61529f99a120db3cb3c404d88cfc0c324f8
Instruction Fuzzy Hash: 6A419871900205EFDF04EF94DC85AAAB7B8FF44310F1440A9ED049B296DB34DE66CBA4

Function 00AC81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00A8F3AB,00000000,?,?,00000000,?,00A8682C,00000004,00000000,00000000), ref: 00AC824C
EnableWindow.USER32(?,00000000), ref: 00AC8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00AC82D1
ShowWindow.USER32(?,00000004), ref: 00AC82E5
EnableWindow.USER32(?,00000001), ref: 00AC830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00AC832F

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 23451c88d9354cb19cfaf61cf0ae50862dac62463e8cfb806cd6c1040af7083a
Instruction ID: 89641f3896d4a260605bc57fcd64370c0f829785740e555ca01c4681eda0257a
Opcode Fuzzy Hash: 23451c88d9354cb19cfaf61cf0ae50862dac62463e8cfb806cd6c1040af7083a
Instruction Fuzzy Hash: D841B374601644EFDB25CF19C899FE47BE0FB4A714F1A52ADE5184F2B2CB35A842CB50

Function 00A94C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00A94C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00A94CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00A94CEA
_wcslen.LIBCMT ref: 00A94D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00A94D10
_wcsstr.LIBVCRUNTIME ref: 00A94D1A

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: e25c32f1813092588d4e7a029575e69eb8a1f91d2e3599c60392c2cbe074c231
Instruction ID: 895e5ca9a9bc49597561ad800024bcffcb62acc30334672ec4197efac0725df8
Opcode Fuzzy Hash: e25c32f1813092588d4e7a029575e69eb8a1f91d2e3599c60392c2cbe074c231
Instruction Fuzzy Hash: F221F676704200BFEF159B79AD4AE7B7BECDF49760F108029F809CA191EA65DC4297A0

Function 00AA581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00A33AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A33A97,?,?,00A32E7F,?,?,?,00000000), ref: 00A33AC2

_wcslen.LIBCMT ref: 00AA587B
CoInitialize.OLE32(00000000), ref: 00AA5995
CoCreateInstance.OLE32(00ACFCF8,00000000,00000001,00ACFB68,?), ref: 00AA59AE
CoUninitialize.OLE32 ref: 00AA59CC

Strings

.lnk, xrefs: 00AA5876, 00AA58C1, 00AA5985

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: ee053985d91b4e092f832c78d0946a1e1de5f799632e6a57ff0079344f968f59
Instruction ID: 2970282a27cf82a8147139ce6d60695e86e01dcf30a4463d0b40fb847935f403
Opcode Fuzzy Hash: ee053985d91b4e092f832c78d0946a1e1de5f799632e6a57ff0079344f968f59
Instruction Fuzzy Hash: 3ED15475A087019FC714DF25C584A2ABBE1FF8A720F14885DF88A9B3A1D731EC45CB92

Function 00A9175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A90FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00A90FCA
Part of subcall function 00A90FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00A90FD6
Part of subcall function 00A90FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00A90FE5
Part of subcall function 00A90FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00A90FEC
Part of subcall function 00A90FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00A91002

GetLengthSid.ADVAPI32(?,00000000,00A91335), ref: 00A917AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00A917BA
HeapAlloc.KERNEL32(00000000), ref: 00A917C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00A917DA
GetProcessHeap.KERNEL32(00000000,00000000,00A91335), ref: 00A917EE
HeapFree.KERNEL32(00000000), ref: 00A917F5

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: cf15c5c50d9c6fe143e6f290b708ca8d8756e6f2ef75f8cdc66da6955c1f0961
Instruction ID: 718374c0641629893f9f36cecb9f18077d49898525ad59bb32b8fef0cbdc7051
Opcode Fuzzy Hash: cf15c5c50d9c6fe143e6f290b708ca8d8756e6f2ef75f8cdc66da6955c1f0961
Instruction Fuzzy Hash: 43115632A00606EFDF10DBE5CC49FAE7BE9EB45365F154118E486A7220D736A945CB60

Function 00A914CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00A914FF
OpenProcessToken.ADVAPI32(00000000), ref: 00A91506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00A91515
CloseHandle.KERNEL32(00000004), ref: 00A91520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00A9154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00A91563

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 670677d5fa13959a8dac34758e32c97cac61fceca64f11c7045ba1f58a2ab154
Instruction ID: 23f099fa3305a0e4c96ab0d5b2172a797278da7a4a38692e5ebb840bdc3650b4
Opcode Fuzzy Hash: 670677d5fa13959a8dac34758e32c97cac61fceca64f11c7045ba1f58a2ab154
Instruction Fuzzy Hash: 801117B660024AABDF11CF98ED49FDA7BA9FB48754F064015FA09A2160C3758E619B60

Function 00A53382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00A53379,00A52FE5), ref: 00A53390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00A5339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00A533B7
SetLastError.KERNEL32(00000000,?,00A53379,00A52FE5), ref: 00A53409

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 2f4fbe5ee3d530e603e125ff0982f09ffab8abe0395ad9d72790389b153c53f2
Instruction ID: ccf13e8eb458c5bb90976c83f12ff1732835f9338f7a9427fadd97cc3f4b1474
Opcode Fuzzy Hash: 2f4fbe5ee3d530e603e125ff0982f09ffab8abe0395ad9d72790389b153c53f2
Instruction Fuzzy Hash: D4019233609715AAEE1567F57E859672A64FB853BB720022DFC10892F1EE314D0B9548

Function 00A62D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00A65686,00A73CD6,?,00000000,?,00A65B6A,?,?,?,?,?,00A5E6D1,?,00AF8A48), ref: 00A62D78
_free.LIBCMT ref: 00A62DAB
_free.LIBCMT ref: 00A62DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00A5E6D1,?,00AF8A48,00000010,00A34F4A,?,?,00000000,00A73CD6), ref: 00A62DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00A5E6D1,?,00AF8A48,00000010,00A34F4A,?,?,00000000,00A73CD6), ref: 00A62DEC
_abort.LIBCMT ref: 00A62DF2

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: d9cabc7c4f12f59d3a794f04571078a0cf26614451cf4039e7d9ac068b818aa5
Instruction ID: 2c6d5732e069cb13990b4b8c296ce7a9b62be48a605eb77647d454efec07a3f1
Opcode Fuzzy Hash: d9cabc7c4f12f59d3a794f04571078a0cf26614451cf4039e7d9ac068b818aa5
Instruction Fuzzy Hash: 7DF0C832A44E01A7D61277B9BE16F6E2579AFC27B1F250518F828972D2EF2488034360

Function 00AC8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00A49639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A49693
Part of subcall function 00A49639: SelectObject.GDI32(?,00000000), ref: 00A496A2
Part of subcall function 00A49639: BeginPath.GDI32(?), ref: 00A496B9
Part of subcall function 00A49639: SelectObject.GDI32(?,00000000), ref: 00A496E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00AC8A4E
LineTo.GDI32(?,00000003,00000000), ref: 00AC8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00AC8A70
LineTo.GDI32(?,00000000,00000003), ref: 00AC8A80
EndPath.GDI32(?), ref: 00AC8A90
StrokePath.GDI32(?), ref: 00AC8AA0

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 672a82e8e918d05a848d10bed10fa49db2e23e00b5c83df18e7d3d631c22d51f
Instruction ID: 779d593ec0395d0a31b192eec0048a6cbffa6fd1de9c5a844dfafe9cc374b508
Opcode Fuzzy Hash: 672a82e8e918d05a848d10bed10fa49db2e23e00b5c83df18e7d3d631c22d51f
Instruction Fuzzy Hash: 41110976400108FFDB129F94EC88EAA7F6CEB083A0F058016FA599A1A1C7719D56DFA0

Function 00A951FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00A95218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00A95229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A95230
ReleaseDC.USER32(00000000,00000000), ref: 00A95238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00A9524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00A95261

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 96acf4b8e59f6515a8a8d5156017c3fda1fa77618a3d4a129975c5ea5568e7c5
Instruction ID: c7c62a8eadd596e2ee1744dcd76dd895886d25f991e7e9c5a96189cee3166b16
Opcode Fuzzy Hash: 96acf4b8e59f6515a8a8d5156017c3fda1fa77618a3d4a129975c5ea5568e7c5
Instruction Fuzzy Hash: F2018475E01704BBEF109BF59D49E4EBFB8EF44361F044065FA08AB280D6709C01CB60

Function 00A31BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00A31BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00A31BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00A31C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00A31C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00A31C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A31C22

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: eb122ef2283404c6360c62068cdd4ac4557995ea68408d55bda7fdd47d6f13dd
Instruction ID: 76be41e147b9fc295e59f1d0bfaf1d2f6da812e47fb623b72890bc4bcffafeba
Opcode Fuzzy Hash: eb122ef2283404c6360c62068cdd4ac4557995ea68408d55bda7fdd47d6f13dd
Instruction Fuzzy Hash: 980167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BE15C4BA42C7F5A864CBE5

Function 00A9EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00A9EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00A9EB46
GetWindowThreadProcessId.USER32(?,?), ref: 00A9EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A9EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A9EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A9EB75

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 03acd30e6a149520be528514770a90e3e4b84e1e1a5e6d7e419c15833a886903
Instruction ID: 9a778d462f03ad28f4316ca3bed1fdf6857bcd83737fa1537361a4a6c2f1e820
Opcode Fuzzy Hash: 03acd30e6a149520be528514770a90e3e4b84e1e1a5e6d7e419c15833a886903
Instruction Fuzzy Hash: 62F0BE72600158BBE7209BA39C0EEEF3E7CEFCAB25F010158F605D1091D7A01A02C6B4

Function 00A87439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00A87452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00A87469
GetWindowDC.USER32(?), ref: 00A87475
GetPixel.GDI32(00000000,?,?), ref: 00A87484
ReleaseDC.USER32(?,00000000), ref: 00A87496
GetSysColor.USER32(00000005), ref: 00A874B0

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: fb5ebd68847a7f1539f0b4c4667050977e3b9db46480c356e7cd46402b22b55b
Instruction ID: efe6c27528009b23af6a6228e7b0f980c4a3be7db6c4b3ab26559f1f3cac3efa
Opcode Fuzzy Hash: fb5ebd68847a7f1539f0b4c4667050977e3b9db46480c356e7cd46402b22b55b
Instruction Fuzzy Hash: FD014B31400215EFDB51AFA4DD08FAE7BB5FB04321F660164F91AA21A1CF311E52AB50

Function 00A91874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00A9187F
UnloadUserProfile.USERENV(?,?), ref: 00A9188B
CloseHandle.KERNEL32(?), ref: 00A91894
CloseHandle.KERNEL32(?), ref: 00A9189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00A918A5
HeapFree.KERNEL32(00000000), ref: 00A918AC

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: bded03fc369bedd28d50395dae2fbab03fae0a9fa8370db3981ea95589f21e2f
Instruction ID: 61b90f4b0f955f73267e7ed48a522904e58a18b0b13ef6f34d9f69dea9a898ba
Opcode Fuzzy Hash: bded03fc369bedd28d50395dae2fbab03fae0a9fa8370db3981ea95589f21e2f
Instruction Fuzzy Hash: 1BE0C23A404501BBDB019BE2ED0CD0ABB29FB49B32B128220F22985570CB329422DB50

Function 00A9C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A37620: _wcslen.LIBCMT ref: 00A37625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A9C6EE
_wcslen.LIBCMT ref: 00A9C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A9C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00A9C7CA

Strings

0, xrefs: 00A9C6AF

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 948e6c9e251f53f5d09404d4fe84828a2cc26cee42a5a9f99630138085d1cbf6
Instruction ID: f8f82f5a05246df5f5bf7b9d41ff9bada574ad6a34205203839040a6b57e0c92
Opcode Fuzzy Hash: 948e6c9e251f53f5d09404d4fe84828a2cc26cee42a5a9f99630138085d1cbf6
Instruction Fuzzy Hash: 7151CB717047409BDB14DFA8C985B6BBBE8AF89324F041A2DF995E71E0DB70D904CB92

Function 00ABAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00ABAEA3

Part of subcall function 00A37620: _wcslen.LIBCMT ref: 00A37625

GetProcessId.KERNEL32(00000000), ref: 00ABAF38
CloseHandle.KERNEL32(00000000), ref: 00ABAF67

Strings

@, xrefs: 00ABAE72
<, xrefs: 00ABAE6B

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 1d69b11c9832d6a8880839d40d18ead49ab06ad456bd7393192ca0c5685a27a2
Instruction ID: 66546a692a6f4eb5fa4035040e796b70ddc9c1996b52700252e9b3d2fc30121d
Opcode Fuzzy Hash: 1d69b11c9832d6a8880839d40d18ead49ab06ad456bd7393192ca0c5685a27a2
Instruction Fuzzy Hash: EC717675A00618DFCB14DFA4C584A9EBBF4FF08310F048499E85AAB3A2CB74ED41CB91

Function 00A9719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00A97206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00A9723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00A9724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00A972CF

Strings

DllGetClassObject, xrefs: 00A97242

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 785f42a1c37eb56071b57aa3a99d6825b111d08007c82469b1599dde631b85df
Instruction ID: 87f882b685e4685f23bc243f0c40a7861b2dedee4db60d174ddd586476f21a0e
Opcode Fuzzy Hash: 785f42a1c37eb56071b57aa3a99d6825b111d08007c82469b1599dde631b85df
Instruction Fuzzy Hash: D3413B71A24204AFDF15CF94C884A9E7BE9EF84710F2580A9BD099F20AD7B1D945CBB0

Function 00AC3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AC3E35
IsMenu.USER32(?), ref: 00AC3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00AC3E92
DrawMenuBar.USER32 ref: 00AC3EA5

Strings

0, xrefs: 00AC3D89

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 1c6c3591bad08d0d006b16be741284f4b61405a65fac929d99b9d07442da5b28
Instruction ID: 92afb2be67fffdb39bfcecaf8c900f336a7bed4910b5fe5d3c5d589440ea55ba
Opcode Fuzzy Hash: 1c6c3591bad08d0d006b16be741284f4b61405a65fac929d99b9d07442da5b28
Instruction Fuzzy Hash: 6F411876A01209AFDF10DF94D884EAABBF5FF49364F05812DE905A7250D730AE45CB60

Function 00A91DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A39CB3: _wcslen.LIBCMT ref: 00A39CBD

Part of subcall function 00A93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A93CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00A91E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00A91E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00A91EA9

Part of subcall function 00A36B57: _wcslen.LIBCMT ref: 00A36B6A

Strings

ListBox, xrefs: 00A91E25
ComboBox, xrefs: 00A91DF0

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 64747a65d13eeb5cbca6ee85491f9f2ffb9cf9b6b379d05d998ea8e9a84221da
Instruction ID: abe5ea43a4499476dd5000154992286556485d07fce75689e2341702ea477059
Opcode Fuzzy Hash: 64747a65d13eeb5cbca6ee85491f9f2ffb9cf9b6b379d05d998ea8e9a84221da
Instruction Fuzzy Hash: 6A21F175A00108BFDF14ABA4DE4ACFFB7F8EF45360F104519F925A71E1DB78490A8A20

Function 00ABC9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00ABC9F1
_wcslen.LIBCMT ref: 00ABCA68
_wcslen.LIBCMT ref: 00ABCA9E
_wcslen.LIBCMT ref: 00ABCAF9
_wcslen.LIBCMT ref: 00ABCB2F
_wcslen.LIBCMT ref: 00ABCB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 00ABCA62, 00ABCA67
HKLM, xrefs: 00ABCA98, 00ABCA9D

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: f1f02da4b4584ad5611a83b80ec5cfb8190c18d9fad1e03711163e27eae71be6
Instruction ID: b3e2151fcd81d9dfb242eb5133c58b38f3669c01d0bfa100173d473f778874e1
Opcode Fuzzy Hash: f1f02da4b4584ad5611a83b80ec5cfb8190c18d9fad1e03711163e27eae71be6
Instruction Fuzzy Hash: 0B31A77360016A8ACB20DF6C99419FF379B5BA17E4F15401DFC55AB246EA71CD8493A0

Function 00AC2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00AC2F8D
LoadLibraryW.KERNEL32(?), ref: 00AC2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00AC2FA9
DestroyWindow.USER32(?), ref: 00AC2FB1

Strings

SysAnimate32, xrefs: 00AC2F68

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 912722e4a86a6dd2b34872293819eb7964cf48700e3849cd91b1d851094b2276
Instruction ID: 0dba8262b8ad499f1cff7c8afcd19067e74bb1a162cdf7581be8db340e00790e
Opcode Fuzzy Hash: 912722e4a86a6dd2b34872293819eb7964cf48700e3849cd91b1d851094b2276
Instruction Fuzzy Hash: AE21CD71200209ABEF218FA4DC80FBB77BDEB59364F12561CFA50D6190DB71DC6197A0

Function 00A54D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00A54D1E,00A628E9,?,00A54CBE,00A628E9,00AF88B8,0000000C,00A54E15,00A628E9,00000002), ref: 00A54D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00A54DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00A54D1E,00A628E9,?,00A54CBE,00A628E9,00AF88B8,0000000C,00A54E15,00A628E9,00000002,00000000), ref: 00A54DC3

Strings

mscoree.dll, xrefs: 00A54D86
CorExitProcess, xrefs: 00A54D98

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: f1c722b1989755280ab58dc7e23c8cdc183a64b213db36a318e164d09c8d0bf1
Instruction ID: 4ce248ada902170b640ec7ae2c5ed18066875d71617de39cb5040105c99500bf
Opcode Fuzzy Hash: f1c722b1989755280ab58dc7e23c8cdc183a64b213db36a318e164d09c8d0bf1
Instruction Fuzzy Hash: 59F04F35A40208BBEB119FD1DC49FAEBFB5FF48766F0501A5FD0AA6260CB345985CB90

Function 00A34E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00A34EDD,?,(o,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A34E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00A34EAE
FreeLibrary.KERNEL32(00000000,?,?,00A34EDD,?,(o,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A34EC0

Strings

kernel32.dll, xrefs: 00A34E94
Wow64DisableWow64FsRedirection, xrefs: 00A34EA8

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: d736b95037030f4c3d8c075876fcc6f180a9ba5c4a2101eef75662fa6d804c8c
Instruction ID: 4cab6196224e02b86b9e1467d58962e8709fa975e5ffb557116916a36fb0e6aa
Opcode Fuzzy Hash: d736b95037030f4c3d8c075876fcc6f180a9ba5c4a2101eef75662fa6d804c8c
Instruction Fuzzy Hash: 8EE0CD36E055226FD33157666C18FAF6554BFC5F72F1A0215FD08E2110DB64DD0340A0

Function 00A34E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00A73CDE,?,(o,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A34E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00A34E74
FreeLibrary.KERNEL32(00000000,?,?,00A73CDE,?,(o,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00A34E87

Strings

kernel32.dll, xrefs: 00A34E5B
Wow64RevertWow64FsRedirection, xrefs: 00A34E6E

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: e103a71ec66532c85dd7aa6746c61d31c555a18a8f4413c38b0f45ce729f9ce9
Instruction ID: 99f64784b8abf688b9e2da61fcad41a4dac437ee3b3948bf220876930cbb3b38
Opcode Fuzzy Hash: e103a71ec66532c85dd7aa6746c61d31c555a18a8f4413c38b0f45ce729f9ce9
Instruction Fuzzy Hash: 21D012369026216BDA225BA6AC18EDB6A18BF89F7171A0615F909A2114CF64DD0385D0

Function 00AA2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00AA2C05
DeleteFileW.KERNEL32(?), ref: 00AA2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00AA2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00AA2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00AA2CC0

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 754dec4928dcbb8cef409360812283b1ef639a2526abf93634c86f0611232b83
Instruction ID: 1d9629f00c70b1540246c52d38dea04893e35b13651a731c8975f753496ad196
Opcode Fuzzy Hash: 754dec4928dcbb8cef409360812283b1ef639a2526abf93634c86f0611232b83
Instruction Fuzzy Hash: D5B16D71D00119ABDF25EFA8CD85EDEB7BDEF49350F1040A6FA09E7181EB319A548B60

Function 00ABA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00ABA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00ABA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00ABA468
CloseHandle.KERNEL32(?), ref: 00ABA63D

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 96870803bcbf6ef2de6142a0f2e8e1a36a3365dbbbcf6336fdf31f251460d7bb
Instruction ID: 72a981571ff6ed04351bd06f39ed8c47971aeed39f0a9e270f5d114321bc4213
Opcode Fuzzy Hash: 96870803bcbf6ef2de6142a0f2e8e1a36a3365dbbbcf6336fdf31f251460d7bb
Instruction Fuzzy Hash: 75A1A175604300AFD720DF24C986F2AB7E5AF94714F14881DF69A9B392DB70EC41CB92

Function 00A9E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00A9DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00A9CF22,?), ref: 00A9DDFD

Part of subcall function 00A9DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00A9CF22,?), ref: 00A9DE16

Part of subcall function 00A9E199: GetFileAttributesW.KERNEL32(?,00A9CF95), ref: 00A9E19A

lstrcmpiW.KERNEL32(?,?), ref: 00A9E473
MoveFileW.KERNEL32(?,?), ref: 00A9E4AC
_wcslen.LIBCMT ref: 00A9E5EB
_wcslen.LIBCMT ref: 00A9E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00A9E650

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 22e2e386e2aa28e8aaa93b7429454246be75c87bcf554532eb2f6b5029c96eaa
Instruction ID: b1bddb0f08931cd946bd1ffca22bf36811239fb0badc2bc2f04500e6429b61f0
Opcode Fuzzy Hash: 22e2e386e2aa28e8aaa93b7429454246be75c87bcf554532eb2f6b5029c96eaa
Instruction Fuzzy Hash: 3F5163B25083459BCB24EB90DD819DFB3ECAF84350F00491EF689D3192EF75A688C766

Function 00ABB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A39CB3: _wcslen.LIBCMT ref: 00A39CBD

Part of subcall function 00ABC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00ABB6AE,?,?), ref: 00ABC9B5
Part of subcall function 00ABC998: _wcslen.LIBCMT ref: 00ABC9F1
Part of subcall function 00ABC998: _wcslen.LIBCMT ref: 00ABCA68
Part of subcall function 00ABC998: _wcslen.LIBCMT ref: 00ABCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00ABBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00ABBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00ABBB63
RegCloseKey.ADVAPI32(?,?), ref: 00ABBBA6
RegCloseKey.ADVAPI32(00000000), ref: 00ABBBB3

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 87f376e64fc093ad885fe8ed2f768affcecddf9bca85b89cd0d4cb8c23b0e9c2
Instruction ID: ab5920ae00381872ec5ff120df2baee62d16abc218fa278888bb136a898c20c8
Opcode Fuzzy Hash: 87f376e64fc093ad885fe8ed2f768affcecddf9bca85b89cd0d4cb8c23b0e9c2
Instruction Fuzzy Hash: 6461A031218241EFD714DF14C890E6ABBE9FF84358F14895CF4998B2A2DB71ED45CBA2

Function 00A98BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A98BCD
VariantClear.OLEAUT32 ref: 00A98C3E
VariantClear.OLEAUT32 ref: 00A98C9D
VariantClear.OLEAUT32(?), ref: 00A98D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00A98D3B

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 4af9ba1c117ae016301a119ec7dfddeaae8b36409bca2daba70c4d023b346c42
Instruction ID: 08e6a251d9d13f97c0ef5c817b4e775d448cf4dfdacea55c0611bd0e32ad57fb
Opcode Fuzzy Hash: 4af9ba1c117ae016301a119ec7dfddeaae8b36409bca2daba70c4d023b346c42
Instruction Fuzzy Hash: 7F5156B5A00219EFCB14CF68C894EAAB7F8FF89310B158559E909DB350E734E912CB90

Function 00AA8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00AA8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00AA8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00AA8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00AA8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00AA8C5F

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: c8dd5cbe5589daf8d1520f0bfc998aeef8530e15a38caeda6a33c4a2c031eebd
Instruction ID: 50ffe6ef30beaa1539ee11e0b56f9da549ffbd01584e8a2884ac7dc8e11193b1
Opcode Fuzzy Hash: c8dd5cbe5589daf8d1520f0bfc998aeef8530e15a38caeda6a33c4a2c031eebd
Instruction Fuzzy Hash: 36513A75A002189FCB14DF65C981A6DBBF5FF49314F088458E84AAB3A2CB35ED51CF90

Function 00AB8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00AB8F40
GetProcAddress.KERNEL32(00000000,?), ref: 00AB8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00AB8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00AB9032
FreeLibrary.KERNEL32(00000000), ref: 00AB9052

Part of subcall function 00A4F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00AA1043,?,753CE610), ref: 00A4F6E6
Part of subcall function 00A4F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00A8FA64,00000000,00000000,?,?,00AA1043,?,753CE610,?,00A8FA64), ref: 00A4F70D

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 7a7452aa316e15b8c5887fcbb943ac88c95b783d08aad2731bcfb914c4cead7d
Instruction ID: 4f62ed1c7eea04880da692cb31d8e548993797d7ee546383e01fad80e64844b7
Opcode Fuzzy Hash: 7a7452aa316e15b8c5887fcbb943ac88c95b783d08aad2731bcfb914c4cead7d
Instruction Fuzzy Hash: 35514C35604205DFCB10EF68C4848ADBBB5FF49324F098098E90A9B362DB31ED86CB91

Function 00AC6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00AC6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00AC6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00AC6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00AAAB79,00000000,00000000), ref: 00AC6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00AC6CC7

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 20e982a4c3e09169a9076d78eded46a7ac7903c8fb0bd7ad109a874122fe39dd
Instruction ID: fa1883f47e9b25a92311de3326360299c3fddc105a9099b49a4494d73e4bcf34
Opcode Fuzzy Hash: 20e982a4c3e09169a9076d78eded46a7ac7903c8fb0bd7ad109a874122fe39dd
Instruction Fuzzy Hash: B741C435A08104AFDB24CF68CD58FA97BB5EB09360F16026CF999E72E1C771ED41DA90

Function 00A4912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00A49141
ScreenToClient.USER32(00000000,?), ref: 00A4915E
GetAsyncKeyState.USER32(00000001), ref: 00A49183
GetAsyncKeyState.USER32(00000002), ref: 00A4919D

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: b0c48250561b000f1429cff1aa18a21ec365fdc645680bedaeadfb2c9531eb7f
Instruction ID: 6c90c2c33c8ae93ff73ad09b376f4e6ac914c3d0fb07d47f5bb8a093d5fabdec
Opcode Fuzzy Hash: b0c48250561b000f1429cff1aa18a21ec365fdc645680bedaeadfb2c9531eb7f
Instruction Fuzzy Hash: 9941403590851AFBDF15EF68C848BEEB774FB45320F204319E429A72E0C730A950CB51

Function 00AA3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00AA38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00AA3922
TranslateMessage.USER32(?), ref: 00AA394B
DispatchMessageW.USER32(?), ref: 00AA3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AA3966

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 8893c57e600eac55c478eeb6974a4b86e4533cc950401479d3e28bf20a3178ef
Instruction ID: 79749f0170cf4e76f664c0e960872b051bab1c8fece4f8baa8310dfa2d924f35
Opcode Fuzzy Hash: 8893c57e600eac55c478eeb6974a4b86e4533cc950401479d3e28bf20a3178ef
Instruction Fuzzy Hash: 19318472904345AFEF29CB749868BB737E8EB17304F04496DF466831E0E7B49A85CB11

Function 00AACF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00AAC21E,00000000), ref: 00AACF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00AACF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00AAC21E,00000000), ref: 00AACFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00AAC21E,00000000), ref: 00AACFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00AAC21E,00000000), ref: 00AACFF2

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: cbf0ccd78197035dd3b46d62b9435a63e8b39ea55040875c04a84a8da95ff268
Instruction ID: 87be0c86c514e0f23059e6a86411784a0f8f3051f37b6d89c94cffa2679a1018
Opcode Fuzzy Hash: cbf0ccd78197035dd3b46d62b9435a63e8b39ea55040875c04a84a8da95ff268
Instruction Fuzzy Hash: A8314B71904305EFEB20DFA5C984AAEBBF9EB15365B10442EF51AD7181DB30AE41DB60

Function 00A91901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00A91915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00A919C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00A919C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00A919DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00A919E2

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: a4eeceb508c78dc645560cc7ad5a34bda42b7e8633cdb38be6a77fa293afc625
Instruction ID: f4f7b07740925f239eecf88554c3403357c156980b537ba5850d4b04d5d42739
Opcode Fuzzy Hash: a4eeceb508c78dc645560cc7ad5a34bda42b7e8633cdb38be6a77fa293afc625
Instruction Fuzzy Hash: D431C071A0021AEFDF00CFA8CD99ADE3BB5EB04325F104229F925AB2D1C7709D45CB90

Function 00AC5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00AC5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00AC579D
_wcslen.LIBCMT ref: 00AC57AF
_wcslen.LIBCMT ref: 00AC57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00AC5816

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 18c24ad6ecca93a6bc60a70181b06529d1fde5ca8206959115101006f7a3373d
Instruction ID: 354c120857d3f2a003d802d5e451cb946ae5bc17c551c7f76ebd437751dff53b
Opcode Fuzzy Hash: 18c24ad6ecca93a6bc60a70181b06529d1fde5ca8206959115101006f7a3373d
Instruction Fuzzy Hash: 3D218D31D046189ADB208FB4CD85FEE7BB8FF04324F11865AF929AA180D774AAC5CF50

Function 00AB0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00AB0951
GetForegroundWindow.USER32 ref: 00AB0968
GetDC.USER32(00000000), ref: 00AB09A4
GetPixel.GDI32(00000000,?,00000003), ref: 00AB09B0
ReleaseDC.USER32(00000000,00000003), ref: 00AB09E8

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 6ff5744200746dc17f3c20c0254ea44276b2344acacccb421da8398c03e217ca
Instruction ID: 0d13cea10d7d829ed54bb71a28c532a34f9284289fefeb9e9efc5800274afe92
Opcode Fuzzy Hash: 6ff5744200746dc17f3c20c0254ea44276b2344acacccb421da8398c03e217ca
Instruction Fuzzy Hash: A5219335600204AFD714EFA9C984EAEBBF9EF49750F058068F85AD7752CB30AC05CB50

Function 00A6CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00A6CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A6CDE9

Part of subcall function 00A63820: RtlAllocateHeap.NTDLL(00000000,?,00B01444,?,00A4FDF5,?,?,00A3A976,00000010,00B01440,00A313FC,?,00A313C6,?,00A31129), ref: 00A63852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00A6CE0F
_free.LIBCMT ref: 00A6CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00A6CE31

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 22fc4b0ee4cbacc9ad60e63a19bd7a56f8827da127df625858122e1543865436
Instruction ID: 93e9f47f67a0b464a24db314b6ffcb66637dbc0540c1a7b72ce3bb1c7d33b8af
Opcode Fuzzy Hash: 22fc4b0ee4cbacc9ad60e63a19bd7a56f8827da127df625858122e1543865436
Instruction Fuzzy Hash: 2101F772A026157FA32157B66C8CD7F797DDEC6FB13150129FD09D7200EA6A8D0281F0

Function 00A49639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A49693
SelectObject.GDI32(?,00000000), ref: 00A496A2
BeginPath.GDI32(?), ref: 00A496B9
SelectObject.GDI32(?,00000000), ref: 00A496E2

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 0025b138c3118aba75a8578ad02ae48cfb8a5ba5f1687488cc0aa4a8d86e417a
Instruction ID: bf4ad930928c04c1d75f30f52aff019842eab5d704580113ed7731a6307a5c66
Opcode Fuzzy Hash: 0025b138c3118aba75a8578ad02ae48cfb8a5ba5f1687488cc0aa4a8d86e417a
Instruction Fuzzy Hash: 05218034802305EFDB15DF69EC08BAB7BB8BBA0325F114616F414A71B0D77098A3CBA0

Function 00A95711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00A95726
_memcmp.LIBVCRUNTIME ref: 00A95744
_memcmp.LIBVCRUNTIME ref: 00A95757
_memcmp.LIBVCRUNTIME ref: 00A9576F
_memcmp.LIBVCRUNTIME ref: 00A95787

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 141041a7ca9aa1801ed2dafb89b68ba925bb6624c714d07bebf8e142a3bd995d
Instruction ID: 565e70d874c41d3e83829a34513c995427b21f907437c030b935853600d9ebed
Opcode Fuzzy Hash: 141041a7ca9aa1801ed2dafb89b68ba925bb6624c714d07bebf8e142a3bd995d
Instruction Fuzzy Hash: 010196B1B45605BE9A0956609E93FBA639DAB213A5B004825FD04AE241FB70EE1483A1

Function 00A4990E Relevance: 7.6, APIs: 5, Instructions: 59COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00A498CC
SetTextColor.GDI32(?,?), ref: 00A498D6
SetBkMode.GDI32(?,00000001), ref: 00A498E9
GetStockObject.GDI32(00000005), ref: 00A498F1
GetWindowLongW.USER32(?,000000EB), ref: 00A49952

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Color$LongModeObjectStockTextWindow
String ID:
API String ID: 1860813098-0
Opcode ID: 18ef36530a386955c1f91366c5c78f1ceecf97fb1fd972935b6b05ddbfe57f27
Instruction ID: ab2e71cb32f0820e8c5d48c305822b78d1f70440a03157e1890a8728b78f238f
Opcode Fuzzy Hash: 18ef36530a386955c1f91366c5c78f1ceecf97fb1fd972935b6b05ddbfe57f27
Instruction Fuzzy Hash: 611132361462409FDB128F65EC55EEB3B20AF92325B190159F9829B1B3CB324913CB50

Function 00A62DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00A5F2DE,00A63863,00B01444,?,00A4FDF5,?,?,00A3A976,00000010,00B01440,00A313FC,?,00A313C6), ref: 00A62DFD
_free.LIBCMT ref: 00A62E32
_free.LIBCMT ref: 00A62E59
SetLastError.KERNEL32(00000000,00A31129), ref: 00A62E66
SetLastError.KERNEL32(00000000,00A31129), ref: 00A62E6F

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: c0439f11d78f30399e3d7292c5e8cb8e22e9a54bd016eb4d3aaa8a1d1ae4a05d
Instruction ID: ff5f0efadc145767f9c2272ea531b3867e0084caa7be4cc594aad47f032974f8
Opcode Fuzzy Hash: c0439f11d78f30399e3d7292c5e8cb8e22e9a54bd016eb4d3aaa8a1d1ae4a05d
Instruction Fuzzy Hash: 5101F936645E0067C71267B56E45F2B1D7DABD13B1B250134F425922D2EB258C024320

Function 00A9000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A8FF41,80070057,?,?,?,00A9035E), ref: 00A9002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A8FF41,80070057,?,?), ref: 00A90046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A8FF41,80070057,?,?), ref: 00A90054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A8FF41,80070057,?), ref: 00A90064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A8FF41,80070057,?,?), ref: 00A90070

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 310b92ca0d0c19a49323ea5e3430ae78aea0e50ac8ba42c3ed42a6b129270cb5
Instruction ID: fe934fe27d5d036e9d02b79932ef340c823bcd43968f1eed9a45b37a5bde9199
Opcode Fuzzy Hash: 310b92ca0d0c19a49323ea5e3430ae78aea0e50ac8ba42c3ed42a6b129270cb5
Instruction Fuzzy Hash: 3C018B72700204BFDF108FA8DC04FAA7AEDEB447A2F154124F909D6210EB71DD418BA0

Function 00A9E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00A9E997
QueryPerformanceFrequency.KERNEL32(?), ref: 00A9E9A5
Sleep.KERNEL32(00000000), ref: 00A9E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00A9E9B7
Sleep.KERNEL32 ref: 00A9E9F3

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 325dd7292320362c224757b0be58dbfc18ec41062eb9b1eb78290d33f9b9fd1c
Instruction ID: bf5d89c6f69b1b9c2eeb4145712041032bcf955a7f2468c996d98eccc5f489c8
Opcode Fuzzy Hash: 325dd7292320362c224757b0be58dbfc18ec41062eb9b1eb78290d33f9b9fd1c
Instruction Fuzzy Hash: 34015B31D01539DBCF00EBE5DC59ADDFBB8FB08310F050646E506B2142CB30995287A1

Function 00A910F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00A91114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00A90B9B,?,?,?), ref: 00A91120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00A90B9B,?,?,?), ref: 00A9112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00A90B9B,?,?,?), ref: 00A91136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00A9114D

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: cefdb16f3f6a2bccfdeb0176752f5348dceca84d51b437407cb1b4f667bfcc80
Instruction ID: a64f8703cc3ce30d1f9b76fafafa7e5d8f63f457f75bb0aa5756deecde08d159
Opcode Fuzzy Hash: cefdb16f3f6a2bccfdeb0176752f5348dceca84d51b437407cb1b4f667bfcc80
Instruction Fuzzy Hash: 0B016979200205BFDB118FA5DC4DE6A3BAEEF893A4B250418FA49C7360DB31DC028A60

Function 00A90FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00A90FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00A90FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00A90FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00A90FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00A91002

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 768aa6648e7d33c113dd02b325685f504bc506b66b8a2ab578ff824d31e57fcc
Instruction ID: af7bb7f20eccb6eb8e5b82488723234150d2b2913c2befa77186bffdd019fb25
Opcode Fuzzy Hash: 768aa6648e7d33c113dd02b325685f504bc506b66b8a2ab578ff824d31e57fcc
Instruction Fuzzy Hash: 19F04939200312EBDB218FA5AC49F563BADFF89762F164424FA4AC6251CA71DC42CA60

Function 00A91014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00A9102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00A91036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A91045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00A9104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A91062

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: ca5d6f9cafd8a8d0c2bb6879cd06825a2447a3ea3573da0f9eb1f40c27228950
Instruction ID: f32b4977c406294599ba761bc0cab0c7cedc02074c33f1cafd26b05c79ee009d
Opcode Fuzzy Hash: ca5d6f9cafd8a8d0c2bb6879cd06825a2447a3ea3573da0f9eb1f40c27228950
Instruction Fuzzy Hash: E6F06D39200312EBDB219FE5EC49F563BADFF897A1F560524FA49C7250CA71D8428A60

Function 00AA030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00AA017D,?,00AA32FC,?,00000001,00A72592,?), ref: 00AA0324
CloseHandle.KERNEL32(?,?,?,?,00AA017D,?,00AA32FC,?,00000001,00A72592,?), ref: 00AA0331
CloseHandle.KERNEL32(?,?,?,?,00AA017D,?,00AA32FC,?,00000001,00A72592,?), ref: 00AA033E
CloseHandle.KERNEL32(?,?,?,?,00AA017D,?,00AA32FC,?,00000001,00A72592,?), ref: 00AA034B
CloseHandle.KERNEL32(?,?,?,?,00AA017D,?,00AA32FC,?,00000001,00A72592,?), ref: 00AA0358
CloseHandle.KERNEL32(?,?,?,?,00AA017D,?,00AA32FC,?,00000001,00A72592,?), ref: 00AA0365

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: e3690ca0d45d85407201e3293982bd0dbbe3748c24af3ff901eb676f9bbcc16f
Instruction ID: c68edd5d55d93f812530a38568b3147a5ee84d1df7617d4f4b005a027cd119a0
Opcode Fuzzy Hash: e3690ca0d45d85407201e3293982bd0dbbe3748c24af3ff901eb676f9bbcc16f
Instruction Fuzzy Hash: C601AE72800B159FCB30AF66D880812FBF9BF613153158A3FD19696971C3B1A959DF90

Function 00A6D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00A6D752

Part of subcall function 00A629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00A6D7D1,00000000,00000000,00000000,00000000,?,00A6D7F8,00000000,00000007,00000000,?,00A6DBF5,00000000), ref: 00A629DE
Part of subcall function 00A629C8: GetLastError.KERNEL32(00000000,?,00A6D7D1,00000000,00000000,00000000,00000000,?,00A6D7F8,00000000,00000007,00000000,?,00A6DBF5,00000000,00000000), ref: 00A629F0

_free.LIBCMT ref: 00A6D764
_free.LIBCMT ref: 00A6D776
_free.LIBCMT ref: 00A6D788
_free.LIBCMT ref: 00A6D79A

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e8d01e9e3cd69c95c03f1afb9e7042f56df0c4d5d3df6605257b467526f7c55d
Instruction ID: 0114805af4f7e24697d82ed5b1b4b7972734b9656296d3b816f44d5af42df5d9
Opcode Fuzzy Hash: e8d01e9e3cd69c95c03f1afb9e7042f56df0c4d5d3df6605257b467526f7c55d
Instruction Fuzzy Hash: 3DF0FF33B44608ABC625EBA5FAC5D2677FDBB847A0B940805F048E7501CB20FC80C7A5

Function 00A95C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00A95C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00A95C6F
MessageBeep.USER32(00000000), ref: 00A95C87
KillTimer.USER32(?,0000040A), ref: 00A95CA3
EndDialog.USER32(?,00000001), ref: 00A95CBD

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 7f033f7c9a421b0608ae689e4e506c29980b1c17aff4b62f393c8a57f1dee3c2
Instruction ID: 60402186f0e1a89d06cb02a727c8a27d41d1c180adcb98fd65db87bf4412b34d
Opcode Fuzzy Hash: 7f033f7c9a421b0608ae689e4e506c29980b1c17aff4b62f393c8a57f1dee3c2
Instruction Fuzzy Hash: 33018130A00B04ABEF259B60DE4FFA677F8BB00B05F011559F687A15E1DBF0A9858B90

Function 00A622A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00A622BE

Part of subcall function 00A629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00A6D7D1,00000000,00000000,00000000,00000000,?,00A6D7F8,00000000,00000007,00000000,?,00A6DBF5,00000000), ref: 00A629DE
Part of subcall function 00A629C8: GetLastError.KERNEL32(00000000,?,00A6D7D1,00000000,00000000,00000000,00000000,?,00A6D7F8,00000000,00000007,00000000,?,00A6DBF5,00000000,00000000), ref: 00A629F0

_free.LIBCMT ref: 00A622D0
_free.LIBCMT ref: 00A622E3
_free.LIBCMT ref: 00A622F4
_free.LIBCMT ref: 00A62305

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3ecff1d922aeb6c944bf011c69979867aa863c5b67e8845a9eb1ff4fc3accf4b
Instruction ID: 79db7531eaee045423f59212411228bd7eb269cd2c2b2ae0a47d9394c1db1188
Opcode Fuzzy Hash: 3ecff1d922aeb6c944bf011c69979867aa863c5b67e8845a9eb1ff4fc3accf4b
Instruction Fuzzy Hash: F1F030715109158BC71AFFE8BD01A583BB4B7B87A1B00054AF411D3271CF300411ABE5

Function 00A495C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00A495D4
StrokeAndFillPath.GDI32(?,?,00A871F7,00000000,?,?,?), ref: 00A495F0
SelectObject.GDI32(?,00000000), ref: 00A49603
DeleteObject.GDI32 ref: 00A49616
StrokePath.GDI32(?), ref: 00A49631

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: b7a38b8f1b9e1a8e1ad385cc63d929f78c693744b92b1c99375ef9444cf31d6c
Instruction ID: 78bb2e179d0ab216447d58a7c37f6a3d9dd1f28cf3ba63e442975a815a7ecfff
Opcode Fuzzy Hash: b7a38b8f1b9e1a8e1ad385cc63d929f78c693744b92b1c99375ef9444cf31d6c
Instruction Fuzzy Hash: DFF04935006208EFDB2A9FA9ED1CB667F61BB60332F158214F469560F0CB3089A7DF21

Function 00A60F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00A610F9
__freea.LIBCMT ref: 00A61117

Part of subcall function 00A61537: _free.LIBCMT ref: 00A6154F

Strings

am/pm, xrefs: 00A6117A
a/p, xrefs: 00A611DE

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: a4ca9279f6ef78131a3609e83410e3e7433fde5603f8b6b7465e3d7b5f381716
Instruction ID: bfa78b959b1421f537d0bec803e2f5ee32e7148acb80cad4600835a62b97b2de
Opcode Fuzzy Hash: a4ca9279f6ef78131a3609e83410e3e7433fde5603f8b6b7465e3d7b5f381716
Instruction Fuzzy Hash: 07D1F171900206DADB659F68C895BFABFB1FF06700F2C4269EA069F750E3359D81CB91

Function 00A3BBE0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00A3BEB3

Strings

($, xrefs: 00A3BC28, 00A3BC2F, 00A3BE9A
0}, xrefs: 00A3BC10
(o, xrefs: 00A3BBE6

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: ($$(o$0}
API String ID: 1385522511-2020106885
Opcode ID: 8ad6aea5d2861d4525c6eef60f47c447dc1a7abf610a4b356b6288ae424d3dd5
Instruction ID: c1cd9a48923a461c482db6487bf089f1bcc701362f2629fd0404c624f6b23ff6
Opcode Fuzzy Hash: 8ad6aea5d2861d4525c6eef60f47c447dc1a7abf610a4b356b6288ae424d3dd5
Instruction Fuzzy Hash: 22913D75A10206DFCB68CF59C4916A9BBF2FF68314F24416EEA45AB350D731ED81CBA0

Function 00A92716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A9B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00A921D0,?,?,00000034,00000800,?,00000034), ref: 00A9B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00A92760

Part of subcall function 00A9B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00A921FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00A9B3F8

Part of subcall function 00A9B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00A9B355
Part of subcall function 00A9B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00A92194,00000034,?,?,00001004,00000000,00000000), ref: 00A9B365
Part of subcall function 00A9B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00A92194,00000034,?,?,00001004,00000000,00000000), ref: 00A9B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00A927CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00A9281A

Strings

@, xrefs: 00A92832

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 9ccef6f10ed5a7675ff84e0d6fa8cb11a24e7fd10427770afd33fbd246c95d00
Instruction ID: b072a8e31f8319917145c89368e3befe4f3d69abd8845d3728cfdc8fd9f087aa
Opcode Fuzzy Hash: 9ccef6f10ed5a7675ff84e0d6fa8cb11a24e7fd10427770afd33fbd246c95d00
Instruction Fuzzy Hash: FA410976A00218BEDF10DFA4DA45FEEBBB8AF09700F108095FA55B7181DA706E45DBA1

Function 00A6172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00A61769
_free.LIBCMT ref: 00A61834
_free.LIBCMT ref: 00A6183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00A61760, 00A61767, 00A61796, 00A617CE

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: 8b51b4ccc08235651e7fa54a5db9b99984582b80ec427dfea2b3e5fe031b66fd
Instruction ID: 4f0537adf5dee5299fdf6b962def88970dbcf10ab8b0d48cb08345fd8315e264
Opcode Fuzzy Hash: 8b51b4ccc08235651e7fa54a5db9b99984582b80ec427dfea2b3e5fe031b66fd
Instruction Fuzzy Hash: 65317CB1A00218AFDB25DF99DD85D9EBFFCEB95310F1841AAF805D7211DA708E40CBA0

Function 00A9C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00A9C306
DeleteMenu.USER32(?,00000007,00000000), ref: 00A9C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00B01990,00E65ED0), ref: 00A9C395

Strings

0, xrefs: 00A9C2DF

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 13d247ca316afba7f8ff2ff579a5640e97efebfeec7b4439cc68cb5b49e59ea9
Instruction ID: 923dba3aeaf8f47d9080e84273c144777c0c9e0626d0da48d50dc5150070af17
Opcode Fuzzy Hash: 13d247ca316afba7f8ff2ff579a5640e97efebfeec7b4439cc68cb5b49e59ea9
Instruction Fuzzy Hash: FC41BE712447019FDB20DF28D884B5BBBE8AF89320F108A1DF8A59B2D1D770E904CB62

Function 00AC4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00ACCC08,00000000,?,?,?,?), ref: 00AC44AA
GetWindowLongW.USER32 ref: 00AC44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00AC44D7

Strings

SysTreeView32, xrefs: 00AC447C

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: e1818ae691cbb0cd14a79067965b5c87d2bcb35f170e7fed9a3d746856508f18
Instruction ID: f718c50cf4f72da90dd1db89bc21a1858a632434bf5cc1fef7d945c58af94051
Opcode Fuzzy Hash: e1818ae691cbb0cd14a79067965b5c87d2bcb35f170e7fed9a3d746856508f18
Instruction Fuzzy Hash: 5E31AB31210609AFDB248F78DD45FEA7BA9EB48334F228719F979921E0DB70EC519B50

Function 00AB304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00AB335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00AB3077,?,?), ref: 00AB3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00AB307A
_wcslen.LIBCMT ref: 00AB309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00AB3106

Strings

255.255.255.255, xrefs: 00AB3095, 00AB309A

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 2974e1c53af392b93547a7fd5271dbbdb65390cd944814b9e8d21e70b62db7b9
Instruction ID: ce245f57f195c7899247e0ca3b8805b7701853ab8d3d053b918349e131918e82
Opcode Fuzzy Hash: 2974e1c53af392b93547a7fd5271dbbdb65390cd944814b9e8d21e70b62db7b9
Instruction Fuzzy Hash: D131E13A6002019FCF10DF68D985EAA77F8EF14318F248159E9158B393DB72EE45CB60

Function 00AC3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00AC3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00AC3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00AC3F78

Strings

SysMonthCal32, xrefs: 00AC3F0B

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 0c2570df6e227a4428db97fe1a1d17e7d1a71f05152e4ed5d4af1c1802b677ff
Instruction ID: 52676cc5453a3ce88900b4bc84193d13a5268fc5d9653a886db41526fa3f163c
Opcode Fuzzy Hash: 0c2570df6e227a4428db97fe1a1d17e7d1a71f05152e4ed5d4af1c1802b677ff
Instruction Fuzzy Hash: 5F21BF33600219BFDF15CF94CC46FEA3BB9EF48724F124218FA156B1D0D6B5A9508B90

Function 00AC4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00AC4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00AC4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00AC471A

Strings

msctls_updown32, xrefs: 00AC4684

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 8c5a52b22112f4a2e37097f63b5c0106dbb793f132205bc1b29e6fc8790ca535
Instruction ID: d0eaab7669f790e1451602cd05e00677797458badf507447c9419f602906ccc8
Opcode Fuzzy Hash: 8c5a52b22112f4a2e37097f63b5c0106dbb793f132205bc1b29e6fc8790ca535
Instruction Fuzzy Hash: 092160B5600208AFEB10DF68DCD1EB737ADEB5A3A4B050459FA049B351DB30EC52CB60

Function 00A995AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A9961D

Strings

#OnAutoItStartRegister, xrefs: 00A995F3
#requireadmin, xrefs: 00A995D9
#notrayicon, xrefs: 00A995B7

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 912c418e2eb4d16e80645d939fb0cfec8d3d30ca7f1ba9d4e785aa4383468a4f
Instruction ID: 0e82d3b1573a277e4e2c3ae50035ee09d6ee8bc25fe2f168880c55b6a529a475
Opcode Fuzzy Hash: 912c418e2eb4d16e80645d939fb0cfec8d3d30ca7f1ba9d4e785aa4383468a4f
Instruction Fuzzy Hash: CF213872304510BAEB31AB2C9D03FBBB3E8AF91310F11442EFE49A7041EB65AD49C2D5

Function 00AC37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00AC3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00AC3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00AC3876

Strings

Listbox, xrefs: 00AC380F

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 2327177bd5c86118211f2e1d6d53fbfd2c4971b050bc6c0ab591a5dee8776df9
Instruction ID: e5440b9a44a295ef6e1db89696c81e753429c45bf0b33762e1acd1cd95cffa8d
Opcode Fuzzy Hash: 2327177bd5c86118211f2e1d6d53fbfd2c4971b050bc6c0ab591a5dee8776df9
Instruction Fuzzy Hash: 80217F72610218BBEF11DF94DC85FBB376AEF89760F12C118F9159B190CA759C5287A0

Function 00AA49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00AA4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00AA4A5C
SetErrorMode.KERNEL32(00000000,?,?,00ACCC08), ref: 00AA4AD0

Strings

%lu, xrefs: 00AA4A6F

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 69b797c2a69085ba6676d0903867384e07a00119b852c66c1a481620a8ade9fd
Instruction ID: 83087ae0321a17be64c4b6dbe49eb92a7defc6ccf1de3a4260cbe15e759aa33a
Opcode Fuzzy Hash: 69b797c2a69085ba6676d0903867384e07a00119b852c66c1a481620a8ade9fd
Instruction Fuzzy Hash: 5C317175A00108AFDB10DF94C985EAA7BF8EF49318F1480A9F909DB252D771ED46CB61

Function 00AC41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00AC424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00AC4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00AC4271

Strings

msctls_trackbar32, xrefs: 00AC4226

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 824890d112250e49ff4b254daf7d206bf0a9917b56b261a8345642957186718f
Instruction ID: c7eb44d4e6b5bf1bf9f377387eda2b89c81b72b66754c12a05b98ebbd971091c
Opcode Fuzzy Hash: 824890d112250e49ff4b254daf7d206bf0a9917b56b261a8345642957186718f
Instruction Fuzzy Hash: 82110631240208BEEF205F68CC06FEB3BACEF99B64F024518FA55E2090D671DC519B14

Function 00A92F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A36B57: _wcslen.LIBCMT ref: 00A36B6A

Part of subcall function 00A92DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00A92DC5
Part of subcall function 00A92DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00A92DD6
Part of subcall function 00A92DA7: GetCurrentThreadId.KERNEL32 ref: 00A92DDD
Part of subcall function 00A92DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00A92DE4

GetFocus.USER32 ref: 00A92F78

Part of subcall function 00A92DEE: GetParent.USER32(00000000), ref: 00A92DF9

GetClassNameW.USER32(?,?,00000100), ref: 00A92FC3
EnumChildWindows.USER32(?,00A9303B), ref: 00A92FEB

Strings

%s%d, xrefs: 00A92FFF

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 249769d1ebd2c0ee0528e66c0a8bc7eadadfe4923eb658830027b5bf117ad4e5
Instruction ID: 859c17253886d5f8ece41d46be08d638b2049bf843fe05815af56d3e3020cc69
Opcode Fuzzy Hash: 249769d1ebd2c0ee0528e66c0a8bc7eadadfe4923eb658830027b5bf117ad4e5
Instruction Fuzzy Hash: 3E11B4717002057BCF14BFB08D89FED77AAAF84314F048075FA099B252DE309A468B60

Function 00AC5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00AC58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00AC58EE
DrawMenuBar.USER32(?), ref: 00AC58FD

Strings

0, xrefs: 00AC588F

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: bfaee91b44e6ac1972d92b71bfd31ba9659ca1b67bf8021194064772e0186160
Instruction ID: 11a71a4f60bda5f5487884890232617ff401a49736cbeb14a17f28eafe4e87e4
Opcode Fuzzy Hash: bfaee91b44e6ac1972d92b71bfd31ba9659ca1b67bf8021194064772e0186160
Instruction Fuzzy Hash: 63018B31900218EEDB209F61DC45FAEBBB8FB85361F008099F848D6151DB309A81DF20

Function 00A8D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00A8D3BF
FreeLibrary.KERNEL32 ref: 00A8D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 00A8D3B9
X64, xrefs: 00A8D2A8

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 3028696f9b4bace98d81978fd99d42d1060ec853207447401ddb716d90097047
Instruction ID: 506280d00c9c25be97e728fd58c0cda6f04656c102d8e37b4b542de66f8ab1f1
Opcode Fuzzy Hash: 3028696f9b4bace98d81978fd99d42d1060ec853207447401ddb716d90097047
Instruction Fuzzy Hash: 3DF05536801621BBC33273104C14EA9B334EF00B01B5A8658F806EA1C4EB20CD418382

Function 00A9007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cda342615173d2454b0161ca2151f578a6206e61966c8a27a961a4690513daa2
Instruction ID: 0aa773fdaaa8c1919182a968691fdd2e3f9aaab567556bdaad5ef5ee86eaf4b1
Opcode Fuzzy Hash: cda342615173d2454b0161ca2151f578a6206e61966c8a27a961a4690513daa2
Instruction Fuzzy Hash: 68C14875A0021AAFCB14CFA8C898EAEB7F5FF48744F218598E905EB251D731ED41DB90

Function 00A63E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00A63F0B
__alldvrm.LIBCMT ref: 00A6410C
__alldvrm.LIBCMT ref: 00A6412E

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: bfac8d70ae33fa63f554a16c7b0741bfb54e7b415460bf49d02ae9e845587811
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: C6A17E72E003569FEB25CF18C8917AEBFF4EF6A350F15426DE5559B282C2388D82C750

Function 00AB342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00AB3459
CoUninitialize.OLE32 ref: 00AB3463
VariantInit.OLEAUT32(?), ref: 00AB346E
VariantClear.OLEAUT32(?), ref: 00AB371B

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: d0be83d13c4c490d67e97b12c2680c2f0a9d74c2ebea2da57afbe6dc6c7b10e1
Instruction ID: dc7eb835262ca73a64482a85fbdce09a4da6d6afb6ac7be709c5c950c6d9d707
Opcode Fuzzy Hash: d0be83d13c4c490d67e97b12c2680c2f0a9d74c2ebea2da57afbe6dc6c7b10e1
Instruction Fuzzy Hash: 36A16D766043009FCB14DF29C595A6EB7E9FF88714F048959F98A9B362DB30EE01CB91

Function 00A90436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00ACFC08,?), ref: 00A905F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00ACFC08,?), ref: 00A90608
CLSIDFromProgID.OLE32(?,?,00000000,00ACCC40,000000FF,?,00000000,00000800,00000000,?,00ACFC08,?), ref: 00A9062D
_memcmp.LIBVCRUNTIME ref: 00A9064E

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 19163008b7ab3c0e3547a25e8015e046cee6af0123ef336170702edc9ad99b3c
Instruction ID: 48a2acfc4735d566e5ea5af706ac8112a2208a8e351b9095bca51f9121d859b0
Opcode Fuzzy Hash: 19163008b7ab3c0e3547a25e8015e046cee6af0123ef336170702edc9ad99b3c
Instruction Fuzzy Hash: A081D675A00109AFCF04DF98C984EEEB7B9FF89355F208558E516AB250DB71AE06CB60

Function 00ABA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00ABA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00ABA6BA

Part of subcall function 00A39CB3: _wcslen.LIBCMT ref: 00A39CBD

Process32NextW.KERNEL32(00000000,?), ref: 00ABA79C
CloseHandle.KERNEL32(00000000), ref: 00ABA7AB

Part of subcall function 00A4CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00A73303,?), ref: 00A4CE8A

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: d8054cca0a3ce07c89559133004f4fc7681dc4b93bfc6c08e738bb170692796d
Instruction ID: 86a256b0c6708af4b1a77678dda7e2a17f3dc02c3d933410dc87dcdc05bc4b82
Opcode Fuzzy Hash: d8054cca0a3ce07c89559133004f4fc7681dc4b93bfc6c08e738bb170692796d
Instruction Fuzzy Hash: 39517D75508300AFD710EF64C986E6BBBE8FF89754F00891DF58A97252EB70D904CB92

Function 00A71391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00A714C0

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: dc986d0254473abb040255a999f3222ca3768edd06c4e98d8510e84445032b21
Instruction ID: efc86c980f91208037da9d198ecce37fde6733e6e4b0105a5ccab6517b19eff2
Opcode Fuzzy Hash: dc986d0254473abb040255a999f3222ca3768edd06c4e98d8510e84445032b21
Instruction Fuzzy Hash: 4E415DB6A00600ABDB256BFD8D46ABE3AF5FF41770F14C625F81ED7292E63488425361

Function 00AC6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00AC62E2
ScreenToClient.USER32(?,?), ref: 00AC6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00AC6382

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 023d86156b7d697f78b573a51246e5342b9f22969e9877d6c46cef8d3e40fa1d
Instruction ID: 7c19342b4f75e8e24346ef909788c43039f194a4db1c32a14102caed4f9f0082
Opcode Fuzzy Hash: 023d86156b7d697f78b573a51246e5342b9f22969e9877d6c46cef8d3e40fa1d
Instruction Fuzzy Hash: 23511874A00649EFCB14DF68D980EAE7BB5FB95360F11856DF8259B2A0D730AD81CB50

Function 00AB1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00AB1AFD
WSAGetLastError.WSOCK32 ref: 00AB1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00AB1B8A
WSAGetLastError.WSOCK32 ref: 00AB1B94

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: c91809e44c6acb49f91ef3ec4f1f70d29a39e4965ec1d234370c21c6d4fb44cb
Instruction ID: ed61c4da37f03dbd109c01ab58a15b7a8879b46a9fb30ca2a616aeb978e613f2
Opcode Fuzzy Hash: c91809e44c6acb49f91ef3ec4f1f70d29a39e4965ec1d234370c21c6d4fb44cb
Instruction Fuzzy Hash: E741BF78600200AFE720AF24C986F6A77E5AB44718F548448FA1A9F3D3D772ED428B90

Function 00A6B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc7c4cc19b2ce528714b3d8ff5f476000234fbb02da0ef15a2637486cc85c1f9
Instruction ID: ac9bedb4699f9d8d8ab72fc1161b5ac6f48000497992d1f6569acafb218c755d
Opcode Fuzzy Hash: bc7c4cc19b2ce528714b3d8ff5f476000234fbb02da0ef15a2637486cc85c1f9
Instruction Fuzzy Hash: 63415B71A10314BFD724AF38CD45BAEBBF9EB84710F10852EF556DB281D771998187A0

Function 00AA56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00AA5783
GetLastError.KERNEL32(?,00000000), ref: 00AA57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00AA57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00AA57FA

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 163e93431781c45f0e6d8d2dbb2ed9f8d6866ceae7ff01f7af55d64286fcfbab
Instruction ID: e9d8b82360df7e45dcfb13ba4ba27e6d44e352db618a041c9dd2b40e01a27d3a
Opcode Fuzzy Hash: 163e93431781c45f0e6d8d2dbb2ed9f8d6866ceae7ff01f7af55d64286fcfbab
Instruction Fuzzy Hash: 7D412D3A600610DFCB25EF55C544A5DBBE2EF49720F198888F84A6B362CB34FD01CB91

Function 00A6D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00A56D71,00000000,00000000,00A582D9,?,00A582D9,?,00000001,00A56D71,8BE85006,00000001,00A582D9,00A582D9), ref: 00A6D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00A6D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00A6D9AB
__freea.LIBCMT ref: 00A6D9B4

Part of subcall function 00A63820: RtlAllocateHeap.NTDLL(00000000,?,00B01444,?,00A4FDF5,?,?,00A3A976,00000010,00B01440,00A313FC,?,00A313C6,?,00A31129), ref: 00A63852

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 24948018812c460a8329e98f926b392e629979ba6c3284a85aa4f6ffbdd57f73
Instruction ID: 648a7d7652c799e42f718b86e9c8cfc8f4d3377c4f7a3cefdbb3eea6a6bc9ef7
Opcode Fuzzy Hash: 24948018812c460a8329e98f926b392e629979ba6c3284a85aa4f6ffbdd57f73
Instruction Fuzzy Hash: CB31BC72A0020AABDF25DFA5DC45EAF7BB5EB41750B054268FC08DB250EB35CD55CBA0

Function 00AC52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00AC5352
GetWindowLongW.USER32(?,000000F0), ref: 00AC5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00AC5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00AC53A8

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 0047d5bedd01df69123948f9c222f807a6c3af82c0934d25c8aec0827f3ff6d3
Instruction ID: 189c26d52350547b9ac335d6fafcedf7b2b192e80a95328da20b3538b139d050
Opcode Fuzzy Hash: 0047d5bedd01df69123948f9c222f807a6c3af82c0934d25c8aec0827f3ff6d3
Instruction Fuzzy Hash: EA31C134E55A88AFEB249F64CC25FE83761AB05390F5A410AFA109E3E1C7B0B9C09B41

Function 00A9AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00A9ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00A9AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00A9AC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00A9ACC6

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 85a95e0a1322c36b3b5c3eadf1dc013cfb7e1ac26a45b22ec1c5cd91331a488f
Instruction ID: dda51c768cfe39f5f58e1b6fe38aa0715541b27ce631d1c416744449a03c173d
Opcode Fuzzy Hash: 85a95e0a1322c36b3b5c3eadf1dc013cfb7e1ac26a45b22ec1c5cd91331a488f
Instruction Fuzzy Hash: E2310530B40718AFEF35CBA98C04BFA7BF5ABA9321F04471BE4859A1D1C375898587D2

Function 00AC7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00AC769A
GetWindowRect.USER32(?,?), ref: 00AC7710
PtInRect.USER32(?,?,00AC8B89), ref: 00AC7720
MessageBeep.USER32(00000000), ref: 00AC778C

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: df6ee7e4c32c3101ed719177a73e9f1c0ffddabf4435f298e55d4bb873efc5a8
Instruction ID: 2884de50b50e7490a8278ac02a2902bc3f0eabde28f73b883f9f133734d77b50
Opcode Fuzzy Hash: df6ee7e4c32c3101ed719177a73e9f1c0ffddabf4435f298e55d4bb873efc5a8
Instruction Fuzzy Hash: 32415A38A052189FCB11CFA8C894FADB7F5BB59314F1A41ADE8149B261C730A942CF90

Function 00AC16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00AC16EB

Part of subcall function 00A93A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00A93A57
Part of subcall function 00A93A3D: GetCurrentThreadId.KERNEL32 ref: 00A93A5E
Part of subcall function 00A93A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00A925B3), ref: 00A93A65

GetCaretPos.USER32(?), ref: 00AC16FF
ClientToScreen.USER32(00000000,?), ref: 00AC174C
GetForegroundWindow.USER32 ref: 00AC1752

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 5b7d10d8833212e272cd0a71fccb868de195fbb0b04bcea345f0167d3d881419
Instruction ID: aeaa7265ff7a7d923e272c82b237e232981af65686c122c7fac7fb5b6ab5ec1f
Opcode Fuzzy Hash: 5b7d10d8833212e272cd0a71fccb868de195fbb0b04bcea345f0167d3d881419
Instruction Fuzzy Hash: 8F314175E00249AFCB04EFA9C981DAEB7F9EF49314B5180A9E415E7212DB31DE45CFA0

Function 00A9DF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00A37620: _wcslen.LIBCMT ref: 00A37625

_wcslen.LIBCMT ref: 00A9DFCB
_wcslen.LIBCMT ref: 00A9DFE2
_wcslen.LIBCMT ref: 00A9E00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00A9E018

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: acb3a27e6603a5032a3c95213bcefb5596e7b07777929bf61abb1c314fe3ee03
Instruction ID: 2d996c6e2ac565a9144853da885ea6d4e6e8cfee357dde97254dc6e77efb1e40
Opcode Fuzzy Hash: acb3a27e6603a5032a3c95213bcefb5596e7b07777929bf61abb1c314fe3ee03
Instruction Fuzzy Hash: 37219F75A40214EFCF20DFA8DA82BAEB7F8EF85750F144065E805BB246D6709E41CBA1

Function 00AC8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A49BB2

GetCursorPos.USER32(?), ref: 00AC9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00A87711,?,?,?,?,?), ref: 00AC9016
GetCursorPos.USER32(?), ref: 00AC905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00A87711,?,?,?), ref: 00AC9094

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 9e8aa0ea033ddf6a899a382988fbbf6a5097bd92c4df32adac2d1ee298c6d088
Instruction ID: 7a4eb19d0fbca43c091f6850ad51d95d2224dfa7f8ac0eba2ae5531358e0ac9d
Opcode Fuzzy Hash: 9e8aa0ea033ddf6a899a382988fbbf6a5097bd92c4df32adac2d1ee298c6d088
Instruction Fuzzy Hash: 49217C35600118EFDB258F98C858FEB7BF9EB89360F154069F9058B2A1C7319991DB61

Function 00A9D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00ACCB68), ref: 00A9D2FB
GetLastError.KERNEL32 ref: 00A9D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00A9D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00ACCB68), ref: 00A9D376

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: b936265a115fe6e0424ca521248e05e202c166449462ecc9446a8cf555d2e88e
Instruction ID: 7ca124fba2a9ef0d8f9b68175b3ff56620e3f45d2f1cde30e555917257ec4626
Opcode Fuzzy Hash: b936265a115fe6e0424ca521248e05e202c166449462ecc9446a8cf555d2e88e
Instruction Fuzzy Hash: 0A2191746082019FCB00EF68C9818ABB7E4AE55365F104A1DF499DB2A1E730D986CB93

Function 00A91571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A91014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00A9102A
Part of subcall function 00A91014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00A91036
Part of subcall function 00A91014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A91045
Part of subcall function 00A91014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00A9104C
Part of subcall function 00A91014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A91062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00A915BE
_memcmp.LIBVCRUNTIME ref: 00A915E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A91617
HeapFree.KERNEL32(00000000), ref: 00A9161E

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: b29982b145326a733972aff849cf7c15fe6f4ef3265208646b2eb38f67c08259
Instruction ID: 19882782de7d8e52c4c36a6a36f6383ddbec3bcc1b2866ce9c8ee8c157d48768
Opcode Fuzzy Hash: b29982b145326a733972aff849cf7c15fe6f4ef3265208646b2eb38f67c08259
Instruction Fuzzy Hash: 95219A72E4010AEFDF00DFA5C985BEEB7F8EF44354F0A4859E545AB241E730AA05CBA0

Function 00AC2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00AC280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00AC2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00AC2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00AC2840

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 19f1b06f2dc749ff3e211e4b9732683703182e6079afad015a3416bb47519249
Instruction ID: b023d5a238ed6954f338d865566cffb91961404693c51d84e327a7eb4ec483c0
Opcode Fuzzy Hash: 19f1b06f2dc749ff3e211e4b9732683703182e6079afad015a3416bb47519249
Instruction Fuzzy Hash: D921B035204615AFD714DB24CC95FAA7BA5AF85324F16815CF42ACB6E2CB71FC82CB90

Function 00A978F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00A98D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00A9790A,?,000000FF,?,00A98754,00000000,?,0000001C,?,?), ref: 00A98D8C
Part of subcall function 00A98D7D: lstrcpyW.KERNEL32(00000000,?,?,00A9790A,?,000000FF,?,00A98754,00000000,?,0000001C,?,?,00000000), ref: 00A98DB2
Part of subcall function 00A98D7D: lstrcmpiW.KERNEL32(00000000,?,00A9790A,?,000000FF,?,00A98754,00000000,?,0000001C,?,?), ref: 00A98DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00A98754,00000000,?,0000001C,?,?,00000000), ref: 00A97923
lstrcpyW.KERNEL32(00000000,?,?,00A98754,00000000,?,0000001C,?,?,00000000), ref: 00A97949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00A98754,00000000,?,0000001C,?,?,00000000), ref: 00A97984

Strings

cdecl, xrefs: 00A9797B

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: f0ce8947295b9400cd8a8eb13a8493db28e917fdfd45e7679a610601ce8833a5
Instruction ID: 36a0f9abba9636a55a673de86eb6467075ad5eae554286883e070083dd92a99f
Opcode Fuzzy Hash: f0ce8947295b9400cd8a8eb13a8493db28e917fdfd45e7679a610601ce8833a5
Instruction Fuzzy Hash: C311033A300202AFCF159F35D845E7A77E9FF85350B10402AF906CB2A4EB319801C7A1

Function 00AC7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00AC7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00AC7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00AC7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00AAB7AD,00000000), ref: 00AC7D6B

Part of subcall function 00A49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A49BB2

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: dffe46e48f53e5708057b0a18f4d519dcc8cf7e906c36360ac8e3e8c8e5fec96
Instruction ID: 506422f681c162471720d9089acc66a9d9e5a8e67e67a131e6f401b87a1945d5
Opcode Fuzzy Hash: dffe46e48f53e5708057b0a18f4d519dcc8cf7e906c36360ac8e3e8c8e5fec96
Instruction Fuzzy Hash: C6115C32605615AFCB159F68DC04EAA3BA5AF45360F168728F83AD72F0DB309952DF50

Function 00AC5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00AC56BB
_wcslen.LIBCMT ref: 00AC56CD
_wcslen.LIBCMT ref: 00AC56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00AC5816

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 70efa0914ef39a5e3c1a8a59363181fac0052d9d5dbcfa39779570fd0cbb9629
Instruction ID: b83a3601b5af8f6eb399e1ad72290f3e5f5313fdaacda8d153cc224b68ac3ce3
Opcode Fuzzy Hash: 70efa0914ef39a5e3c1a8a59363181fac0052d9d5dbcfa39779570fd0cbb9629
Instruction Fuzzy Hash: E011BE71E00608A6DB20DFB5CD85FEE77BCAF11764B11846EF915D6081EB74AAC4CBA0

Function 00A61D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d83dbd0fba03edbd2458530e278e2aca0da6293081687f894ee35fa074ee916
Instruction ID: 0b42293e64fdbcf74682c05b03c22410d88658d3cf0c1927a212122eacfd0cc4
Opcode Fuzzy Hash: 1d83dbd0fba03edbd2458530e278e2aca0da6293081687f894ee35fa074ee916
Instruction Fuzzy Hash: B80181B2609A16BEF72227B96CC1F676A7DDF817B8F390325F521A12D2DB618C005270

Function 00A91A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00A91A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A91A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A91A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A91A8A

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 2979b3b3f6b5aefea860aa1da66471887f77d6c4017c3824414b06f2c898d2d5
Instruction ID: dd03922f001b14ad29723a9c6d25ad8ffe2b52064a92be301e6d9feff4085aa7
Opcode Fuzzy Hash: 2979b3b3f6b5aefea860aa1da66471887f77d6c4017c3824414b06f2c898d2d5
Instruction Fuzzy Hash: 2011093AE01219FFEF11DBA5CD85FADBBB8EB08750F200091EA04B7290D6716E51DB94

Function 00A9E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00A9E1FD
MessageBoxW.USER32(?,?,?,?), ref: 00A9E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00A9E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00A9E24D

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 1aa08867f2b546ba5bb08bff662bc7263998ddfaedfbd5f336bba4bba8353368
Instruction ID: 2cda3766917dc97daefe07501992fc8145267c21ba08e4814e847e8cc8aa767c
Opcode Fuzzy Hash: 1aa08867f2b546ba5bb08bff662bc7263998ddfaedfbd5f336bba4bba8353368
Instruction Fuzzy Hash: 1B11C876A04254BBCF05DFEC9C05EDE7FECEB55720F154655F914D3292DA70890487A0

Function 00A5D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00A5CFF9,00000000,00000004,00000000), ref: 00A5D218
GetLastError.KERNEL32 ref: 00A5D224
__dosmaperr.LIBCMT ref: 00A5D22B
ResumeThread.KERNEL32(00000000), ref: 00A5D249

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: bd91ea61abec9d476183732cc1000fd02a4b836480b25f5f4b84d891b2c95d57
Instruction ID: 9423d5fbb3276f96b17a4b4d1c69f4639dc169c6d1e6af9976eca39c0f105f35
Opcode Fuzzy Hash: bd91ea61abec9d476183732cc1000fd02a4b836480b25f5f4b84d891b2c95d57
Instruction Fuzzy Hash: 8B01D276805204BBDB219BA6EC09BEE7E69FF81732F100319FD25961D0DB70890AC7A0

Function 00AC9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00A49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00A49BB2

GetClientRect.USER32(?,?), ref: 00AC9F31
GetCursorPos.USER32(?), ref: 00AC9F3B
ScreenToClient.USER32(?,?), ref: 00AC9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00AC9F7A

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 7156afdefa2149fc31f0faa3c9e9b6b81bfe1e1bca1451c8cdc69353213585f8
Instruction ID: 4aacf627f55c3a536aed7289a714c65456783abb9441e4adcf1b45a0ed190440
Opcode Fuzzy Hash: 7156afdefa2149fc31f0faa3c9e9b6b81bfe1e1bca1451c8cdc69353213585f8
Instruction Fuzzy Hash: 0311153690021AEBDB14DFA8D989EEF77B9FB45311F024459F912E3150D730BA92CBA1

Function 00A3600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00A3604C
GetStockObject.GDI32(00000011), ref: 00A36060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00A3606A

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 4e284112e6ab06a2a132b347e11db89ba1314bbe84d9c91707984ab60ebcfe07
Instruction ID: 590b27122b67b8011bdd62e98746508eeaea328e941048a566ee60125c0f7003
Opcode Fuzzy Hash: 4e284112e6ab06a2a132b347e11db89ba1314bbe84d9c91707984ab60ebcfe07
Instruction Fuzzy Hash: F311C072501508BFEF168FA4DC45EEABB6DFF0A3A5F058201FA0852010D732DC60DBA0

Function 00A53B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00A53B56

Part of subcall function 00A53AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00A53AD2
Part of subcall function 00A53AA3: ___AdjustPointer.LIBCMT ref: 00A53AED

_UnwindNestedFrames.LIBCMT ref: 00A53B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00A53B7C
CallCatchBlock.LIBVCRUNTIME ref: 00A53BA4

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 1efa26df27e5cb23fcd0b78d95de90d3c97c573741904870ea4149360173b265
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 0D012933100148BBDF126F95CD42EEB3B69FF98799F054014FE4896121C732E965DBA0

Function 00A63073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00A313C6,00000000,00000000,?,00A6301A,00A313C6,00000000,00000000,00000000,?,00A6328B,00000006,FlsSetValue), ref: 00A630A5
GetLastError.KERNEL32(?,00A6301A,00A313C6,00000000,00000000,00000000,?,00A6328B,00000006,FlsSetValue,00AD2290,FlsSetValue,00000000,00000364,?,00A62E46), ref: 00A630B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00A6301A,00A313C6,00000000,00000000,00000000,?,00A6328B,00000006,FlsSetValue,00AD2290,FlsSetValue,00000000), ref: 00A630BF

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 0d9da95f6bae83af0480b05ce5973cf2101063c8042398a5043c009cec6bdbc7
Instruction ID: d3a9cbefc0f21a6844b8963a8bf4dcc640137421cd0385135cc9b530d021923d
Opcode Fuzzy Hash: 0d9da95f6bae83af0480b05ce5973cf2101063c8042398a5043c009cec6bdbc7
Instruction Fuzzy Hash: E1018833751222ABCF318BB9AC44D5777B8DF45771B160620F91AD7140D721D907C6D0

Function 00A97464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00A9747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00A97497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00A974AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00A974CA

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: b763fc7491b84c5bdba3bb3562c5379e5fb9f999900da41eb3e0c7c646a2d7dd
Instruction ID: 3945594566d1767613d50eff0c8d3303646b6b0ed1302ac726f90d81fcbb4adc
Opcode Fuzzy Hash: b763fc7491b84c5bdba3bb3562c5379e5fb9f999900da41eb3e0c7c646a2d7dd
Instruction Fuzzy Hash: B711ADB5315310ABEB20CF58DD08F9A7BFCEF80B10F108569E61AD6192D7B0E904DBA0

Function 00A9B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00A9ACD3,?,00008000), ref: 00A9B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00A9ACD3,?,00008000), ref: 00A9B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00A9ACD3,?,00008000), ref: 00A9B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00A9ACD3,?,00008000), ref: 00A9B126

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 3c0a85b39da74ae76fce832f4fdad618ff831db45cfe4af1dfd26e34a8d0ad4b
Instruction ID: 5c522c195133da1fdc5a121d6456949b910adabfcfc6a86021850426142c6baf
Opcode Fuzzy Hash: 3c0a85b39da74ae76fce832f4fdad618ff831db45cfe4af1dfd26e34a8d0ad4b
Instruction Fuzzy Hash: D1115E31E1152CD7CF00DFE5EA68AEEBBB8FF49711F114295D945B2141CB3055518B61

Function 00AC7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00AC7E33
ScreenToClient.USER32(?,?), ref: 00AC7E4B
ScreenToClient.USER32(?,?), ref: 00AC7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00AC7E8A

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: b9b62f4a091d9f641532e784eb322f26fe75381c6fb3635b6789e33bdba2c495
Instruction ID: 7b99911ebef857ea0e205499de0637ed11d3cd3a02b3afd8c52ffc5c24939a6c
Opcode Fuzzy Hash: b9b62f4a091d9f641532e784eb322f26fe75381c6fb3635b6789e33bdba2c495
Instruction Fuzzy Hash: 481114B9D0024AAFDB41DF98C984AEEBBF5FF08310F515056E915E3210D735AA55CF50

Function 00A92DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00A92DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00A92DD6
GetCurrentThreadId.KERNEL32 ref: 00A92DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00A92DE4

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 41fdb66be469080832d383d23222db1eb7a1894024c614f50cbf76853ee08548
Instruction ID: b71a69147f610accfb3e3b043bab5d68b9d9e2e4661d67f0c5bdeff4df3ea9e4
Opcode Fuzzy Hash: 41fdb66be469080832d383d23222db1eb7a1894024c614f50cbf76853ee08548
Instruction Fuzzy Hash: CDE06D71601224BAEB205BA29C0DFEB7EACEF42BB1F021115F10AD1080DAA08942C7B0

Function 00AC8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00A49639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A49693
Part of subcall function 00A49639: SelectObject.GDI32(?,00000000), ref: 00A496A2
Part of subcall function 00A49639: BeginPath.GDI32(?), ref: 00A496B9
Part of subcall function 00A49639: SelectObject.GDI32(?,00000000), ref: 00A496E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00AC8887
LineTo.GDI32(?,?,?), ref: 00AC8894
EndPath.GDI32(?), ref: 00AC88A4
StrokePath.GDI32(?), ref: 00AC88B2

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: aea46abd0b2e949968560d6a038915dea33370d3df11be02f7866e3a65c5ebd6
Instruction ID: ea46cc11008b13cffb2a435f4890bb3022dd9aa2ae5ba985195cb9d9f98a6065
Opcode Fuzzy Hash: aea46abd0b2e949968560d6a038915dea33370d3df11be02f7866e3a65c5ebd6
Instruction Fuzzy Hash: C8F05E36041258FADB129F94AC09FDE3F59AF16320F058104FA55650E1CB795522CFE5

Function 00A498B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00A498CC
SetTextColor.GDI32(?,?), ref: 00A498D6
SetBkMode.GDI32(?,00000001), ref: 00A498E9
GetStockObject.GDI32(00000005), ref: 00A498F1

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: e912993c2a70ad0b64bcab19aad60772001bada8bc50196fa5a9bf9f6aedc3e5
Instruction ID: 5bb73fbc72eb9c8f67f10f64794b2f3cab031ea856068e1767982db35e635ca8
Opcode Fuzzy Hash: e912993c2a70ad0b64bcab19aad60772001bada8bc50196fa5a9bf9f6aedc3e5
Instruction Fuzzy Hash: 6CE06531644244AEDB219BB5BC09FDD3F10AB51335F188319F6FE540E1C37186519B10

Function 00A9162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00A91634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00A911D9), ref: 00A9163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00A911D9), ref: 00A91648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00A911D9), ref: 00A9164F

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 448aeff7222941ab9d400bec6a10e9226914000fdfa23b65e5de019bff503b2b
Instruction ID: 235c8d0c4f2d1c7090246e0daeaf25d7e59db48f8b8745e2fbab83554e3b15ac
Opcode Fuzzy Hash: 448aeff7222941ab9d400bec6a10e9226914000fdfa23b65e5de019bff503b2b
Instruction Fuzzy Hash: 9EE08675A01211DBDB205FE4AD0DF863BBCBF447A5F194808F349C9080D6348542C750

Function 00A8D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00A8D858
GetDC.USER32(00000000), ref: 00A8D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00A8D882
ReleaseDC.USER32(?), ref: 00A8D8A3

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 5365587873ca3907a41c399bc405936d82decebf9a934b093974d99da9cc2d4e
Instruction ID: ded43c589fd76c08d91d763bfe98f5b7566e2786d55deea5633d4ab79af7aa4f
Opcode Fuzzy Hash: 5365587873ca3907a41c399bc405936d82decebf9a934b093974d99da9cc2d4e
Instruction Fuzzy Hash: 20E09AB5800205DFCF41EFE4DA0CA6DBBB5FB48321F159459F84AE7250C7399942AF50

Function 00A8D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00A8D86C
GetDC.USER32(00000000), ref: 00A8D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00A8D882
ReleaseDC.USER32(?), ref: 00A8D8A3

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: f1ed438b417d8abe24df12056e6399eeb19f95afab3673d56d3620ec0949722c
Instruction ID: f06fda44aebb7ee859a62cd24acf64b8d158aaeb6a78220b07483ccb322f7c0e
Opcode Fuzzy Hash: f1ed438b417d8abe24df12056e6399eeb19f95afab3673d56d3620ec0949722c
Instruction Fuzzy Hash: 16E092B5800204EFCF51EFE4DA0CA6DBBB5BB48321F159449F94AE7250CB399902AF50

Function 00AA4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00A37620: _wcslen.LIBCMT ref: 00A37625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00AA4ED4

Strings

*, xrefs: 00AA4E10
LPT, xrefs: 00AA4DFB

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 107e4d6515d489b182c7006fda6010f87bac32907aaa752490f6040c734a7009
Instruction ID: 6eefc98ca6e7a1de66e06b04519f8119c7af51f65f4432f3cd37773a3503aa28
Opcode Fuzzy Hash: 107e4d6515d489b182c7006fda6010f87bac32907aaa752490f6040c734a7009
Instruction Fuzzy Hash: A6914D75A002049FCB14DF58C585EAEBBF1AF89704F198099F80A9F3A2C775ED85CB91

Function 00A5E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00A5E30D

Strings

pow, xrefs: 00A5E2E5, 00A5E302

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: cc41a7b92507eb21d8e963c83ed6bd084045ebe1c33e181aaaa5f6746121e9b1
Instruction ID: e850980c812cd3f3bc4ffe920931cfd1a57af80a5f0ed06b1a3ef5d60639bae9
Opcode Fuzzy Hash: cc41a7b92507eb21d8e963c83ed6bd084045ebe1c33e181aaaa5f6746121e9b1
Instruction Fuzzy Hash: 5F517B71A2C20196CB19F714CA013BD3BB4BB10756F304D99E8D6862E9EB358DDADB42

Function 00A4E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00A4E1B1

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: dda0aa73edc06364e22ff1ae89c7df0dbcae95ca46c48adf9d15212ce730e5b2
Instruction ID: 8a947db682ed707f69a9f96976523ddc034fc1f0436a67e3d2a404f281de8044
Opcode Fuzzy Hash: dda0aa73edc06364e22ff1ae89c7df0dbcae95ca46c48adf9d15212ce730e5b2
Instruction Fuzzy Hash: B4512139A04246DFDF15EF68C481AFA7BA8FFA5310F248159F8919B2D0D6749D42CBA0

Function 00A4F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00A4F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00A4F2BB

Strings

@, xrefs: 00A4F2AF

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: b20fb6871539af15b1c150fce7f06b3e3b35515c46505b803f99ec725f35d261
Instruction ID: cfa75d623d8672bc2aa62cf2c8504b5ebc60aa25e555f2080a81edeaec18d879
Opcode Fuzzy Hash: b20fb6871539af15b1c150fce7f06b3e3b35515c46505b803f99ec725f35d261
Instruction Fuzzy Hash: C65154724087889BD320EF50DD86BAFBBF8FB85310F81884CF1D9411A5EB308529CB66

Function 00AB5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00AB57E0
_wcslen.LIBCMT ref: 00AB57EC

Strings

CALLARGARRAY, xrefs: 00AB57E6, 00AB57EB

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 2e9b30d0a5dc9e1b67bfbb4cc2e47629437b959f0ba59b89f59e4dc26d204958
Instruction ID: d353e8ba5004269e2f1f2849e950a54a2752d81ecb8b4102611ea89684d78bb0
Opcode Fuzzy Hash: 2e9b30d0a5dc9e1b67bfbb4cc2e47629437b959f0ba59b89f59e4dc26d204958
Instruction Fuzzy Hash: 05418D71E002099FCB14DFB9C981AEEBBF9FF99324F144069E505A7252E7709D81DB90

Function 00AAD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00AAD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00AAD13A

Strings

|, xrefs: 00AAD10B

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: d4444d8b4705ce1d34b48aa36d32ed8de2627268f8f0f776202ea06f37a14653
Instruction ID: ad7169d34807980e871f7ce4b3880648028ae4a94b074850a2372a80eddb2fee
Opcode Fuzzy Hash: d4444d8b4705ce1d34b48aa36d32ed8de2627268f8f0f776202ea06f37a14653
Instruction Fuzzy Hash: 92314F71D00219ABCF15EFA4CD85EEEBFB9FF09300F104119F815A6161E735AA46CB50

Function 00AC356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00AC3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00AC365C

Strings

static, xrefs: 00AC35BC

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 45def0a4745601bf4725fe0efa0ec9a8942bd5d779fd273e6c777822396839b3
Instruction ID: a01b167f48325f8c8b39a11c63f0b07f29643b4b1dbea2796c2f4c2975107c10
Opcode Fuzzy Hash: 45def0a4745601bf4725fe0efa0ec9a8942bd5d779fd273e6c777822396839b3
Instruction Fuzzy Hash: F8317A72110204AEDB14DF68DC81FBB73A9FF88720F02D61DF9A597280DA31AD819B60

Function 00AC4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00AC461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00AC4634

Strings

', xrefs: 00AC458E

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: c13bc2d2d403f14dbba09f6d20f8f147a60e4337c3b4702cdb714b48939eacd4
Instruction ID: 94970cdbac92f2cc88739d5b76c4524f519d780f594b526413d11984fd2978ba
Opcode Fuzzy Hash: c13bc2d2d403f14dbba09f6d20f8f147a60e4337c3b4702cdb714b48939eacd4
Instruction Fuzzy Hash: DF311874A013099FDB14CFA9C9A0FEABBB5FF49300F15406AE905AB355E770A941CF94

Function 00AC31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00AC327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00AC3287

Strings

Combobox, xrefs: 00AC3249

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: c72a6316c51cdd1b731dbb8f331c570cddd5254d7d33337c9b310d0b55645c63
Instruction ID: 5cfa2820b882521447f3ba572f1c2ff1174aa2bd35f9234276711bf94d0544aa
Opcode Fuzzy Hash: c72a6316c51cdd1b731dbb8f331c570cddd5254d7d33337c9b310d0b55645c63
Instruction Fuzzy Hash: 2C11E2723002087FEF259F94DC80FFB37AAEBA4364F128128F91897290D6759D518760

Function 00AC3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00A3600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00A3604C
Part of subcall function 00A3600E: GetStockObject.GDI32(00000011), ref: 00A36060
Part of subcall function 00A3600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A3606A

GetWindowRect.USER32(00000000,?), ref: 00AC377A
GetSysColor.USER32(00000012), ref: 00AC3794

Strings

static, xrefs: 00AC3757

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 1a87ead5400cff7feeef91842a4319dd2be98d586a12ed15bf4206e41234b2e3
Instruction ID: 38eddf9200670c2404f333fe86ec5b7ebf3e1695834748882372c7fa3231c797
Opcode Fuzzy Hash: 1a87ead5400cff7feeef91842a4319dd2be98d586a12ed15bf4206e41234b2e3
Instruction Fuzzy Hash: 041129B2610209AFDF01DFA8CC46EEA7BB8FB09314F018918F956E3250D735E9519B50

Function 00AACD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00AACD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00AACDA6

Strings

<local>, xrefs: 00AACD66

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 50535685a2ea98c1a3b2c9adbbec32ee124f4e977fa2e72de91d079a1e7a5989
Instruction ID: 944ffb88cfaa98869878089f61ca8e153c9e8aa0490a8bbd8ede08fe6e74c073
Opcode Fuzzy Hash: 50535685a2ea98c1a3b2c9adbbec32ee124f4e977fa2e72de91d079a1e7a5989
Instruction Fuzzy Hash: 2411CE71205636BAE7384BA68C89EF7BEACEF137B4F00422AB119831C0D7749941D6F0

Function 00AC3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00AC34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00AC34BA

Strings

edit, xrefs: 00AC348F

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 18accf41b6ddb9bfc298b05a896c86987299c15fc2132e9a0336575ba2cf1b4f
Instruction ID: 8ae3f158660d280bfb88dddced5a2ada6efa61bbf60c1ec0c9d87561997d97a9
Opcode Fuzzy Hash: 18accf41b6ddb9bfc298b05a896c86987299c15fc2132e9a0336575ba2cf1b4f
Instruction Fuzzy Hash: B9119D72100208AAEF158F64DD40FAA376AEB05375F528728F965971D0C735DC519B50

Function 00A96C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00A39CB3: _wcslen.LIBCMT ref: 00A39CBD

CharUpperBuffW.USER32(?,?,?), ref: 00A96CB6
_wcslen.LIBCMT ref: 00A96CC2

Strings

STOP, xrefs: 00A96CBC, 00A96CC1

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: bb07c66bde0ce115a2f91b957867173026becb5488f4098753750baf2a51abd0
Instruction ID: f2f652c59c728cfe67f0c33358935ca59d6f88e169375776889112e6c85f0833
Opcode Fuzzy Hash: bb07c66bde0ce115a2f91b957867173026becb5488f4098753750baf2a51abd0
Instruction Fuzzy Hash: CD01C032B149268BCF21AFFDDD819BF77F5EE65714B110528F86296190EB31E940C650

Function 00A91CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A39CB3: _wcslen.LIBCMT ref: 00A39CBD

Part of subcall function 00A93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A93CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00A91D4C

Strings

ListBox, xrefs: 00A91D16
ComboBox, xrefs: 00A91CEB

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: aa4bfc83a85084fe3cf1294a377f7fe0dde05ee684bf44da379aaec38537dcec
Instruction ID: 04675c2c41e4fedcdfb49e3b8da8f2bbc15182333f34e9e84b1034fabbbdad09
Opcode Fuzzy Hash: aa4bfc83a85084fe3cf1294a377f7fe0dde05ee684bf44da379aaec38537dcec
Instruction Fuzzy Hash: 4501B171B01219AB8F08EBA4CE55CFF77E8FB46390B440A19F822672C1EA7059088660

Function 00A31CD0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00A32B12,(o,?,?,?,?,?,?,?,00A31CAD,?), ref: 00A31D11

Part of subcall function 00A36B57: _wcslen.LIBCMT ref: 00A36B6A

Strings

0m, xrefs: 00A31D1D
w, xrefs: 00A31D2B

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: FullNamePath_wcslen
String ID: 0m$w
API String ID: 4019309064-3308241917
Opcode ID: a86c8ac5847deaa67befd39de4e105243cb859304893ed0196be3fda733ce05d
Instruction ID: be2496db1e06cdf30144ef201b525d8283e5d6c2bd3097d24fa290211733e294
Opcode Fuzzy Hash: a86c8ac5847deaa67befd39de4e105243cb859304893ed0196be3fda733ce05d
Instruction Fuzzy Hash: D911DB31A00209ABCF54FBA4CA06EDD77FCBF08380F4084A5B989D7290DE70DB848B10

Function 00A91BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A39CB3: _wcslen.LIBCMT ref: 00A39CBD

Part of subcall function 00A93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A93CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00A91C46

Strings

ListBox, xrefs: 00A91C10
ComboBox, xrefs: 00A91BE5

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 83a75e406fba00c17980a09c0c98253be4b5df1d4fe508bff3b5d7c1385e7915
Instruction ID: 38d1ea639c0fd9bdc2f86031ca595db864990e1977822541edb9c8b35712de5c
Opcode Fuzzy Hash: 83a75e406fba00c17980a09c0c98253be4b5df1d4fe508bff3b5d7c1385e7915
Instruction Fuzzy Hash: 8A01A275B851097BCF05EBA0CB52EFF77E89F51340F140019F91667281EA649E0CC6B2

Function 00A91C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A39CB3: _wcslen.LIBCMT ref: 00A39CBD

Part of subcall function 00A93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A93CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00A91CC8

Strings

ListBox, xrefs: 00A91C94
ComboBox, xrefs: 00A91C69

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: ab0cc8bdb99ea97a5142096e9700357496b0e9b7331f67afe78118c3dd9ffe72
Instruction ID: a077f64d240e2df6611aed6a9be57aff35aa2e3b6c561f48f876c7a4c9bc3206
Opcode Fuzzy Hash: ab0cc8bdb99ea97a5142096e9700357496b0e9b7331f67afe78118c3dd9ffe72
Instruction Fuzzy Hash: 3701D1B6B801197BCF04EBA0CB02EFF77E8AB11340F540415B902B3281EAA09F18C672

Function 00A91D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A39CB3: _wcslen.LIBCMT ref: 00A39CBD

Part of subcall function 00A93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A93CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00A91DD3

Strings

ListBox, xrefs: 00A91DA0
ComboBox, xrefs: 00A91D75

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 58686db1092e181e137b0e70241161b53c17c341b4a461c997d8a4dd3acfc214
Instruction ID: f9cdfb109abca9455a9a06288a0851fdb9f444577bcc1e35bf8a7ce0b6b71a99
Opcode Fuzzy Hash: 58686db1092e181e137b0e70241161b53c17c341b4a461c997d8a4dd3acfc214
Instruction Fuzzy Hash: F8F0AF75B412196BDF04E7A4CE52EFF77F8AB02350F040D19F922A72C1EAA05A0882A1

Function 00AB747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00AB7493
_wcslen.LIBCMT ref: 00AB74B9

Strings

3, 3, 16, 1, xrefs: 00AB7483

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 71eef213f44a4f09e458597c32ee6bcd421236c3a253ef25cb5fbac3a8df3e24
Instruction ID: 24f13944c8e6042327745d789026fa6946c02e9887b6877ec66f51648f443c10
Opcode Fuzzy Hash: 71eef213f44a4f09e458597c32ee6bcd421236c3a253ef25cb5fbac3a8df3e24
Instruction Fuzzy Hash: 29E02B0260422060923113799DC29BF568DEFC9752710182BFD81C2267EAE48DD193A0

Function 00A90B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00A90B23

Strings

Error allocating memory., xrefs: 00A90B1C
AutoIt, xrefs: 00A90B17

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: ed976a4a5e8c12e1ef42abe7cce39d07c0e5fd0cc63499943b15c0c2e6ac0409
Instruction ID: 943772ab3728bbe2c81310d00f90fa95b0762f6557c32d91e57f14614959a601
Opcode Fuzzy Hash: ed976a4a5e8c12e1ef42abe7cce39d07c0e5fd0cc63499943b15c0c2e6ac0409
Instruction Fuzzy Hash: F6E0DF322883083AD21437947E03FCA7A849F09B65F10082AFB8C958C38AE224A006A9

Function 00A50D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00A4F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00A50D71,?,?,?,00A3100A), ref: 00A4F7CE

IsDebuggerPresent.KERNEL32(?,?,?,00A3100A), ref: 00A50D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00A3100A), ref: 00A50D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00A50D7F

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 3d68b12863cf6f1601348f06c3e665b68224a07c973ec2d5fb389911b4105841
Instruction ID: ec3448f250c2a382e3791b3ca0e2fa9b32757f75759cd7a1c9623ce39a321e7a
Opcode Fuzzy Hash: 3d68b12863cf6f1601348f06c3e665b68224a07c973ec2d5fb389911b4105841
Instruction Fuzzy Hash: A6E039B52003418FD320AFACD504B82BBE1BB00741F054D2DE886C6651EBB4E4498B91

Function 00AA3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00AA302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00AA3044

Strings

aut, xrefs: 00AA3038

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 856d1227d67281fee2439af246e85cf096b2c95cda498d56eef8d6a4ec13873b
Instruction ID: e7127f066763912d0022328e1a5c35b023767a87a8625b8237d13dabb0cc1bcb
Opcode Fuzzy Hash: 856d1227d67281fee2439af246e85cf096b2c95cda498d56eef8d6a4ec13873b
Instruction Fuzzy Hash: 8FD05E7250032877DA20F7E4AC0EFDB3A7CDB04760F0006A1B659E2091DEB09985CAD0

Function 00A8D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00A8D220

Strings

%.3d, xrefs: 00A8D22B
X64, xrefs: 00A8D2A8

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: ec69f34376133ab98aca1603ab763a497b8330d4663c0a4ba7cc6fc457f71d8a
Instruction ID: 90cc194c6db39524c72d022a24f52deb2d72cd50006211cf61b53a6c822b81fc
Opcode Fuzzy Hash: ec69f34376133ab98aca1603ab763a497b8330d4663c0a4ba7cc6fc457f71d8a
Instruction Fuzzy Hash: 03D012B5808108F9CB50B7D0DC49CF9B37CFB48301F508452F90692080F624C5096761

Function 00AC2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00AC232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00AC233F

Part of subcall function 00A9E97B: Sleep.KERNEL32 ref: 00A9E9F3

Strings

Shell_TrayWnd, xrefs: 00AC2325

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: ef1ba2612e784e8746d20f1e9da43de72fbb7618498cc7a20ff84a625cf5cedd
Instruction ID: d61a7e79e6f9404ba9f710627c75d964a4733e09933856a7e670e0e7d2447b88
Opcode Fuzzy Hash: ef1ba2612e784e8746d20f1e9da43de72fbb7618498cc7a20ff84a625cf5cedd
Instruction Fuzzy Hash: 5AD022327C0300B7E664F3B0DC0FFC6BA04AB00B20F010906B30AEA0D0C8F8A802CB00

Function 00AC2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00AC236C
PostMessageW.USER32(00000000), ref: 00AC2373

Part of subcall function 00A9E97B: Sleep.KERNEL32 ref: 00A9E9F3

Strings

Shell_TrayWnd, xrefs: 00AC2365

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: b27f3fd8895df79a8d3413d09cb770141f0aada45b0cd0a1b8833b794cafa4ac
Instruction ID: 6d1f4b48dce91def9c62d8b470b6bd81247736cc0f1e3b92f18e9ce3ab5cfb64
Opcode Fuzzy Hash: b27f3fd8895df79a8d3413d09cb770141f0aada45b0cd0a1b8833b794cafa4ac
Instruction Fuzzy Hash: 4CD0C9327C13147AE664F7B19D0FFC6A654AB04B24F014916B75AEA1D1C9A8A8028A54

Function 00A4F7E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 11windowCOMMON

Download Yara Rule

APIs

DestroyIcon.USER32(00010435), ref: 00A4F7EA

Strings

hq, xrefs: 00A4F804
(o, xrefs: 00A4F7F0

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: DestroyIcon
String ID: (o$hq
API String ID: 1234817797-1308652124
Opcode ID: e9fdf4f464ea0995e0c568b07ef255851d936b228e23342311c1d8b4622263d0
Instruction ID: 26be40ab5505c2660452bf6c508382bbe9966f6beaaa3a3880bca0ad07f64185
Opcode Fuzzy Hash: e9fdf4f464ea0995e0c568b07ef255851d936b228e23342311c1d8b4622263d0
Instruction Fuzzy Hash: 8FC01221B0820257C70CB7AC6A6553A29DAEBC13007000878B203C33E1CE6088004AB7

Function 00A6BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00A6BE93
GetLastError.KERNEL32 ref: 00A6BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00A6BEFC

Memory Dump Source

Source File: 00000000.00000002.1650102084.0000000000A31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.1650046343.0000000000A30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650148960.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650203692.0000000000AFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650224624.0000000000B04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a30000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 36793534ab7aba687a81dd0cab8f6f4dd9bc8240a36f0a069061bd567197db5f
Instruction ID: f19093bb1b1da9694b11f64f6023f2f801507180092b39036296cb079beff827
Opcode Fuzzy Hash: 36793534ab7aba687a81dd0cab8f6f4dd9bc8240a36f0a069061bd567197db5f
Instruction Fuzzy Hash: 7441D435610206AFCF21CFA5CD54AAABBB5AF41320F154169F959DB1B1DB31CD81CB70

Source: global traffic	TCP traffic: 192.168.2.4:56667 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.4:58615 -> 1.1.1.1:53

Source: global traffic	HTTP traffic detected: GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1Host: youtube.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1Host: www.youtube.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=bYMrBKnVbhn1Xtn&MD=5W1rvdZU HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /clientwebservice/ping HTTP/1.1Connection: Keep-AliveUser-Agent: DNS resiliency checker/1.0Host: fe3cr.delivery.mp.microsoft.com
Source: global traffic	HTTP traffic detected: GET /sls/ping HTTP/1.1Connection: Keep-AliveUser-Agent: DNS resiliency checker/1.0Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=bYMrBKnVbhn1Xtn&MD=5W1rvdZU HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=bYMrBKnVbhn1Xtn&MD=5W1rvdZU HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: 86.23.85.13.in-addr.arpa

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:50711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:50714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.4:50722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.206:443 -> 192.168.2.4:58616 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.4:58618 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:58619 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:58620 version: TLS 1.2

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.206
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.206
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.206
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.206
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.206
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.206
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.206

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58619
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58616
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58618
Source: unknown	Network traffic detected: HTTP traffic on port 50722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58617
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58620
Source: unknown	Network traffic detected: HTTP traffic on port 50710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58619 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58617 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58622 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58620 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50700
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50722
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50705
Source: unknown	Network traffic detected: HTTP traffic on port 58624 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58622
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58624
Source: unknown	Network traffic detected: HTTP traffic on port 50705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58618 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58616 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50711 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Chrome Cache Entry: 62

Chrome Cache Entry: 63

Chrome Cache Entry: 64

Chrome Cache Entry: 65

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

Windows Analysis Report
file.exe

Function 00A342DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 00A342A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00A72BA5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 62
COMMON

Function 00ABAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Function 00A32CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 00A7065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 00A3344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00A32B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00A33170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 00A31410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Function 00A310F3 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 153
comCOMMON

Function 00A32C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 00A33923 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 94
windowCOMMON

Function 00A33B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre